When you download an APK outside of an app store (e.g. directly from GitHub), you have no automatic guarantee it’s genuine. The file could have been tampered with, replaced, or swapped for a fake version at any point between the developer’s server and your phone.
APK verification solves this by checking the signature on the APK and comparing the SHA-256 fingerprint of the signing certificate against the fingerprint the developer publishes. If they match, the app was signed with that developer’s key. The catch is a bootstrap problem: you need a trusted tool to verify apps, but that tool also needs to be trusted first. This guide covers two paths through that problem, one for GrapheneOS users who can verify everything on-device, and one for Google Android users who need a computer to do it reliably.
GrapheneOS: On-Device Verification
While the following video is not specifically about APK verification on GrapheneOS, I provide a full walkthrough of how to do it. Skip to 6:53 to watch how.
The Advantage of GrapheneOS
- GrapheneOS comes with the GrapheneOS App Store pre-installed
- The App Store is signed and verified by the OS itself
- This creates a chain of trust from verified boot on up
- You can download Accrescent from the GrapheneOS App Store and bootstrap from there without needing a computer
On-Device Method: Using Accrescent + AppVerifier
Get Accrescent
- Open the GrapheneOS App Store (pre-installed on your device)
- Search for “Accrescent” and download it
- Accrescent is verified through the App Store’s trust chain
- No computer needed; because it arrived through the App Store’s trust chain, it is safe to trust
Get AppVerifier
- Open Accrescent
- Search for “AppVerifier”
- Install it directly from Accrescent
- AppVerifier verifies the signature of other apps for you
Verify Your Downloaded APK
- Download the APK from Zap Store’s official GitHub or website (either directly on the phone, or on a computer and then transfer the file to your phone)
- Open AppVerifier
- Provide the app’s package name (e.g., “dev.zapstore”)
- AppVerifier will show the SHA-256 hash of the app’s signing certificate (this is the certificate fingerprint, not a hash of the APK file)
- Compare this hash to the official signing certificate hash published by the app developer on their GitHub or website
- If the hashes match exactly, the app was signed with the developer’s key and is authentic
The Chain of Trust
- Verified Boot → GrapheneOS App Store → Accrescent → AppVerifier → Your Apps
- Each link in the chain is cryptographically verified
- You only have to trust GrapheneOS (which you already did by installing it)
Google Android: Computer-Based Verification
If you do not have a GrapheneOS phone, you will need to carry out the verification process on a computer.
Why Google Android Users Can’t Use On-Device Verification
- AppVerifier is not available on Google Play Store
- Accrescent is not available on Google Play Store (except in early/alpha form)
- There’s no bootstrap path for Google Play users within the phone
- Solution: Use a computer to verify before transferring to your phone
Computer-Based Method: Using apksigner
You’ll need:
- A Windows, Mac, or Linux computer
- The Android SDK (which includes apksigner)
- Terminal/Command Prompt knowledge (basic commands)
- The APK file you downloaded
Option A: Install Android Studio (Easiest)
Download Android Studio
- Go to developer.android.com
- Download Android Studio for your operating system
Install Android Studio
- Follow the setup wizard
- Complete the installation
Find apksigner Location
- Android Studio automatically installs the Android SDK
- apksigner is located in: [SDK_Path]/build-tools/[version]/apksigner (apksigner.bat on Windows)
- Example on Windows: C:\Users\YourName\AppData\Local\Android\Sdk\build-tools\34.0.0\apksigner
- Example on Mac: ~/Library/Android/sdk/build-tools/34.0.0/apksigner
- Example on Linux: ~/Android/Sdk/build-tools/34.0.0/apksigner
Option B: Install Just the Build Tools (Lighter Download)
- Go to developer.android.com/tools
- Download just the command-line tools
- Extract and configure (instructions vary by OS, follow Google’s guide)
- This takes less space than Android Studio
How to Verify Your APK on Windows
Open Command Prompt
- Press Win + R, type cmd and press Enter
Navigate to apksigner Location
cd C:\Users\YourName\AppData\Local\Android\Sdk\build-tools\34.0.0
(Replace YourName and 34.0.0 with your actual username and build-tools version)
Run the Verification Command
apksigner verify --print-certs C:\Users\YourName\Downloads\YourApp.apk
(Replace the path with wherever your APK file is saved)
Read the Output
The command will print information including:
Signer #1 certificate SHA-256 digest: 3a04a80b2a88334c747485f0b2151640a38bb3d2d73a8eab81df503e0f0202b2
Compare the Hash
- Look up the official SHA-256 hash published by the app developer
- For Zap Store, this would be on zapstore.dev or their GitHub
- Compare character-by-character: they must match exactly
- If they match: the app is authentic
- If they don’t match: do NOT install the app
How to Verify Your APK on Mac
Open Terminal
- Press Cmd + Space, type Terminal and press Enter
Run the Verification Command
~/Library/Android/sdk/build-tools/34.0.0/apksigner verify --print-certs ~/Downloads/YourApp.apk
(Adjust paths if your build-tools version is different)
Same as Windows
- Read the SHA-256 digest output
- Compare to the official hash
- Match = authentic; no match = don’t install
How to Verify Your APK on Linux
Open Terminal
- Open your terminal application
Run the Verification Command
~/Android/Sdk/build-tools/34.0.0/apksigner verify --print-certs ~/Downloads/YourApp.apk
Same as Windows and Mac
- Read the SHA-256 digest output
- Compare to the official hash
- Match = authentic; no match = don’t install
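The Mac and Linux steps above, and the “read the output, compare the hash” step shared with Windows, can be scripted so the comparison is done by the machine rather than by eye. The following bash script is an added example, not code from the original article, Zap Store, or Google. It runs apksigner verify --print-certs, extracts the Signer #N certificate SHA-256 digest lines, normalises colons and letter case, and refuses the APK unless apksigner accepts the signature and exactly one signer with the expected fingerprint is present. It optionally also checks a published SHA-256 hash of the file itself. Assumptions: apksigner is on PATH or named in the APKSIGNER variable; the expected fingerprints are passed as arguments; the sample output embedded at the bottom is constructed, modelled on the digest line quoted above, and is not real apksigner output for any app.

```bash
#!/usr/bin/env bash
# Added example: machine-check an APK's signing certificate fingerprint.
# Assumes apksigner is on PATH or given in $APKSIGNER (not from the article).
set -u

# Normalise a fingerprint so "3A:04:A8:..." and "3a04a8..." compare equal.
normalize_hash() {
  printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# Pull every "Signer #N certificate SHA-256 digest: <hex>" line out of
# apksigner's --print-certs output (read from stdin); print one lowercase digest per line.
extract_cert_digests() {
  sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' \
    | tr 'A-F' 'a-f'
}

# check_cert_output EXPECTED_FINGERPRINT APKSIGNER_OUTPUT_TEXT
# Returns 0 only when exactly one signer is present and its digest equals EXPECTED.
check_cert_output() {
  local expected digests count
  expected=$(normalize_hash "$1")
  digests=$(printf '%s\n' "$2" | extract_cert_digests)
  count=$(printf '%s\n' "$digests" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one signer, found $count" >&2
    return 1
  fi
  if [ "$digests" != "$expected" ]; then
    echo "MISMATCH: certificate digest $digests, expected $expected" >&2
    return 1
  fi
  return 0
}

# verify_apk PATH EXPECTED_CERT_FINGERPRINT [EXPECTED_FILE_SHA256]
# apksigner must accept the signature (so the file content is intact) AND the
# certificate must be the expected one. A published file hash, if given, is checked too.
verify_apk() {
  local apk="$1" expected_cert="$2" expected_file="${3:-}" out actual
  if ! out=$("${APKSIGNER:-apksigner}" verify --print-certs "$apk" 2>&1); then
    echo "apksigner rejected $apk:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
  check_cert_output "$expected_cert" "$out" || return 1
  if [ -n "$expected_file" ]; then
    # sha256sum on Linux, shasum on macOS
    actual=$( { sha256sum "$apk" 2>/dev/null || shasum -a 256 "$apk"; } | cut -d' ' -f1 )
    if [ "$actual" != "$(normalize_hash "$expected_file")" ]; then
      echo "file hash mismatch: $actual" >&2
      return 1
    fi
  fi
  echo "OK: $apk is signed by the expected certificate"
}

# Constructed sample, modelled on the digest line quoted in the article; not real output.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 3a04a80b2a88334c747485f0b2151640a38bb3d2d73a8eab81df503e0f0202b2
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'

# Real usage (uncomment and fill in the fingerprint the developer publishes):
# verify_apk ~/Downloads/YourApp.apk 3a04a80b2a88334c747485f0b2151640a38bb3d2d73a8eab81df503e0f0202b2
```

The script exits non-zero on any mismatch, so it can gate an installation step (for example, only run adb install when verify_apk succeeds). It deliberately rejects APKs with more than one signer rather than accepting the first match, because a second, unexpected signer is exactly the kind of oddity you want to look at before installing.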
Transfer the Verified APK to Your Phone
- Connect your phone to the computer via USB
- Enable “File Transfer” mode on your phone
- Copy the verified APK to your phone’s Downloads folder
- Disconnect the phone
- On your phone: open Files, navigate to Downloads
- Tap the APK to install
- You may see an “Unknown Source” or “Install unknown apps” warning; this is normal for apps not installed from Google Play
- Confirm the installation
The Chain of Trust (Google Android)
- You trust your computer’s OS → apksigner tool (from Google) → app’s digital signature → Your Phone
- The verification happens offline on your computer before the app ever touches your phone
- Even Google doesn’t verify it for you because it’s not on Google Play
Finding the Official Signing Hash
Where to Find Official Hashes
- GitHub releases page: Often under “Assets” or in the release notes
- Official app website: Check their FAQ or downloads section
- Developer social media: Some developers post hashes on Twitter/Bluesky
- Multiple sources: Always verify the hash from a different source than where you got the APK
Example: Finding Zap Store’s Hash
- Go to zapstore.dev (the official website)
- Download section shows the APK and SHA-256 checksum
- Or check GitHub: github.com/zapstore
- Get the hash from the release page
Tips for Finding Hashes Safely
- Don’t trust a single source
- If you download the APK from GitHub, verify the hash from the website
- Look for hashes that are published consistently across multiple places
- Be wary if an official source doesn’t publish hashes; it suggests they don’t take verification seriously
| Feature | GrapheneOS | Google Android |
|---|---|---|
| AppVerifier Access | Yes (via Accrescent) | No (not on Google Play) |
| On-Device Verification | Yes | No |
| Computer Verification | Optional but possible | Required |
| Bootstrap Chain | OS → App Store → Accrescent → AppVerifier | Computer’s apksigner tool |
| Easiest Method | Use Accrescent + AppVerifier | Use computer + apksigner |
| Trust Required | Trust GrapheneOS | Trust your computer’s OS |
Frequently Asked Questions
Here are a few common questions based on the topics covered in the article.
What If the Hash Doesn’t Match?
Do not install the app. A hash mismatch means one of three things: you downloaded a tampered or fake version, the file was corrupted during download, or you are comparing the wrong hashes. Delete the APK, return to the official source, and download a fresh copy before verifying again.
Do I Need to Verify Every App Update?
Yes, ideally. At minimum, verify the first time you install an app and any time you are updating from a new or external source. Once you have confirmed an app is legitimate, you can use the app’s own built-in update mechanism if it has one, since that update will carry the same developer signature. Android’s package manager also refuses to install an update whose signing certificate differs from the already-installed app’s (apart from explicit key rotation using APK Signature Scheme v3), so after a verified first install, updates of the same package are already pinned to that certificate.
Can I Verify APKs on My Phone Instead of a Computer?
Not easily on Google Android. apksigner is a command-line tool from the Android SDK build tools and is meant to run on a computer, not on the phone. GrapheneOS users have a simpler path through AppVerifier, which runs entirely on-device. Google Android users should use a computer for verification before transferring the APK to their phone.
Is the Official Website Always a Safe Source for the Hash?
Not necessarily. Websites can be compromised. That is why comparing the hash across multiple independent sources (the developer’s website, their GitHub releases page, and any social media announcement) provides stronger confidence. If multiple sources show the same hash, the risk of all of them being simultaneously compromised is extremely low.
What Is the Difference Between a SHA-256 File Hash and an APK Signing Certificate Hash?
These check different things. A SHA-256 hash of the file verifies the APK itself has not been altered since the developer released it. The APK signing certificate hash verifies the developer’s private key was used to sign it. Both checks together give you the fullest picture: the file is intact, and it came from the claimed developer. Note that apksigner verify already checks the signature over the APK’s contents, so a verify that passes together with a matching certificate hash covers both points; a published file hash is a useful extra check when the developer provides one.