Rahul Iyer

Reputation: 21025

How does one verify that an APK has not been tampered with?

A vanilla Android ROM (AOSP) does not contain Google Apps. If I download Google Apps from another source, how can I verify that it has not been tampered with?

Upvotes: 5

Views: 3471

Answers (1)

Fabin Paul

Reputation: 1711

Each apk is signed with a release key. If the apk is de-compiled and recompiled, then the new apk must be signed with a different release key (as each release key needs a password which only the developer/company knows). So you can verify the authenticity of your apk by checking the sha1 of your key. Hope it helps

EDIT: You must use web services to verify the validity of your app (like what Facebook does)

  1. You must execute this on your release key to get the key hash of your app, i.e. `keytool -exportcert -alias androiddebugkey -keystore "C:\Documents and Settings\Administrator.android\debug.keystore" | "C:\OpenSSL\bin\openssl" sha1 -binary | "C:\OpenSSL\bin\openssl" base64`.
  2. The obtained key hash must be saved on your server and must be fetched using web services.
  3. Obtain the key hash programmatically using the following code. Verify that both values are the same.

    // Imports needed at the top of the file:
    // import android.content.pm.PackageInfo;
    // import android.content.pm.PackageManager;
    // import android.content.pm.Signature;
    // import android.util.Base64;
    // import android.util.Log;
    // import java.security.MessageDigest;
    // import java.security.NoSuchAlgorithmException;

    try {
        PackageInfo info = getPackageManager().getPackageInfo(
                "com.play.fabin",  // Replace with your package name
                PackageManager.GET_SIGNATURES);

        for (Signature signature : info.signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA1");
            md.update(signature.toByteArray());
            // digest() resets the MessageDigest, so compute it once and reuse it;
            // calling it twice would print the hash of an empty input the second time.
            String keyHash = Base64.encodeToString(md.digest(), Base64.DEFAULT);
            Log.d("KeyHash:", keyHash);
            System.out.println("key hash = " + keyHash);
        }
    } catch (PackageManager.NameNotFoundException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }


Hope it helps you..

Upvotes: 4
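As an added example (not part of the answer above), the same key-hash computation and the server-side comparison in Python: it reproduces what `keytool -exportcert | openssl sha1 -binary | openssl base64` produces from the DER-encoded signing certificate, and then checks an APK's signer certificates against a pinned set. The certificate bytes are a constructed stand-in, since the hashing does not depend on their content; a real check would feed it the bytes that `Signature.toByteArray()` returns.

```python
import base64
import hashlib
import hmac
from typing import Iterable

# Constructed stand-in for the DER bytes of a signing certificate (what
# `keytool -exportcert` writes, or what Signature.toByteArray() returns on
# Android). A real certificate is several hundred bytes; only the hash
# pipeline is demonstrated here, so an arbitrary byte string is enough.
SAMPLE_SIGNER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))


def key_hash(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Base64 of the digest of the whole DER certificate.

    This is exactly what the answer's pipeline computes:
        keytool -exportcert ... | openssl sha1 -binary | openssl base64
    Note that the entire certificate is hashed, not just the public key.
    """
    digest = hashlib.new(algorithm, cert_der).digest()
    return base64.b64encode(digest).decode("ascii")


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex, the form `keytool -list -v` prints."""
    digest = hashlib.new(algorithm, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def signers_are_trusted(cert_ders: Iterable[bytes], pinned_hashes: Iterable[str],
                        algorithm: str = "sha256") -> bool:
    """Accept the APK only if every signer certificate is in the pinned set.

    An APK may carry several signatures; accepting it when *any* one matches
    would let an unexpected extra signer pass, so all of them must match.
    The comparison is constant-time so timing does not leak the pinned value.
    SHA-256 is the default here because SHA-1 (used in the answer) is no
    longer collision-resistant.
    """
    pinned = list(pinned_hashes)
    certs = list(cert_ders)
    if not certs:
        return False  # an unsigned APK is never trusted
    for cert in certs:
        observed = key_hash(cert, algorithm)
        if not any(hmac.compare_digest(observed, p) for p in pinned):
            return False
    return True
```

Store the output of `key_hash(cert, "sha256")` for your release certificate on the server, and have the app compare its own signer hashes against it with `signers_are_trusted`.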
