AppVerifier
AppVerifier is an Android app that lets users verify app authenticity by comparing signing certificate hashes. Users can share verification info with others to confirm apps are genuine, with an internal database for quick lookups.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | soupslurpr/AppVerifier |
| Owner | soupslurpr |
| Primary language | Kotlin |
| License | ISC — OSI-approved |
| Stars | 1.1k |
| Forks | 54 |
| Open issues | 28 |
| Latest release | 13 (2025-04-23) |
| Last updated | 2025-08-29 |
| Source | https://github.com/soupslurpr/AppVerifier |
What AppVerifier is
Kotlin-based Android application using Jetpack Compose and Material Design 3 that computes and compares SHA-256 hashes of app signing certificates against user-provided or database values for app authenticity verification.
Get the AppVerifier source
Clone the repository and explore it locally.
git clone https://github.com/soupslurpr/AppVerifier.gitcd AppVerifier# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- The app requires Android deployment infrastructure; ensure target Android versions and API levels align with your user base.
- Review and understand the internal database mechanism for hash storage and update frequency—unclear from documentation how often it is maintained.
- Plan for user education: end users must understand signing certificate verification concepts and how to safely share verification info.
- Evaluate whether the ISC license aligns with your organization's open-source policy and whether you plan to modify or redistribute the app.
- Test workflow of sharing and importing verification info to ensure it fits your organization's communication and trust-establishment processes.
When to avoid it — and what to weigh
- Centralized Certificate Authority Model Required — If your organization requires a traditional PKI or certificate authority infrastructure with formal trust chains and revocation mechanisms, AppVerifier's hash comparison approach will not meet those requirements.
- Non-Android Platforms — AppVerifier is Android-only. If you need to verify app signatures across iOS, web, or cross-platform ecosystems, this tool cannot be used.
- Automated Verification at Scale — AppVerifier is designed for manual peer verification and inspection. If you need programmatic, automated verification of thousands of apps in a CI/CD pipeline, this is not the right solution.
- Offline-First Enterprises Without Community — AppVerifier relies on an internal database and community sharing. If your threat model demands airgapped networks with no external database or user-to-user data exchange, deployment will be limited.
License & commercial use
Licensed under ISC License, a permissive OSI-approved open-source license permitting commercial use, modification, and distribution with minimal restrictions (retain copyright and license notice).
ISC License permits commercial use without royalty or permission requirement. However, verify any trademarks or branding associated with 'AppVerifier' name before commercial redistribution, and maintain copyright attribution.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Possible |
| Assessment confidence | Medium |
AppVerifier allows comparison of SHA-256 signing certificate hashes to detect tampering or impersonation. Users should understand that verification is only as trustworthy as the source of the comparison hash (e.g., official website, community consensus). No cryptographic signature binding the app's identity to external claims; verification relies on the integrity of communication channels through which hashes are shared. Project recommends Accrescent store over GitHub releases for improved supply-chain security.
Alternatives to consider
apksigner (Android Studio command-line tool)
Native Android SDK tool for verifying APK signatures offline; requires developer knowledge and command-line familiarity; no user-friendly mobile UI.
Aurora Store or similar app store clients
App stores perform signature verification at the platform level and can detect spoofed apps; however, they do not provide user-facing certificate hash comparison or peer verification features.
Exodus Privacy / similar app audit services
Third-party services analyze app security and trackers; do not focus specifically on signing certificate verification but offer complementary trust signals.
Build on AppVerifier with DEV.co software developers
Download AppVerifier from Accrescent or GitHub to start comparing signing certificate hashes and confirm app genuineness with your community.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
AppVerifier FAQ
Can I use AppVerifier to verify AppVerifier itself?
Is there a programmatic API to verify signatures outside the app?
How is the internal database maintained, and who controls it?
Can AppVerifier work offline?
Custom software development services
DEV.co helps companies turn open-source tools like AppVerifier into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Verify Your App's Authenticity Today
Download AppVerifier from Accrescent or GitHub to start comparing signing certificate hashes and confirm app genuineness with your community.