DEV.co
Open-Source Security · soupslurpr

AppVerifier

AppVerifier is an Android app that lets users verify app authenticity by comparing signing certificate hashes. Users can share verification info with others to confirm apps are genuine, with an internal database for quick lookups.

Source: GitHub — github.com/soupslurpr/AppVerifier
1.1k
GitHub stars
54
Forks
Kotlin
Primary language
ISC
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysoupslurpr/AppVerifier
Ownersoupslurpr
Primary languageKotlin
LicenseISC — OSI-approved
Stars1.1k
Forks54
Open issues28
Latest release13 (2025-04-23)
Last updated2025-08-29
Sourcehttps://github.com/soupslurpr/AppVerifier

What AppVerifier is

Kotlin-based Android application using Jetpack Compose and Material Design 3 that computes and compares SHA-256 hashes of app signing certificates against user-provided or database values for app authenticity verification.

Quickstart

Get the AppVerifier source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/soupslurpr/AppVerifier.gitcd AppVerifier# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

App Distribution Authentication

Organizations distributing Android apps can publish their signing certificate hashes via AppVerifier, allowing end users to independently verify app authenticity before installation.

Developer Identity Verification

Individual developers and open-source projects can share their signing certificate info to build user trust and prevent impersonation or malicious forks.

Security-Conscious User Community

Users concerned about app spoofing can use AppVerifier as a peer verification tool within security-aware communities to confirm app legitimacy before deploying to production or critical devices.

Implementation considerations

  • The app requires Android deployment infrastructure; ensure target Android versions and API levels align with your user base.
  • Review and understand the internal database mechanism for hash storage and update frequency—unclear from documentation how often it is maintained.
  • Plan for user education: end users must understand signing certificate verification concepts and how to safely share verification info.
  • Evaluate whether the ISC license aligns with your organization's open-source policy and whether you plan to modify or redistribute the app.
  • Test workflow of sharing and importing verification info to ensure it fits your organization's communication and trust-establishment processes.

When to avoid it — and what to weigh

  • Centralized Certificate Authority Model Required — If your organization requires a traditional PKI or certificate authority infrastructure with formal trust chains and revocation mechanisms, AppVerifier's hash comparison approach will not meet those requirements.
  • Non-Android Platforms — AppVerifier is Android-only. If you need to verify app signatures across iOS, web, or cross-platform ecosystems, this tool cannot be used.
  • Automated Verification at Scale — AppVerifier is designed for manual peer verification and inspection. If you need programmatic, automated verification of thousands of apps in a CI/CD pipeline, this is not the right solution.
  • Offline-First Enterprises Without Community — AppVerifier relies on an internal database and community sharing. If your threat model demands airgapped networks with no external database or user-to-user data exchange, deployment will be limited.

License & commercial use

Licensed under ISC License, a permissive OSI-approved open-source license permitting commercial use, modification, and distribution with minimal restrictions (retain copyright and license notice).

ISC License permits commercial use without royalty or permission requirement. However, verify any trademarks or branding associated with 'AppVerifier' name before commercial redistribution, and maintain copyright attribution.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceMedium
Security considerations

AppVerifier allows comparison of SHA-256 signing certificate hashes to detect tampering or impersonation. Users should understand that verification is only as trustworthy as the source of the comparison hash (e.g., official website, community consensus). No cryptographic signature binding the app's identity to external claims; verification relies on the integrity of communication channels through which hashes are shared. Project recommends Accrescent store over GitHub releases for improved supply-chain security.

Alternatives to consider

apksigner (Android Studio command-line tool)

Native Android SDK tool for verifying APK signatures offline; requires developer knowledge and command-line familiarity; no user-friendly mobile UI.

Aurora Store or similar app store clients

App stores perform signature verification at the platform level and can detect spoofed apps; however, they do not provide user-facing certificate hash comparison or peer verification features.

Exodus Privacy / similar app audit services

Third-party services analyze app security and trackers; do not focus specifically on signing certificate verification but offer complementary trust signals.

Software development agency

Build on AppVerifier with DEV.co software developers

Download AppVerifier from Accrescent or GitHub to start comparing signing certificate hashes and confirm app genuineness with your community.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

AppVerifier FAQ

Can I use AppVerifier to verify AppVerifier itself?
No. The README explicitly states 'DO NOT use AppVerifier to verify itself.' Verify AppVerifier's signing certificate via independent means (e.g., apksigner command) or trust Accrescent's own verification.
Is there a programmatic API to verify signatures outside the app?
Not documented in the README or GitHub excerpt. AppVerifier appears to be a user-facing Android app only; no REST API or library interface is mentioned.
How is the internal database maintained, and who controls it?
Unknown. README mentions an 'internal database' of signing hashes but does not document its update mechanism, ownership, or how developers can submit their certificates.
Can AppVerifier work offline?
Unclear. If the app relies on the internal database for lookups, offline mode and database sync behavior are not documented in the README.

Custom software development services

DEV.co helps companies turn open-source tools like AppVerifier into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Verify Your App's Authenticity Today

Download AppVerifier from Accrescent or GitHub to start comparing signing certificate hashes and confirm app genuineness with your community.