When adding an app, there can be a setting to add a known signing certificate hash.
Obtainium can use it to show if the hash matches the downloaded APK.
Basically like a built-in AppVerifier, but without needing AppVerifier so you don't need to rely on another app. Because as of right now, AppVerifier does not get updates anymore and hopefully some developer will continue it but in case not, this can be integrated into Obtainium for added security:
- Obtainium should warn a user if the hash is different from the verified hash.
- In case no verified hash is provided by the user, Obtainium can still warn a user if a hash is changed compared to the old version and ask the user if they are sure they want to install the update.
If no dev will work on AppVerifier to keep it alive, then we'll need some alternative way. So I propose to integrate it into Obtainium for added security and it is a cleaner solution instead of sharing the APK to another app.
I think there's no need to maintain a list of known hashes. It's a lot of extra work for no reason. But just an option for the user to add their own verified hashes if they want to. It's optional.
And at the very least even without a verified hash, Obtainium can still verify that a new app update has the same hash as the currently installed version and warn if it changed before installing it. Because it's still better than nothing.
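The two checks proposed above (a user-verified hash first, otherwise a comparison with the installed version) can be sketched as follows. This is an added example, not code from Obtainium or AppVerifier; the function names, the `Verdict` values and the sample certificate bytes are hypothetical, and the fingerprint is assumed to be the SHA-256 of the DER-encoded signing certificate, entered as colon-separated or plain hex.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    PINNED_MATCH = "matches user-verified hash"
    PINNED_MISMATCH = "differs from user-verified hash"
    SAME_AS_INSTALLED = "same signer as installed version"
    CHANGED_SINCE_INSTALLED = "signer changed since installed version"
    NO_BASELINE = "nothing to compare against"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; reject anything else."""
    cleaned = fp.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def check_update(apk_fp, pinned_fp=None, installed_fp=None) -> Verdict:
    """A user-verified hash takes priority; otherwise fall back to the
    signer of the currently installed version (trust on first use)."""
    apk = normalize(apk_fp)
    if pinned_fp is not None:
        ok = hmac.compare_digest(apk, normalize(pinned_fp))
        return Verdict.PINNED_MATCH if ok else Verdict.PINNED_MISMATCH
    if installed_fp is not None:
        ok = hmac.compare_digest(apk, normalize(installed_fp))
        return Verdict.SAME_AS_INSTALLED if ok else Verdict.CHANGED_SINCE_INSTALLED
    return Verdict.NO_BASELINE


def should_warn(verdict: Verdict) -> bool:
    """Only a mismatch interrupts the install with a confirmation prompt."""
    return verdict in (Verdict.PINNED_MISMATCH, Verdict.CHANGED_SINCE_INSTALLED)


# Constructed stand-ins for DER certificate bytes (not real certificates).
DEV_CERT = b"constructed-developer-certificate"
OTHER_CERT = b"constructed-unknown-certificate"
```

With a pinned hash present, a changed signer is reported against the pin even if the installed version happens to match the new APK, so a user-verified value is never overridden by the weaker fallback.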