Frequently Asked Questions

  1. Why this service?

    I started to play with Android devices and, being concerned about privacy, I had no motivation to link my device to a company called Google. They already know quite a bit about me: my mails, my search requests, etc. Therefore, not having access to the Google Play store, I became interested in how the authenticity of an APK file is guaranteed. Shockingly, this wasn't that easy. Naively, I expected some trusted and linked signatures, something like a web of trust. This does not exist. Therefore, I searched for ways to analyze the APKs I found somewhere on the Internet. Most importantly, I wanted to make sure that the APKs are not stuffed with malware.
  2. So, I found an APK on the Internet - what should I do?

    Well... That's not that easy:
    • Upload it to VirusTotal or a similar service to check for viruses, and make sure the majority of engines agree on "no virus".
    • Check the validity of the signature in the APK, and look for matching certificate fingerprints in some online DB. Get a list of other packages and versions signed with the same key. The more packages match, the better.
    • Upload the APK to a sandbox (local or an online service) to see what it does (connections, file access, API calls).
    • Install the APK on your own device.
    APKscan helps you with steps 1 and 2 above. For an online sandboxing service, we recommend NVISO APKScan.
  3. How can APKscan help me to check if an APP is genuine?

    So, first of all, you should upload the APK under research on this website. By clicking on the little search symbol you can always use Google search to check whether this APK was found elsewhere. By clicking on the little triangle, you can check whether the APK also exists in the Google Play store. If so, please check the name of the developer and compare it to the subject line in the signature (the "Signed by:" section). If this matches, it is a first hint that the package *might* be genuine. Then we suggest downloading other packages by the same developer and uploading them to APKscan. If you then click on the fingerprint of the package under research, all packages which have the same signature are listed. If the questionable package and a reliably genuine package have the same signature, the questionable one is likely an unmodified original package.
  4. What is the Universal App. ID and why is it needed?

    The Universal App. ID is a way to uniquely identify an application across different APK sources (e.g. the Google Play store, the Amazon app store, etc.) and application versions. The universal app ID (or UAppID for short) is composed of the application package name (unique per device) and the fingerprint of each certificate used to sign the application. This information is static across releases (it is not influenced by version/functionality increments) and ties together a package and a developer (who holds the private keys corresponding to the certificates).

    The observatory relies on the UAppID because we poll APK submissions from multiple sources. We wish to build relationships between packages released by the same developer, regardless of where we source the APK file from.
  5. How can I easily check if an APK is already in APK Scan?

    On a Linux machine with a BASH shell, try adding the following function to your ~/.bashrc:

    # shasum defaults to SHA-1; quote the argument so paths with spaces work
    function observatoryOpen { xdg-open "https://apkscan.org/apk/$(shasum "$1" | cut -d' ' -f1)"; }

    This will allow you to run observatoryOpen ~/Downloads/some.app.sample.apk and have the corresponding APK Scan app page (if it exists) open in your default web browser.

    If the application isn't in APK Scan consider contributing a sample yourself!
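    The pieces the previous answers rely on (the SHA-1 file hash behind the observatoryOpen URL, the colon-separated certificate fingerprint you compare across packages, and the package-name-plus-fingerprints idea behind the UAppID) are easy to reproduce offline. The following Python is an added example, not APKscan's own code: the URL pattern is taken from the bash function above, the UAppID separators ("|" and ",") and the sample APK contents are assumptions, and the script only locates v1 signature blocks; it does not verify a signature (use apksigner for that).

```python
import hashlib
import io
import zipfile

# URL pattern from the observatoryOpen bash function: base + SHA-1 of the whole file.
APKSCAN_BASE = "https://apkscan.org/apk/"


def apkscan_url(apk_bytes: bytes) -> str:
    """Same lookup key as the bash function: shasum defaults to SHA-1."""
    return APKSCAN_BASE + hashlib.sha1(apk_bytes).hexdigest()


def cert_fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Colon-separated, upper-case digest of the DER certificate, the format
    keytool and apksigner print, so it can be compared against a listing."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def v1_signature_blocks(apk_bytes: bytes) -> list:
    """Names of JAR (v1) signature blocks under META-INF/. Presence only;
    validity still has to be checked with apksigner."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(
            name for name in z.namelist()
            if name.startswith("META-INF/")
            and name.upper().endswith((".RSA", ".DSA", ".EC"))
        )


def uapp_id(package_name: str, cert_ders: list) -> str:
    """Assumed rendering of the UAppID idea from the FAQ: package name plus
    the fingerprint of every signing certificate, order-independent."""
    fingerprints = sorted(cert_fingerprint(der) for der in cert_ders)
    return package_name + "|" + ",".join(fingerprints)


def same_signer(id_a: str, id_b: str) -> bool:
    """Two UAppIDs describe the same package and signer set only if they match
    exactly; a repackaged APK keeps the name but not the fingerprints."""
    return id_a == id_b


def constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with the layout of a v1-signed
    package. The contents are placeholders, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder, not real binary XML")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 block")
    return buf.getvalue()


if __name__ == "__main__":
    apk = constructed_apk()
    print(apkscan_url(apk))
    print(v1_signature_blocks(apk))
    # Constructed certificate bytes: a genuine and a repackaged copy of one package.
    genuine_cert = b"constructed developer certificate"
    rogue_cert = b"constructed repackager certificate"
    original = uapp_id("com.example.app", [genuine_cert])
    repack = uapp_id("com.example.app", [rogue_cert])
    print(original)
    print("same signer:", same_signer(original, repack))
```

Run it against a real file by replacing constructed_apk() with the bytes read from disk; the URL it prints is the one the bash function opens, and the fingerprint can be compared with the "Signed by" data shown on the application page.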
  6. How can I easily contribute multiple APKs to the observatory at once?

    Currently APKs can only be uploaded one-by-one. We plan to implement a bulk upload feature in the near future, stay tuned!

    In the meantime if you have a large collection of APKs you wish to have added to the observatory please send an email to ilja@cryptix.net or contact the old team via Twitter at @AndroidObs. We'll work with you to get your APK collection imported as painlessly as possible!
  7. What does the "Other sources" listing on an application page mean?

    The Other sources section of the application details page lists other APKs we have found with a matching UAppID that were collected from a different APK source. For instance, if you're viewing the application details for a copy of the Gmail app that was loaded from an APK imported from the Google Play market, the Other Sources section would include a link to the Gmail app with the same UAppID that was loaded from an APK a user submitted.
  8. I've contributed an APK but it still isn't listed in the APK Scan results. What do I do?

    On rare occasions our import process is not able to handle an APK. In the event this occurs please contact us at ilja@cryptix.net and include a copy of the broken APK. We will work to address the issue and ensure the APK gets included in the observatory database.
  9. I want to run more advanced queries/find relationships not publicly displayed, what can I do?

    We are open to sharing the SQLite3 database of parsed metadata with any researchers who contact us expressing interest. Please send an email request to ilja@cryptix.net.