APK Authenticity and Integrity


https://www.pleco.com/products/pleco-for-android/ does not list the SHA-256 signing cert fingerprint for the APK, e.g. Signer #1 certificate SHA-256 digest: 780a2a639a3ccb65621e0caccf18fa38c91f6cbf351d453742ebe2a114b09624, nor does it list a checksum for the current APK itself, e.g. SHA256 (plecodroid-211028-website.apk) = 8da9e3756c441ab23761f7a5ce55b1b11f1ff99007b0902ebcc53415a24bc581. Auth and integrity are important at first install for the trust-on-first-use Android model, particularly for those of us who do not use Play Store for app delivery. Please consider publicly posting, at minimum, the cert fingerprint digests for auth.
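The check requested in the post above, as an added example that is not part of the original thread or Pleco's own tooling: it compares a downloaded APK against a pinned signer certificate digest and, optionally, a pinned file checksum. The two pinned values are the ones quoted in the post; the function names are hypothetical, and it assumes `apksigner` from the Android SDK build-tools is on PATH.

```python
import hashlib
import hmac
import re
import subprocess

# Pins quoted in the post above; obtain them over a channel you trust.
PINNED_CERT_SHA256 = "780a2a639a3ccb65621e0caccf18fa38c91f6cbf351d453742ebe2a114b09624"
PINNED_APK_SHA256 = "8da9e3756c441ab23761f7a5ce55b1b11f1ff99007b0902ebcc53415a24bc581"

# Matches the "Signer #N certificate SHA-256 digest: <hex>" lines printed by apksigner.
SIGNER_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)

def apksigner_output(path):
    """Run apksigner; check=True raises if signature verification fails."""
    return subprocess.run(["apksigner", "verify", "--print-certs", path],
                          check=True, capture_output=True, text=True).stdout

def file_sha256(path, chunk=1 << 20):
    """Hash the file in chunks so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def signer_digests(output):
    """Return {signer number: lowercase SHA-256 digest} parsed from apksigner text."""
    return {int(n): d.lower() for n, d in SIGNER_RE.findall(output)}

def check_apk(path, output, pinned_cert, pinned_apk=None):
    """Return a list of problems; an empty list means every pin matched."""
    problems = []
    signers = signer_digests(output)
    if not signers:
        problems.append("no signer certificate digest found")
    # Every signer must match the pin, so an extra unknown signer also fails.
    for n, digest in sorted(signers.items()):
        if not hmac.compare_digest(digest, pinned_cert.lower()):
            problems.append(f"signer #{n} certificate digest mismatch")
    if pinned_apk is not None:
        if not hmac.compare_digest(file_sha256(path), pinned_apk.lower()):
            problems.append("APK file SHA-256 mismatch")
    return problems

if __name__ == "__main__":
    apk = "plecodroid-211028-website.apk"  # file name from the post
    print(check_apk(apk, apksigner_output(apk), PINNED_CERT_SHA256, PINNED_APK_SHA256) or "OK")
```

The certificate pin stays valid across releases signed with the same key, while the file checksum has to be republished for every build.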


Staff member
Will see about doing that for our website redesign - honestly, pleco.com isn't as aggressively locked-down as the separate server we use for mission-critical store / order management / etc stuff, and I wouldn't want to provide the reassurance of SHA checksums without having robust measures in place to ensure that those checksums could not themselves be hacked. (we could post them on social media but that's an incomplete solution since our users in China can't access most of our accounts and anyway we're not big enough to get verified on Twitter e.g.)

I'm *hopeful* that as various government regulators force Google to more enthusiastically embrace sideloading, they will add some approved third-party CAs and an interface to display code signature info on APK install, so that when you install our APK it will come up with a nice helpful green check mark "signed by Pleco Inc." badge on it.