One of the best things about Android is the amount of control that the operating system gives users. For instance, with an iPhone, if you want to install apps, you have to either use the App Store or jailbreak the phone.
With Android, you can use Google Play, or sideload the app using an APK file. To do this, all you need to do is copy the APK to your phone, enable Unknown sources in the privacy settings and launch the APK, and you’ll install the app that’s been packaged in the file.
However, this level of simplicity also means that there’s a little risk – for Android users, downloading apps via Google Play is the safest option. Based on the data released by the Android security team this year, you’re about 10 times more likely to have a potentially harmful application on your device if you’re not just using Google Play.
Because of that, if you’re planning to use an APK file you’ve downloaded, it’s a good idea to run a few simple checks to try and verify that it is really what it claims to be. Luckily, there are a few simple ways you can do this.
Scanning the APK
The VirusTotal website lets you upload your APK files to check for viruses and other issues. Android files are the fifth most popular file type checked on the website. The one caveat is that the file size has to be under 128MB, so some games in particular might be too big for this tool.
To use it, do the following:
- Open the site.
- Click on Choose File, and in the browser dialogue box, select your file.
- Click on Scan it! to get your results.
This will help you to quickly check if an APK is safe or not. In general, we’ve seen a lot of comments online praising VirusTotal’s effectiveness. It was acquired by Google in 2012, and is a non-commercial entity. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions.
- NViso ApkScan
Another tool that’s similar to VirusTotal is NViso ApkScan. It also provides a detailed report on the APK file you have, and there’s no file size limit. We’ve seen this tool recommended on more forums than any other, and it worked quickly and easily.
To use NViso, do the following:
- Open the NViso site.
- Drag and drop the APK file onto the site.
- Click on Scan package.
You can also tick the E-mail box, enter your email ID, and leave the site if you like. You will then get the results in your mail. The results are detailed: they start with a risk rating, then show the permissions that the app asks for and general information such as its MD5 and SHA256 hashes and file size, and they include a virus scan. The hashes and file size might be publicly available for the app you’re trying to download, which helps verify the authenticity of the APK.
Checking the hash
- Hash Droid
As mentioned above, one way to see if you’re downloading the right APK is to check its hash. The SHA hash of a file is kind of like a digital fingerprint, and if the app you’re looking for has its SHA publicly mentioned by the developers, then you can compare that with the SHA of the APK you have. If the two match, the APK you have is the same file the developers published.
NViso ApkScan is one way to look up this information, but if you want to get it done on your phone itself, you can use the Hash Droid app.
- Install Hash Droid from Google Play.
- Select Hash a File.
- Under Select a hash, choose SHA-256.
- Choose the APK file you want to check.
- Tap on Calculate.
This should show you the APK’s hash data, which would be a long string that looks something like this: 5a8679e3e4298b7b3ffac725106db12a21bdb0bcf746f44fa7e46c40dbf794aa. That’s the original Pokemon Go hash, in case you’re wondering.
By using this method, you can compare the hash of an APK with the one the app publisher has released, to see if the APK is safe to install.
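The same comparison can be done on a computer before the APK is copied to the phone. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes the publisher lists a SHA-256 value and, optionally, a file size.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large APK is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize_digest(text):
    """Accept upper case, spaces or colons; reject anything not 64 hex chars."""
    cleaned = "".join(ch for ch in text.strip().lower() if ch not in ": ")
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 digest of 64 hex characters")
    return cleaned

def verify_apk(path, published_sha256, published_size=None):
    """Return (matches, reason) for the file against the published values."""
    expected = normalize_digest(published_sha256)
    if published_size is not None and os.path.getsize(path) != published_size:
        return False, "size differs from the published size"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, "SHA-256 mismatch, file has " + actual
    return True, "SHA-256 matches the published value"

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real APK.
    with tempfile.NamedTemporaryFile(suffix=".apk", delete=False) as tmp:
        tmp.write(b"constructed sample bytes, not a real APK")
    try:
        print(verify_apk(tmp.name, sha256_file(tmp.name).upper()))
        # The hash quoted in the article; the stand-in file cannot match it.
        quoted = "5a8679e3e4298b7b3ffac725106db12a21bdb0bcf746f44fa7e46c40dbf794aa"
        print(verify_apk(tmp.name, quoted))
    finally:
        os.unlink(tmp.name)
```

Rejecting values that are not 64 hex characters catches the common mistake of pasting an MD5 or SHA-1 value into a SHA-256 comparison.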
That’s it – with these three methods, you can have a greater degree of security when using apps downloaded from third party sources. However, it’s worth noting that these methods are never 100 percent secure, and if you’re worried about malware, then it’s probably better to stick to the Play Store.