Yes, but it can also verify currently installed apps too.
Installing an app from an APK file is trust on first use. All apps are signed by a certificate from the app developer which the OS trusts. Apps can only update if it is both a newer version, and it is signed by the same certificate it came with.
Updates are verified by only allowing updates from that same developer's certificate. If it doesn't match, it will fail. This prevents installing a fake or malicious update.
AppVerifier checks the apps you installed are have the genuine certificate and package name from the developer. It can compare to keys you provide or it can check from an internal database of apps in the app if there is an entry for it.
DB can be found here: https://github.com/soupslurpr/AppVerifier/blob/master/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt
final [GrapheneOS] 📱👁️🗨️
npub1c9…7sqfm
2024-07-21 00:23:04
in reply to nevent1q…jnkt
Author Public Key
npub1c9d95evcdeatgy6dacats5j5mfw96jcyu79579kg9qm3jtf42xzs07sqfmPublished at
2024-07-21 00:23:04Event JSON
{
"id": "a11abb203837456c2dcfcd304a3463062e92a329670b0cd2d5e92042c090fbda",
"pubkey": "c15a5a65986e7ab4134dee3ab85254da5c5d4b04e78b4f16c82837192d355185",
"created_at": 1721521384,
"kind": 1,
"tags": [
[
"e",
"0b6a451bd34613caffaea17962e120e2a94a7741b2d0ee5d216937ec54c6f5c1",
"",
"root"
],
[
"e",
"5587f36bd0b5466170b519a1f8c88cbe9a9136e0df1862098a39b7179302d293"
],
[
"e",
"e3d45016cf8b62b28fa211fc775952c4e92ae2078d22ba9160741c17f64d0ca4",
"",
"reply"
],
[
"p",
"c15a5a65986e7ab4134dee3ab85254da5c5d4b04e78b4f16c82837192d355185"
],
[
"p",
"aca7d34560960b46bbf1bd3c400cf4b269111671f6fd8bbcb5f5ec6d89d91844"
],
[
"r",
"https://github.com/soupslurpr/AppVerifier/blob/master/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt"
]
],
"content": "Yes, but it can also verify currently installed apps too.\n\nInstalling an app from an APK file is trust on first use. All apps are signed by a certificate from the app developer which the OS trusts. Apps can only update if it is both a newer version, and it is signed by the same certificate it came with.\n \nUpdates are verified by only allowing updates from that same developer's certificate. If it doesn't match, it will fail. This prevents installing a fake or malicious update.\n\nAppVerifier checks the apps you installed are have the genuine certificate and package name from the developer. It can compare to keys you provide or it can check from an internal database of apps in the app if there is an entry for it.\n\nDB can be found here: https://github.com/soupslurpr/AppVerifier/blob/master/app/src/main/kotlin/dev/soupslurpr/appverifier/InternalVerificationInfoDatabase.kt",
"sig": "0ed9b0175e218a6fd640f61fa8da0b2e4e2a1578e5369e886c9cab73e10b524bdf1a3eef6d6da678689b09301238bf85f0fd171e0091fd6bdc933d8c5a82b4e8"
}