Insecure .apk providers

joao on the ouya.world forums compiled a list of games that can be sideloaded on the OUYA. One of them is DuckTales: Remastered that was released in 2013 for Android, but is not available in the Google Play Store anymore. So I could not buy it from the official source and looked at sites that let me download this game's .apk file.

When downloading .apk files from random web sites, you do not know whether the app is the original version that was published on Google Play. The app may have been maliciously modified, and once you install and run it you may end up with a trojan that listens to remote commands and sends your private data to the attacker, or scans your network for vulnerable devices and infects them.

.apk files carry a signature that can be checked. But as described in the answer by Chris Stratton, a valid signature only tells you that the file was not changed after it was signed; it does not tell you who signed it. The only way to be sure that the signature was made by the app developer you expect is to find another .apk from the same developer and check whether both carry the same signing certificate.

There once was androidobservatory.org that crawled Google Play and offered checksums and signatures for the apps, but unfortunately that service does not exist anymore as of 2023-01.

Downloads

Since I do not know which sites I can trust, I decided to download the game from as many sites as possible and compare their signatures.

Ducktales: Remastered signatures

Source          Size in bytes   Signed by
v1.0.0, versionCode 8
  Apk Data Mod  8170302         EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
v1.0.2, versionCode 9
  AndroidOut    7676217         EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  APKAward      7674678         CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us
  HappyMod      7564351         EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  PDALIFE       7674678         CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us
v1.0.3, versionCode 124
  AndroidRey    7575525         CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us
  Androiteka    7575525         CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us
  ApkGK         7564351         EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  ApkVision     7575525         CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us
  HappyMod      7686338         EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US

Bad providers

The "signed by" info on some of the .apk files is clearly that of a dummy signing key (EMAILADDRESS=android@android.com, the well-known Android test key). We can be sure that those apps have been modified, since the original developer would not sign with it. Thus we now know that we cannot trust the following apk providers to give us unmodified files:

Apk Data Mod
AndroidOut
HappyMod
ApkGK

Signatures

The subject of the signing certificate on the remaining files, the one that is not obviously a dummy key, is

CN=ducktales remastered, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us

Some official Disney apps from Google Play (downloaded via AuroraStore) have the following signing certificate subjects:

Disney Magic Brush Timer
CN=disneypublishing2013, OU=dpwgoogleplay, O=dpw, L=burbank, ST=ca, C=us
Disney LOL
CN=microcontent2016, OU=disneyandroid, O=twdc, L=burbank, S=ca, C=us
Disneyland Hongkong
CN=wdproandroid2015, OU=disneyandroid, O=twdc, L=burbank, ST=ca, C=us

Their names follow the same structure, so the DuckTales apks are either the official version, or the attackers took some care to make the certificate subject look valid and distributed the files to several hosters.

We cannot be sure which of the possibilities is correct unless we find a .apk that is known to be official and whose signing key has the same hash as the ones here. The subject text alone proves nothing, because anyone can generate a key with any subject they like; only the certificate (key) hash identifies the signer.

Hashes

Here is some metadata of the files that may be the real version:

v1.0.2
Package name com.disney.ducktalesremastered_goo
Version code 9
MD5 hash 9db66bbb081011f41313ff05467d98bd
SHA256 hash b5aae6e356ab6261dd913563efd8e59d22d58fbc37faa8e36fef82b21d0e1559
v1.0.3
Package name com.disney.ducktalesremastered_goo
Version code 124
MD5 hash 4726be98fdeef36656f6b88a2e33bb30
SHA256 hash 55a88b069cb019b25ba961eeb4e2f9978182329df2cbc91b1fe3015d873212ce

Written by Christian Weiske.

Comments? Please send an e-mail.