APK Checksum Verification: A Complete Guide

This guide teaches you how to verify APK checksums to ensure the files' authenticity and integrity before installing them on an Android device.

Updated on February 15, 2026
5-10 minutes
Easy
FixPedia Team
Applies to: Android 5.0+, any APK files

Introduction / Why This Matters

Installing APK files from unknown sources is a common practice, but it carries risks. Attackers can replace original apps with modified versions containing viruses or spyware. Checksum verification is a fast and reliable way to ensure that the downloaded file is identical to what the developer released. In this guide, you'll learn how to manually verify an APK file's integrity on a computer before transferring it to an Android device.

Requirements / Preparation

Before you begin, make sure you have:

  1. The APK file you plan to install.
  2. The official checksum for that file (usually SHA-256, less often SHA-1 or MD5). You'll need to find this on the developer's website or in a trusted app directory (for example, in the "Technical details" section on APKMirror).
  3. A computer with one of these operating systems: Windows, macOS, or Linux.
  4. Basic skills in working with the command line or terminal (instructions will be provided for each case).

Step-by-Step Guide

Step 1: Get the checksum of your APK file

You can compute the checksum (hash) using built-in operating system tools.

On Windows (PowerShell)

  1. Open PowerShell (Win + X → "Windows PowerShell" or "Terminal" in newer versions).
  2. Run the command, replacing path\to\file.apk with the actual path:
Get-FileHash -Algorithm SHA256 -Path "path\to\file.apk"

Sample output:

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          A1B2C3D4E5F6...                                                         C:\Users\...\app.apk

Important: If the developer specifies MD5 or SHA-1, replace SHA256 with MD5 or SHA1.

On macOS or Linux (Terminal)

  1. Open Terminal.
  2. Navigate to the folder containing the APK file (for example, cd ~/Downloads).
  3. Run the command:
shasum -a 256 app.apk

Sample output:

a1b2c3d4e5f6...  app.apk

For MD5, use md5 app.apk on macOS or md5sum app.apk on Linux; for SHA-1, use shasum -a 1 app.apk.

Alternative: Cross-platform utilities

If built-in methods are unavailable, install:

  • 7-Zip (Windows) — via the context menu "CRC SHA" → "SHA-256".
  • HashTab (Windows/macOS) — adds a tab in the file's properties.
  • OpenSSL (any OS) — openssl sha256 app.apk.

Step 2: Compare with the official checksum

  1. Copy the hash obtained in Step 1 (remove any extra spaces if present).
  2. Open the page with the official checksum (for example, on the developer's website).
  3. Compare the strings exactly. Pay attention to:
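    • Character case (hashes are usually lowercase, while PowerShell prints them in uppercase). Hex digests are case-insensitive, so convert both strings to the same case before comparing.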
    • Missing or extra characters/spaces.

Result:

  • Match → the file is genuine; you can proceed with installation.
  • No match → the file is corrupted or modified. Do not install! Delete it and download again.
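
Steps 1 and 2 as a single script (an added example, not part of the original guide). It infers the algorithm from the length of the published digest (32, 40 or 64 hex characters for MD5, SHA-1 and SHA-256), normalises case and whitespace, and then compares. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify_apk_checksum FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input or missing tools.

# Print the lowercase hex digest of FILE using ALGO (md5, sha1 or sha256).
file_digest() {
    algo=$1 file=$2
    if command -v "${algo}sum" >/dev/null 2>&1; then        # Linux coreutils
        "${algo}sum" < "$file" | cut -d' ' -f1
    elif [ "$algo" = md5 ]; then                            # macOS
        md5 -q "$file"
    else                                                    # macOS shasum
        shasum -a "${algo#sha}" < "$file" | cut -d' ' -f1
    fi
}

verify_apk_checksum() {
    file=$1
    # Strip whitespace and lowercase: PowerShell prints uppercase hex,
    # shasum prints lowercase, and pasted values often carry stray spaces.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    # The digest length tells which algorithm the publisher used, which
    # avoids comparing a SHA-256 of the file against a published SHA-1.
    case ${#expected} in
        32) algo=md5 ;;
        40) algo=sha1 ;;
        64) algo=sha256 ;;
        *)  echo "unexpected digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$(file_digest "$algo" "$file" 2>/dev/null)
    [ -n "$actual" ] || { echo "no $algo tool available" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK ($algo): $file"
    else
        echo "MISMATCH ($algo): expected $expected, got $actual" >&2
        return 1
    fi
}

# Stand-alone use: sh verify.sh app.apk <published-checksum>
if [ "$#" -eq 2 ]; then verify_apk_checksum "$1" "$2"; fi
```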

Step 3: Additional APK signature verification (optional)

A checksum verifies integrity but doesn't guarantee the file is signed with the developer's correct key. For deeper verification:

  1. Install Java (if not present) and Android SDK Build-Tools.
  2. Use the apksigner utility (included in Build-Tools):
apksigner verify --verbose app.apk

Sample output on success:

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true

If verification fails (apksigner reports DOES NOT VERIFY instead of Verifies), the signature is invalid and the file is not from an official source.
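
A valid signature only shows that the APK was signed by someone. To check that it was the developer's key, compare the signer certificate digest printed by apksigner verify --verbose --print-certs with one you already trust. The script below is an added example, not part of the original guide: it assumes the digest lines have the form "Signer #N certificate SHA-256 digest: ...", the function names and exit codes are hypothetical, and the sample output and digest are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the signer certificate reported by
#   apksigner verify --verbose --print-certs app.apk | check_signer DIGEST
# Returns 0 = verifies and certificate matches, 1 = does not verify,
#         2 = bad input, 3 = valid signature but a different certificate.

# Lowercase a fingerprint and drop colons/whitespace (AA:BB:... style).
norm_hex() { printf '%s' "$1" | tr -d ':[:space:]' | tr 'A-F' 'a-f'; }

check_signer() {
    expected=$(norm_hex "$1")
    [ "${#expected}" -eq 64 ] || { echo "need a SHA-256 digest" >&2; return 2; }
    out=$(cat)
    # The line "Verifies" is printed when verification succeeds; a single
    # "Verified using ... scheme: false" line is not a failure by itself.
    printf '%s\n' "$out" | grep -qx 'Verifies' ||
        { echo "signature does not verify" >&2; return 1; }
    # One digest line per signer; every signer must match the pinned value.
    digests=$(printf '%s\n' "$out" |
        sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p')
    [ -n "$digests" ] || { echo "no certificate digest in output" >&2; return 2; }
    for d in $digests; do
        [ "$(norm_hex "$d")" = "$expected" ] ||
            { echo "unexpected signer: $d" >&2; return 3; }
    done
    echo "signature valid, signer certificate matches"
}

# Constructed sample output; the digest is a made-up placeholder.
sample_output() {
    cat <<'EOF'
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}
```

The pinned digest should come from a source you already trust, such as the developer's published fingerprint or the same command run on a known-good earlier release of the app.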

Verifying the Result

After successfully comparing checksums (and, if needed, verifying the signature), you can be confident in the APK file's authenticity. Transfer it to your Android device and install it normally (via a package installer). If installation errors occur (for example, "App not installed"), the file may still be corrupted or incompatible with your Android version — try downloading it again.

Common Issues

| Problem | Solution |
|---|---|
| "File not found" error when computing the hash | Check the file path. On Windows, use the full path in quotes, especially if it contains spaces. |
| Checksum doesn't match, but file was re-downloaded | Ensure you're comparing the same algorithm (SHA-256 vs SHA-1). Also check if the source file might have changed (for example, an update). |
| No official checksum available | Do not install the APK. Contact the developer for the hash or use alternative official channels (Google Play, F-Droid). |
| Signature verification with apksigner fails | The file is either signed with an unknown key or the signature was removed. This is a clear sign of modification — delete the file. |
| No command-line access on Android | Perform verification on a computer. If you must do it on the device, install Termux and use sha256sum (requires root to access the downloads folder). |

Key principle: If you have any doubts about an APK's authenticity, don't risk it. Better to skip an app than to expose your device to a threat.
