How to APK (for new Graphene OS users)

WHAT is an APK?

An APK file is essentially an app installation file (code, resources, manifest, etc. all zipped-up) meant for Android users. It stands for "Android Package". If you have always gotten your apps from an app "store", you might not have come across this term before.

WHY would I use an APK?

You already do, to put it simply. What you may not have done before is to download them outside of an app store. When you use an app store, it will handle most of the steps for downloading, validating and installing APK files for you. As a new Graphene OS user, I found that some of the apps I wanted to install were not available through the alternative app stores* like Aurora or F-Droid -- and that eventually led me to downloading APK files for those apps directly from the developers in some few cases. I learned that when you get APK files from a developer, you must validate the file yourself -- which is what this post will hopefully help with.

*Learn more about various app stores here: https://odysee.com/@NaomiBrockwell:4/Alt-app-store:f

Note: there are many pros & cons, risks, etc. to consider with installing APK files yourself that can inform whether or where downloading and installing them is your best choice. Suffice it to say that much of this conversation centers around themes of privacy, censorship & security -- worth your time to learn more about that.

WHY should I validate an APK before installing it?

In short -- it is important to validate any software before you install it. Most folks in the Linux world are used to doing this; Windows / MacOS / app store users -- not so much. Validating software before you install it will help you to prevent malware / spyware / corrupt or compromised files / etc. from infecting or damaging your device.

How do I validate an APK?

Step 1: Download and install a checksum validator from F-Droid.

- For this example, I'll use Hash Droid.
- If you have a recommendation for a better checksum validator, I'd love to know what it is and why you think so -- I'll update this post if it seems reasonable.

Step 2: Download the APK

- For this example, I'll use the BitChat app
- Go to: https://bitchat.free/
- Find 'apk releases' on the page, and follow that link to the github page.
- Find Assets on the github page.

- Click on the bitchat-1.5.1.apk file and save it to your Downloads folder
- Next, copy the checksum value you see next to bitchat-1.5.1.apk
- Looks like: sha256:e275d9d3dbc6a06e...

Step 3: Verify the checksum

- Open Hash Droid

- Click on the 'COMPARE HASHES' tab
- Paste the checksum you copied from the github page into the 'Input the first hash value' field.
- note: remove the "sha256:" prefix

- Click on the 'HASH A FILE' tab
- Under 'Select a hash function' -- select SHA-256
- Next, Click the 'Click here to select a file to hash' button
- Navigate to your 'Downloads' folder
- Select your APK file -- in this case: bitchat-1.5.1.apk
- Click the 'Calculate' button
- Click the 'Copy checksum to clipboard' button

- Click on the 'COMPARE HASHES' tab
- Paste the checksum you copied from the 'HASH A FILE' tab into the 'Input the second hash value' field.
- Click 'Compare'
- Here, you will see one of two responses:
- 'Hashes match!' in green text indicates that you may now close Hash Droid and proceed to installing the app
- 'Hashes do not match!' in red text indicates that you should double check your two values -- make sure you didn't leave the 'sha256:' prefix on one but not the other. If you did -- fix that, then click compare again. If the values still do not match -- DO NOT proceed with installing the app. Go to your downloads folder, delete the APK file, then start over from scratch.

Step 4: Install the App

- Navigate to your 'Downloads' folder
- Click on the APK file in your downloads folder
- Open with Package Installer -- follow the prompts.

Other: Terminal Apps

I'm not sure if Graphene OS has a native terminal app that could be used to validate checksums. Lots of mention of one online, but I don't see it on the device. If someone knows more about this, LMK, and I'll update this section.

If you prefer to use a non-native terminal app (like Termux, et al.), please suggest that, along with a little how-to if you're feeling particularly generous, and I can update this post with that information.

click the 'guestbook' link at page top to share your thoughts