All Android APKs must be signed by the developer with a private key before they can be installed. The signing certificate has a SHA-256 fingerprint that cannot be forged. As long as the fingerprint of the Binance APK in your hands exactly matches the official fingerprint published by Binance, it is 100% confirmed to be the original version, with no possibility of tampering. It is recommended to download the APK from the Binance Official Website and verify it using the methods in this article, or simply install the Binance Official App directly on a trusted device; iPhone users can refer to the iOS Installation Tutorial.
What is a Digital Signature
The Android system requires that every APK carry a valid digital signature before it can be installed. Roughly, signing works like this:
- The developer generates a pair of public and private keys.
- Before releasing the APK, a signature block is calculated for the APK content using the private key.
- The signature block, along with the public key certificate, is packaged into the APK.
- During installation, the Android system uses the public key to verify that the signature is valid.
- Any modification to the APK file will invalidate the signature, causing the system to refuse installation or report an error.
The private key is strictly kept by Binance officials, and outsiders cannot access it. This means:
- No one can forge the Binance signature (theoretically cracking it would take hundreds of millions of years).
- Any APK that has had code injected into it must be re-signed with a different key, so its certificate fingerprint will be completely different.
- As long as the fingerprint matches, the APK is definitely the original version.
This is the power of the digital signature—it is the ultimate defense against counterfeit apps.
Core Concepts of Signature Verification
What is a SHA-256 Fingerprint
SHA-256 is a hashing algorithm that maps data of any size to a fixed 256-bit value, written as a 64-character hexadecimal string. For the same certificate, no matter who calculates it, the exact same SHA-256 will be obtained.
The fingerprint of Binance's signature certificate looks like:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
(32 bytes, each byte represented by 2 hexadecimal digits, totaling 64 characters)
This string of characters is the "DNA" of the Binance APK—any genuine official APK will output this exact same fingerprint.
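To make the fingerprint concrete, here is an added Python example (not code from the article or from Binance) that derives a certificate fingerprint from certificate bytes in the colon-separated form that apksigner (lowercase) and keytool (uppercase) print, normalizes the different display styles so they can be compared, and shows that changing a single byte of the certificate yields an unrelated fingerprint. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import hashlib

# Constructed stand-in for the DER bytes of a signing certificate. A real
# certificate is a few hundred to a few thousand bytes of ASN.1; the
# fingerprint logic is identical for any byte string.
SAMPLE_CERT_DER = bytes(range(256)) * 3


def cert_fingerprint(der: bytes, algo: str = "sha256", upper: bool = False) -> str:
    """Fingerprint of the certificate bytes in colon-separated form, e.g.
    'a1:b2:...' (apksigner style) or 'A1:B2:...' (keytool style)."""
    digest = hashlib.new(algo, der).hexdigest()
    if upper:
        digest = digest.upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Strip colons, spaces, line breaks and case so that values copied from
    apksigner, keytool or a web page compare reliably."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def fingerprints_match(a: str, b: str) -> bool:
    """True only if both are complete SHA-256 fingerprints (64 hex digits)
    and identical after normalization; a truncated value never matches."""
    na, nb = normalize_fingerprint(a), normalize_fingerprint(b)
    return len(na) == 64 and na == nb


def differing_hex_digits(a: str, b: str) -> int:
    """Count the hex positions at which two fingerprints differ."""
    na, nb = normalize_fingerprint(a), normalize_fingerprint(b)
    return sum(x != y for x, y in zip(na, nb))


if __name__ == "__main__":
    official = cert_fingerprint(SAMPLE_CERT_DER)
    print("apksigner style:", official)
    print("keytool style:  ", cert_fingerprint(SAMPLE_CERT_DER, upper=True))
    # A re-signed APK carries a different certificate. Even a one-byte
    # change produces a fingerprint that shares almost nothing with the original.
    tampered = bytearray(SAMPLE_CERT_DER)
    tampered[0] ^= 0x01
    changed = differing_hex_digits(official, cert_fingerprint(bytes(tampered)))
    print(f"one flipped byte changed {changed} of 64 hex digits")
```

Compare with normalize_fingerprint rather than by eye: the Help Center page, apksigner and keytool may differ in case, colons and line wrapping, and a visual comparison of 64 characters is exactly where people skip digits.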
Three Signature Schemes
Android has gone through several generations of APK signature schemes:
| Scheme | Introduced Version | Features |
|---|---|---|
| v1 (JAR) | Android 1.0 | Based on JAR signing via META-INF/ manifests; does not cover the whole APK |
| v2 (APK Sig Scheme v2) | Android 7.0 | Signs the whole APK, faster installation |
| v3 (APK Sig Scheme v3) | Android 9.0 | Supports key rotation |
| v4 (APK Sig Scheme v4) | Android 11 | Supports incremental updates |
Binance APK uses v1+v2+v3 signatures simultaneously, ensuring verification passes on all Android versions.
Method 1: Verify using apksigner
apksigner is the official tool provided by Google, so its verdict is the most authoritative.
Install apksigner
Windows:
- Download Android Command Line Tools (from official Google).
- After extracting, find apksigner.bat in the build-tools/<version>/ directory.
- Add this directory to the PATH environment variable.
macOS / Linux:
brew install android-commandlinetools
Or install Android Studio; apksigner will then be in the ~/Library/Android/sdk/build-tools/xx.x.x/ directory.
Verify Signature Validity
Basic verification:
apksigner verify --verbose Binance.apk
Normal output:
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
If any of these lines is false, there is a problem with the signature: either the APK is corrupted or it has been tampered with.
Print Signature Certificate Details
apksigner verify --print-certs Binance.apk
Example output (fingerprint is illustrative):
Signer #1 certificate DN: CN=Binance Holdings Limited, O=Binance, L=George Town, ST=Cayman, C=KY
Signer #1 certificate SHA-256 digest:
a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:
a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
Signer #1 certificate SHA-1 digest:
a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:11:22:33
Signer #1 certificate MD5 digest:
a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
Pay attention to three fields:
- certificate DN: Should contain "Binance Holdings Limited" or a similar official name.
- SHA-256 digest: Must exactly match the value published on the Binance official website.
- Number of signers: Must be 1 (more than one signer may indicate the APK was re-signed).
Compare your calculated SHA-256 with the official value; every digit must be identical.
Method 2: Verify using keytool
keytool is built into the JDK, so no extra installation is needed (as long as Java is installed).
Export the Certificate
First, treat the APK as a ZIP archive and extract the signature block from the META-INF/ directory (usually CERT.RSA or BINANCE.RSA):
unzip -p Binance.apk META-INF/CERT.RSA > cert.rsa
View Certificate Fingerprint
keytool -printcert -file cert.rsa
Example output:
Owner: CN=Binance Holdings Limited, O=Binance, L=George Town
Issuer: CN=Binance Holdings Limited, O=Binance, L=George Town
Serial number: abc123def456
Valid from: Mon Jan 01 00:00:00 UTC 2020 until: Sat Dec 31 23:59:59 UTC 2049
Certificate fingerprints:
SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:11:22:33:44
SHA256: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
Signature algorithm name: SHA256withRSA
Version: 3
Similarly, compare the SHA256 fingerprint with the official published value.
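The keytool route only works when the APK carries a v1 (JAR) signature, because v1 is the only scheme that stores the signer's certificate as a file under META-INF/; a v2/v3-only APK has no such entry and must be checked with apksigner instead. The following added Python example (not code from the article or from Binance) builds a constructed in-memory ZIP shaped like an APK, locates the v1 signature block (the equivalent of the unzip step above, also flagging the zero-signer and multiple-signer cases), and parses the SHA256 line out of keytool -printcert output into a form that compares cleanly against any published value. The keytool output text is a constructed sample using the article's illustrative fingerprint.

```python
import io
import re
import zipfile
from typing import List, Optional

# v1 signature blocks live under META-INF/ with one of these extensions.
SIG_BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)
# keytool prints the fingerprint as 32 uppercase colon-separated bytes.
KEYTOOL_SHA256_RE = re.compile(
    r"^\s*SHA256:\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})\s*$", re.MULTILINE)


def build_sample_apk(signers=("CERT",)) -> bytes:
    """Constructed in-memory ZIP shaped like a v1-signed APK. Entry contents
    are placeholders, not real DEX data or a real PKCS#7 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder manifest")
        z.writestr("classes.dex", b"placeholder dex")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        for name in signers:
            z.writestr(f"META-INF/{name}.SF", b"Signature-Version: 1.0\n")
            z.writestr(f"META-INF/{name}.RSA", f"PLACEHOLDER-PKCS7-{name}".encode())
    return buf.getvalue()


def find_v1_signature_blocks(apk_bytes: bytes) -> List[str]:
    """List the v1 signature block entries. An empty list means the APK is
    signed with v2/v3 only and Method 2 cannot be used; more than one entry
    means more than one signer, which the article treats as suspicious."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist() if SIG_BLOCK_RE.match(n))


def extract_signature_block(apk_bytes: bytes, entry: str) -> bytes:
    """Same effect as: unzip -p Binance.apk META-INF/CERT.RSA > cert.rsa"""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read(entry)


def sha256_from_keytool(text: str) -> Optional[str]:
    """Pull the SHA256 fingerprint out of `keytool -printcert` output as
    lowercase hex without colons, ready to compare with the published value."""
    m = KEYTOOL_SHA256_RE.search(text)
    return m.group(1).replace(":", "").lower() if m else None


# Constructed sample of keytool output, mirroring the article's illustrative values.
SAMPLE_KEYTOOL_OUTPUT = """\
Owner: CN=Binance Holdings Limited, O=Binance, L=George Town
Certificate fingerprints:
\t SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:11:22:33:44
\t SHA256: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90
Signature algorithm name: SHA256withRSA
"""

if __name__ == "__main__":
    apk = build_sample_apk()
    blocks = find_v1_signature_blocks(apk)
    if len(blocks) != 1:
        print("Method 2 not applicable or suspicious; v1 signature blocks:", blocks)
    else:
        block = extract_signature_block(apk, blocks[0])
        print(f"{blocks[0]} is {len(block)} bytes; save it and run: keytool -printcert -file cert.rsa")
    print("sample keytool SHA256:", sha256_from_keytool(SAMPLE_KEYTOOL_OUTPUT))
```

Note that the fingerprint is computed over the X.509 certificate inside the .RSA file, not over the .RSA file itself; hashing cert.rsa with sha256sum gives a different value, which is why keytool -printcert is the right tool for this step.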
Method 3: Verify with Online Tools
If you haven't installed command-line tools, you can use some online APK analysis tools:
- APK Analyzer type websites (make sure to choose reputable ones).
- Signature verification features on AppMoD and APKMirror.
After uploading the APK, signature information will be displayed, including the SHA-256 fingerprint.
Note the privacy risks: Uploading an APK to a third-party website is equivalent to handing the file over to them. Although the Binance APK itself doesn't contain your personal data, it is still recommended to:
- Only use well-known, reputable online tools.
- Ensure the site automatically deletes your uploaded file after verification.
- Avoid using online verification on apps related to phone numbers or accounts.
Method 4: Verify Directly on the Phone
The lazy approach, with no computer needed: install an app package info viewer (from a trusted app market), open it, select Binance, and look at the "Signature Info" or "Certificate Info" field to see the SHA-256 fingerprint.
The premise of this method is that the info viewer app itself on your phone must be trustworthy.
The Complete Loop of the Verification Process
Recommended complete verification process:
- Download the APK from binance.com.
- Note the APK file size and compare it with the officially published value (should be 80-90MB).
- Run apksigner verify to confirm the signature is valid.
- Run apksigner verify --print-certs to get the SHA-256.
- Compare it with the SHA-256 published on the official website.
- Install only if it matches exactly.
- After installation, check that the package name is com.binance.dev.
After completing these seven steps, you can be 99.99% sure the APK is original.
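Method 1 and the seven-step loop above can be scripted so that the comparison is done by the machine rather than by eye. The following Python example is added here and is not code from the article or from Binance. It parses the output of apksigner verify --verbose --print-certs (the two flags can be combined in one call), applies the article's checks (the "Verifies" line, v1/v2/v3 all true, exactly one signer, SHA-256 equal to the published value), checks the file size range, and reads the package name from the output of aapt dump badging as a computer-side substitute for checking it on the phone. Assumptions: apksigner and aapt from Android build-tools are on PATH; the embedded apksigner output is a constructed sample modelled on the article's illustrative output (the real tool prints the digest as plain hex, and the parser accepts both forms); EXPECTED_SHA256 is a placeholder to be replaced with the value from the Binance Help Center page.

```python
import re
import subprocess
import sys
from pathlib import Path
from typing import List, Optional

# Placeholder: replace with the SHA-256 published on the Binance Help Center
# page. The value here is the illustrative one used in the article.
EXPECTED_SHA256 = ("a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:"
                   "a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90")
EXPECTED_PACKAGE = "com.binance.dev"
SIZE_RANGE_MB = (80, 90)

# Constructed sample of `apksigner verify --verbose --print-certs` output.
SAMPLE_APKSIGNER_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Number of signers: 1
Signer #1 certificate DN: CN=Binance Holdings Limited, O=Binance, L=George Town, ST=Cayman, C=KY
Signer #1 certificate SHA-256 digest: a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
Signer #1 certificate SHA-1 digest: a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:11:22:33:44
Signer #1 certificate MD5 digest: a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
"""

SCHEME_RE = re.compile(r"^Verified using v(\d) scheme .*?:\s*(true|false)\s*$", re.MULTILINE)
SIGNERS_RE = re.compile(r"^Number of signers:\s*(\d+)\s*$", re.MULTILINE)
# The digest may be wrapped onto following lines when copied from a page.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9A-Fa-f:]+(?:\n[0-9A-Fa-f:]+)*)", re.MULTILINE)


def normalize(fp: str) -> str:
    """Lowercase hex with no colons, spaces or line breaks."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def assess(apksigner_text: str, expected_sha256: str) -> List[str]:
    """Apply the article's checks to apksigner output; an empty list means all passed."""
    problems: List[str] = []
    first = [l.strip() for l in apksigner_text.strip().splitlines()[:1]]
    if first != ["Verifies"]:
        problems.append("apksigner did not report 'Verifies'")
    schemes = {int(v): flag == "true" for v, flag in SCHEME_RE.findall(apksigner_text)}
    for v in (1, 2, 3):  # v4 and source-stamp lines are normally false and are ignored
        if not schemes.get(v, False):
            problems.append(f"v{v} signature scheme did not verify")
    m = SIGNERS_RE.search(apksigner_text)
    signers = int(m.group(1)) if m else 0
    if signers != 1:
        problems.append(f"expected exactly one signer, found {signers}")
    digests = [normalize(d) for d in DIGEST_RE.findall(apksigner_text)]
    if digests != [normalize(expected_sha256)]:
        problems.append(f"certificate SHA-256 {digests} does not match the published value")
    return problems


def size_ok(size_bytes: int, lo_mb: int = SIZE_RANGE_MB[0], hi_mb: int = SIZE_RANGE_MB[1]) -> bool:
    """Step 2: the file size should fall in the range published by Binance."""
    return lo_mb * 1024 * 1024 <= size_bytes <= hi_mb * 1024 * 1024


def package_name(aapt_badging_text: str) -> Optional[str]:
    """Step 7 on the computer: read the package name from `aapt dump badging`."""
    m = re.search(r"^package: name='([^']+)'", aapt_badging_text, re.MULTILINE)
    return m.group(1) if m else None


def run_tool(args: List[str]) -> str:
    # apksigner and aapt come from Android build-tools and must be on PATH.
    return subprocess.run(args, capture_output=True, text=True).stdout


def main(apk: str) -> int:
    path = Path(apk)
    problems = [] if size_ok(path.stat().st_size) else ["file size outside the published range"]
    problems += assess(run_tool(["apksigner", "verify", "--verbose", "--print-certs", str(path)]),
                       EXPECTED_SHA256)
    pkg = package_name(run_tool(["aapt", "dump", "badging", str(path)]))
    if pkg != EXPECTED_PACKAGE:
        problems.append(f"package name {pkg!r} is not {EXPECTED_PACKAGE}")
    for p in problems:
        print("FAIL:", p)
    print("Do NOT install" if problems else "OK: all checks passed")
    return 1 if problems else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))
    print("sample output problems:", assess(SAMPLE_APKSIGNER_OUTPUT, EXPECTED_SHA256))
```

Run it as python verify_binance_apk.py Binance.apk after pasting the official fingerprint into EXPECTED_SHA256; a non-zero exit status means at least one of the seven checks failed and the APK should not be installed.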
Frequently Asked Questions
Q1: I can't find where Binance publishes the SHA-256 fingerprint.
A: Binance publishes it on the "How to Verify APK Authenticity" page in their Help Center. The main signature in different periods may vary (if key rotation was performed), and the official site lists all valid historical signatures. If you can't find it, contact Binance customer service directly; do not rely on "fingerprints" from third-party websites as references.
Q2: Which is more reliable, SHA-1 or SHA-256?
A: SHA-256 is more reliable. SHA-1 has known collision weaknesses and should not be used as the sole basis for security verification. However, in a scenario like APK signing, producing a SHA-1 collision against a specific certificate remains extremely difficult in practice. Comparing both provides greater security. Absolutely do not rely on MD5 alone; MD5 collisions are trivial to produce.
Q3: Should the signature fingerprints of two different versions of the Binance APK be the same?
A: They should be exactly the same, because the same signature certificate is used. If you compare the APK signatures of versions v2.91.0 and v2.92.0, the SHA-256 fingerprints must be perfectly identical. What differs is the hash of the APK content itself, but the certificate fingerprint remains unchanged. This is how you confirm it's from the "same developer."
Q4: If signature verification passes but the app runs abnormally, does it mean the app still has a problem?
A: Passing signature verification only proves the APK hasn't been tampered with; it doesn't prove everything will run normally. If the signature is correct but the app is glitchy, it could be: ① Incompatible system version; ② Network issues; ③ Corrupted local cache; ④ Interference from other malware on the phone. Try uninstalling, reinstalling, and clearing the cache first.
Q5: How do iOS users verify app authenticity?
A: iOS doesn't require manual signature verification. Apple's code-signing and sandbox model means that every app downloaded from the App Store is signed by Apple, and the system automatically verifies the signature on every startup. A tampered app cannot run on a regular iPhone. The focus for iOS users is: Ensure you download from the official App Store and that the developer is listed as Binance Holdings Limited.
Signature Verification is a One-Time Investment
Learning how to use apksigner for the first time takes 10-20 minutes, but subsequently verifying each new APK update only takes 30 seconds. Compare these two scenarios:
- The cost of not verifying: A one-in-ten-thousand chance of installing a fake app, getting assets stolen, and losing anywhere from thousands to hundreds of thousands.
- The cost of verifying: Spending an extra 30 seconds per update.
From mathematical expectation, verifying APK signatures is a highly rewarding habit. For any user holding over a thousand dollars in crypto, this should be a standard step for every app update.
If you feel the command line is too much trouble, at least do the two most basic steps:
- Only download from binance.com.
- After installation, check that the package name is com.binance.dev.
These two steps can block the vast majority of fake versions, adding a layer of insurance for your assets.