Android APK download and verification

Android users: open the Binance Official Website, click "Download" → "Android" at the top, or hit the Binance Official App shortcut. The whole flow takes about three minutes — the one step you cannot skip is signature verification. Because Android is open, more than 90% of phishing incidents happen on this side, so this section is more detailed than the iOS one.

Details on "unknown sources" permission

From Android 8 onward, the "unknown sources" permission is granted per app: every browser and file manager has its own switch. Find it under Settings → Apps & permissions → Special permissions → Install unknown apps, locate the browser you used (Chrome / Edge / Samsung Internet / Quark / UC, etc.), and toggle it on. Once Binance is installed, turn the switch back off so a stray third-party download page cannot push another app onto you. HarmonyOS, MIUI, and ColorOS use slightly different wording but the same path. MIUI users will see an extra "install-source security warning" — tap "I understand the risk and continue" to proceed.

Can't find the APK file

It is common to miss the "Open" button after a download and lose track of the file. Open the built-in "Files" or "My Files" app, navigate to the Download folder, and sort by date in reverse — the latest .apk file will be at the top. With Chrome you can long-press "Open" on the bottom download banner to jump there; with Edge there is a download arrow on the right of the address bar. On HarmonyOS, "Pure Mode" sometimes locks APKs — tap the APK in the file manager, follow the prompt to "Security settings", and temporarily disable Pure Mode.

Install permissions and failure messages

Beyond "unknown sources", a few other rejections show up: not enough storage — Binance ends up around 220 MB after install (with data), so keep at least 500 MB free; an existing package with a mismatched signature, which means a non-official build is already there and must be removed cleanly first; family / kids mode lock — OPPO, vivo, and Huawei kids-mode profiles intercept APK installs, so switch back to the main user. If the install screen freezes for over 30 seconds, do not keep tapping; return to the home screen and tap the APK again. Force-restarting the phone mid-install can leave the system in a half-installed state, which then requires a Dalvik-cache wipe to fix.

iOS install walkthrough

iOS users need to sign in to the App Store with a non-mainland-China Apple ID (US / HK / JP all fine). Before downloading, fetch the App Store QR code from the Binance Official Website — that prevents you from accidentally tapping a same-named clone in the search results. To be clear: phishing on iOS is much harder than on Android — as long as the app comes from the App Store and the developer reads "Binance", it is essentially 100% legitimate. The real risk is getting phished while you are switching Apple IDs, so we cover that part in detail.

Region, email, and address tips

The trickiest field when registering an overseas Apple ID is the address. The US region needs a real US address — any free public address generator will work, as long as ZIP, state, and city match. Hong Kong is more relaxed; any HK office building address is fine. Apple's anti-fraud system compares your IP to the chosen region, so use a stable overseas network during registration; once it's active, you can switch freely. If your fresh account immediately shows "This Apple ID has not yet been used in the iTunes Store" when downloading, just accept the terms and fill in the basic profile once — do not log out and back in repeatedly.

Don't want to register? Borrow an existing overseas ID

If a friend or family member already has an overseas Apple ID, the safest play is to borrow it directly — sign in with their ID under "Media & Purchases" only, download Binance, and sign out. Their personal data never lands on your device. Never buy a "shared Apple ID" or "public US ID" — those accounts can be reclaimed by Apple at any moment, and worse, plenty of sellers attach a malicious configuration profile beforehand. The instant you log in, your device gets an MDM profile and your photos, messages, and location are exposed.

Signing issues and the TestFlight path

The official Binance app ships through the App Store review process — there is no "enterprise certificate revoked" or "expired profile". Anything that asks you to install a configuration profile or trust a developer certificate is phishing. On the genuine side, TestFlight beta builds occasionally roll out to specific regions; whether you can join depends on whether Binance is currently distributing TF slots. It is fine to join, fine to skip — the production version is fully featured either way. Ignore claims about "permanent TestFlight builds" or "internal PRO versions". If your first launch shows "Update to the latest version", open the App Store and tap "Update" manually — never tap any external link inside the in-app prompt.

macOS and Windows desktop clients

The desktop client is best for long charting sessions or API-driven trading. The macOS client is built on Electron with native Apple Silicon support (M1/M2/M3/M4); the Windows client is Win10/11 64-bit only and installs without admin rights. Both come from the "Download" link at the top of the Binance Official Website. Functionally the desktop client is identical to the web app, but local shortcuts, floating-price widgets, and tray tickers fit intraday trading better.

macOS Gatekeeper interception explained

A dmg downloaded through the browser automatically receives the "com.apple.quarantine" attribute, so the first launch is blocked by Gatekeeper with "cannot verify developer". The right way through: open System Settings → Privacy & Security, scroll down to the "Security" section, you will see a "Binance was blocked" notice, click "Open Anyway" on the right; the next launch will show a confirmation dialog, click "Open". If you installed a .app copied from somewhere else (strongly discouraged), macOS may flag it as "damaged, move to Trash" because the quarantine version is recognized as a risky source. The fix is to re-download the dmg from the Binance website, not to copy a Gatekeeper-bypass command from the internet — running the wrong one will whitelist every unsigned app indefinitely.

Windows install and Defender alerts

The Windows client is smaller and faster to launch, but Defender SmartScreen occasionally flags new builds. If a blue "Windows protected your PC" prompt appears, check that "App" reads BinanceSetup.exe and "Publisher" reads Binance Holdings Limited; if both match, click "More info" → "Run anyway". The default install location is %LocalAppData%\\Programs\\Binance, no admin needed. If you prefer Program Files, right-click the exe → "Run as administrator". Defender's real-time protection may scan again on first launch — this is normal, just wait a few seconds. Never add the Binance folder to Defender's exclusion list to "skip the scan" — phishing builds can ride on that exclusion to inject into the legitimate process undetected.

Web-client browser support and login tips

If you would rather skip the desktop client, the web app supports every feature — spot, futures, earn, withdrawals. Stability mostly comes down to your browser engine version and cookie settings; the table below summarizes the official recommendations alongside what we have observed in practice.

Cookies and session settings

Binance web login relies on third-party cookies for cross-domain coordination (market data on binance.com, risk control on binancezh.co, support on a subdomain). If your browser blocks all third-party cookies, you will hit a "redirect back to login" loop. The fix is to allow cookies for binance.com and its subdomains, or move the privacy level from "Strict" back to "Balanced". Safari users also need to add a tracking exception for binance.com under "Settings → Privacy → Prevent cross-site tracking".

Risk-control triggers and switching browsers

If the same account flips IPs frequently, clears the cache often, or runs browser-automation extensions, Binance's risk control may demand a fresh round of verification. Do not panic-clear cookies and retry; the safest move is to switch to a clean browser with no extensions installed — Edge InPrivate or Chrome Guest mode is ideal — log in there, complete the verification, then come back to your daily browser. Stuffing several accounts into the same browser via different windows easily clashes with device fingerprinting; give each account its own browser profile.

Telling a real app from a phishing build: a four-step check

Every week we see appeal cases where the user discovers their installed app was a phishing build — same icon, similar UI, but funds vanish in seconds. The four checks below decide it in under two minutes.

1. Package name / developer. On Android, use a package-info app to confirm the package name is com.binance.dev. On iOS, the App Store page must list the developer as Binance. Anything else is a clone.
2. Signature certificate. The Android APK must be signed by Binance Holdings Limited — verify with Android's official tooling or a signature-viewer app. The certificate's SHA-256 fingerprint is published in the Binance help center.
3. Permission requests. The official app does not request SMS, contacts, photo album, or accessibility permissions on first launch; anything that demands those at the splash screen is almost certainly phishing.
4. Network requests. Use a packet inspector to look at the launch traffic — the official app only talks to binance.com / binancezh.co and their subdomains. Any unfamiliar third-party domain is reason to uninstall on the spot.

SHA-256 verification (in plain language)

You don't need to type a command to verify. On Windows, drag the APK file into File Explorer, right-click → Properties — recent versions show the file hash there directly; older versions can use the built-in PowerShell terminal's file-hash utility. macOS users can right-click the APK in Finder → Services → "Compute file checksum", or use a hashing utility from Terminal. On Android, install something like "Hash Droid" or "Termux File Hash" and point it at the APK. Whichever route you take, you end up with a 64-character hex string. Compare it digit-for-digit against the SHA-256 published on Binance's download page — one extra digit, one missing digit, or a case mismatch all fail. If verification fails, delete the installer immediately and clear your browser's download history so you do not double-tap it later.

Package size and version-number reference

Phishing repackages also tend to have abnormal sizes — too small (under 70 MB, missing real assets) or too large (over 150 MB, padded with ad SDKs and surveillance modules). The official Android APK consistently sits in the 80–95 MB range. For version numbers, "Profile → About" inside the app shows the full version, e.g. 2.78.0 or 2.79.1. Compare it against the latest version published on Binance's site — within two minor versions is normal grayscale variance; a wider gap means you should update from the official download page right away.

Common install errors at a glance

The errors users report most often are gathered below. Find your symptom in the first column and follow the matching fix in the third.

Must-do security settings after install

Installing the app does not equal account safety. The four items below — drawn from SentinelGuard's case archive over the years — give the highest payoff: set them once, benefit forever, and each takes under two minutes.

• Bind Google Authenticator 2FA. Under "Security → Two-factor verification" pick Google Authenticator, write the 16-character key down on paper for offline backup so a lost phone does not lock you out. Full walkthrough lives under our 2FA Setup category.
• Set the anti-phishing code. In "Security → Anti-Phishing Code" choose any 4–20 character string. Every legitimate Binance email will then carry that string in the subject; any "Binance email" without it is phishing. Details under Anti-Phishing.
• Enable the withdrawal whitelist. Add your usual cold-wallet addresses to the whitelist and turn on "Withdraw to whitelist addresses only" — even an attacker holding your 2FA cannot pull funds out.
• Clean up old logged-in devices. Under "Security → Device Management", review every active session and kick anything unfamiliar or unused. See the Device Management category.

All four can be configured on either the app or the web client, but we recommend doing them on Binance Official Website first — the desktop view is wider and harder to misclick. Settings sync back to the app immediately afterwards.

Binance app download FAQ

Next steps

Installing the app is only step one — your account is genuinely safe only after the defensive stack is complete. After this page, head back to Topics and read through "2FA Setup → Anti-Phishing → Device Management → Withdrawal Whitelist" in that order to lock the basics in. If you just realized the installed app is phishing and you have already logged in, stop reading right now, open Binance Official Website on a clean device, change your password, and follow the incident-response steps in the "Device Management" category to kick off every unknown session.