
How to Verify the Authenticity of Binance Android APK? Check the Signature Before Logging In

The signer of the official Binance APK is Binance Holdings Ltd. This article explains three methods: computer command-line verification, mobile signature viewers, and SHA-256 hash comparison, as well as what to do if signature verification fails.

The biggest fear for Android users downloading the Binance APK is installing a phishing version. The solution is actually very simple: verify the signature first, then log in to your account. Get the official APK from the Binance website, or go directly to the download page via the Binance official app link. iPhone users do not need to worry about APKs; they can simply follow the iOS install guide. This article uses three methods to cross-verify whether an APK is genuinely from Binance.

1. Three Fixed Characteristics of the Official APK

No matter how the version updates, the official Binance APK always meets the following three characteristics:

  1. Package Name: com.binance.dev
  2. Signer: CN=Binance Holdings Ltd, O=Binance, ...
  3. SHA-256 fingerprint of the v2/v3 signing certificate: a 64-character hexadecimal string; Binance announces the currently valid fingerprint in the Help Center.

Any APK that does not match these is not an official APK. Below we explain how to use the command line, mobile apps, and hash comparison to verify these three items.

2. Method 1: Verify with apksigner on a Computer (Most Authoritative)

apksigner is the official signature verification tool that comes with the Android SDK, suitable for users with a Java environment.

Installation Steps

  1. Download Android SDK Command-line Tools: https://developer.android.com/studio#command-tools
  2. After unzipping, add cmdline-tools/latest/bin to your PATH
  3. Run sdkmanager "build-tools;34.0.0" in the command line to install build-tools
  4. Finally, apksigner will appear in the build-tools/34.0.0/ directory

Verification Command

apksigner verify -v --print-certs Binance.apk

Normal output example:

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Signer #1 certificate DN: CN=Binance Holdings Ltd, O=Binance, L=Malta, C=MT
Signer #1 certificate SHA-256 digest: a1b2c3... (a hexadecimal string)

Three must-sees:

  • Verified using v2 scheme: true and Verified using v3 scheme: true must both be true
  • certificate DN must contain Binance Holdings Ltd
  • The SHA-256 fingerprint must match the value announced in the official Binance notice

If any item does not match, delete the APK immediately and do not install it.

3. Method 2: Verify with a Signature Viewer on Mobile (Most Convenient)

If you have already installed a suspicious APK and would rather not use a computer, you can also check the signature on your phone. Two apps are recommended:

  • App Signature Checker (The version by developer Infinite Loop on Google Play)
  • Apk Info (Open source, available on F-Droid)

Taking Apk Info as an example:

  1. Open the app and grant "read installed applications" permission
  2. Search for Binance and click to enter details
  3. Scroll to the bottom to view the "Signatures" section
  4. The Subject field of the certificate should display Binance Holdings Ltd
  5. The SHA256 Fingerprint of the certificate should match the official announced value

The advantage of mobile verification is that it is fast (done in 30 seconds), but the disadvantage is that it is limited by the credibility of the checking app itself: these signature-checking tools must be downloaded from Google Play or F-Droid; do not install them from unknown channels.

4. Method 3: SHA-256 Hash Comparison (Simplest)

This is the most basic method to verify "whether the file has been tampered with", and it can be done even without Android knowledge.

Getting the APK's SHA-256

PowerShell (Windows):

Get-FileHash Binance.apk -Algorithm SHA256

Terminal (macOS/Linux):

shasum -a 256 Binance.apk

The output is a 64-character hexadecimal string.

Getting the Officially Announced Hash

Log in to binance.com → Help Center → Search for "APK hash" or "APK verification". The official announcement page will list the SHA-256 value of the current version of the APK. If your hash matches the official value, it means the file has not been tampered with and is the original APK released officially.

Note: Hash comparison can only prove "the file has not been altered"; it cannot by itself prove "this is an official file", because the hash changes with every version. The ideal approach is double insurance: hash comparison plus signature verification.

5. Several Situations Encountered When Signature Verification Fails

Situation 1: Signer is not Binance Holdings Ltd

This is the most serious situation: the APK has been re-signed by someone else. Even if the original logic belongs to Binance, attackers may insert malicious code during the repacking process (such as hijacking pasted addresses from the clipboard or forwarding 2FA verification codes). Delete it immediately and download from a different source.

Situation 2: v1 Signature Passes but v2/v3 Fails

In this case, the APK may have been tampered with using the Janus vulnerability (CVE-2017-13156), where additional DEX files are inserted while the v1 signature is retained. This is also a phishing tactic, and the file must be deleted immediately.

Situation 3: SHA-256 Does Not Match But Signature is Valid

The most likely explanation is: you downloaded an older version, and the official hash has been updated. Go back to the Binance official website to download the latest version APK, and compare again. If the hash of the latest version still does not match, your download process may have been tampered with by a man-in-the-middle; change networks or browsers and download again.

Situation 4: Phone Prompts "App is uncertified"

Play Protect on Android 10+ performs a cloud scan on all newly installed APKs. If it is a brand new version downloaded from the official website, occasionally there will be a false alarm because the Play Protect database has not been updated yet. At this time you can:

  • Wait 24-48 hours for the Play Protect update to automatically clear it
  • Or mark the app as an exception in Play Protect
  • Note: Do not ignore Play Protect just because of a false alarm—if you find that there is also an issue with the signature at the same time, it is real phishing.

6. "First Startup Check" After APK Verification

A passed signature does not mean everything is fine; you also need to look at the app's behavior on first startup:

  1. Permission Requests: The official app will not ask for SMS, contacts, or photo album permissions on the startup page. Any version that asks for these permissions upon startup is phishing.
  2. Splash Screen Ads: The official app has absolutely no third-party ads. Those with ads are fake versions.
  3. Login Interface: When logging in, the URL should point to accounts.binance.com, not any other domain.
  4. Network Requests: Use packet capture tools like HTTP Canary to look at the domains on first startup; they should all be official domains like *.binance.com or *.binancezh.co.

Only if all four of these pass can you confirm that the app is truly usable.

7. Download Channel Priority for Android Users

Sorted by security, the recommended download channels are as follows:

  1. Direct download from the official website (binance.com/download) → Highly recommended
  2. Download links pushed by Binance social accounts (official Twitter) → Only as a backup
  3. Google Play Store (if supported in your country/region) → Reliable but not available in mainland China
  4. Third-party APK repositories like F-Droid, APKMirror → Not recommended; although these sites have their own verification, it is not official distribution

Any APK distributed in QQ groups, WeChat groups, or Telegram groups must be treated as phishing, no matter how confidently the sender claims "this is the official version."

FAQ

Q: Can I verify the APK again after it is installed? A: Yes. Use pm path com.binance.dev (run in an adb shell) to find the path of the installed APK, then run apksigner on that APK to see the signature actually installed on the phone. This is the last line of defense against "being replaced after installation."

Q: Do I need to re-verify an app that has been installed for a while? A: It is recommended to do it once after every major version upgrade. Because the APK file is downloaded to a temporary directory during official upgrades, there is a window during which it could be hooked (although the risk is extremely small).

Q: Will customized systems like Android Xiaomi / Huawei affect signature verification? A: No. Signature verification is an attribute of the APK file itself and has nothing to do with the system. The "app store whitelist" on the system side is another layer of verification, and the two do not affect each other.

Q: What else can I do if I don't have a computer and haven't installed a signature viewer? A: At the very least, do a SHA-256 hash comparison. Many file managers (such as Solid Explorer) have built-in hash calculation functions, and comparing it with the official announcement is the lowest cost verification.
