File Checksum Verification

A corrupted download can crash on install. A tampered file can contain malware. Checksum verification catches both problems in under a minute — one command tells you if the file is exactly what the publisher released.

Last updated: January 19, 2026

How does a checksum detect file changes?

A checksum algorithm (like SHA-256) reads every byte of a file and produces a fixed-length "fingerprint" that is, for practical purposes, unique to that file. Change any part of the file, even a single bit, and the output changes unpredictably. This is called the avalanche effect: small input changes cause large output changes.

When the publisher releases an APK, they also publish its checksum. After you download, you compute the checksum locally and compare. If both match exactly, the file is identical to what the publisher released. If they differ, the file was modified or corrupted during transfer.

How do I compute a checksum on Windows?

Windows has two built-in options: certutil (Command Prompt) and Get-FileHash (PowerShell). Both compute the same hash value.

Command Prompt:

certutil -hashfile app.apk SHA256

PowerShell (often easier to copy output):

Get-FileHash app.apk -Algorithm SHA256 | Format-List

Example output (certutil; Get-FileHash shows the same value in uppercase in its Hash field):

SHA256 hash of app.apk:
3a7bd3e2c4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1

Copy the 64-character hex string and compare it character by character with the official value (letter case does not matter). If they match exactly, the file is identical to the one the publisher released. Even one different character means the file was modified or corrupted.

How do I compute a checksum on macOS or Linux?

Both systems include a built-in tool: shasum on macOS and sha256sum on Linux. Open Terminal and run the command for your system.

macOS command:

shasum -a 256 ~/Downloads/app.apk

Linux command:

sha256sum ~/Downloads/app.apk

Example output:

3a7bd3e2c4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1  app.apk

The first 64 characters are the checksum. Compare with the official value — they must match exactly.
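
An added example, not from the original page: a POSIX shell function that automates the comparison described above on macOS and Linux. The function names `sha256_of` and `verify_sha256` and the exit codes are assumptions of this example, and the demo file is constructed.

```shell
#!/bin/sh
# Print the SHA-256 of a file using whichever tool this system ships.
sha256_of() {
    # Read via stdin so unusual filenames cannot change the output format.
    if command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum < "$1") || return 2        # Linux
    elif command -v shasum >/dev/null 2>&1; then
        out=$(shasum -a 256 < "$1") || return 2    # macOS
    else
        echo "no SHA-256 tool found" >&2; return 2
    fi
    printf '%s\n' "${out%% *}"   # output is "<hash>  -"; keep only the hash
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 on bad input
verify_sha256() {
    file=$1
    # Normalize the published value: drop whitespace, lowercase
    # (PowerShell's Get-FileHash prints uppercase hex).
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A SHA-256 value is exactly 64 hex characters; 32 or 40 means an
    # MD5 or SHA-1 value was pasted by mistake.
    case $expected in
        *[!0-9a-f]*) echo "expected value contains non-hex characters" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value has ${#expected} hex chars, not 64" >&2; return 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"; return 0
    fi
    echo "MISMATCH: do not install $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a temp file holding "abc", checked against the standard
# SHA-256 test vector for that input (given in uppercase to show normalization).
demo=$(mktemp)
printf 'abc' > "$demo"
verify_sha256 "$demo" "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
rm -f "$demo"
```

In a download script, call `verify_sha256 app.apk "<published value>"` and stop unless it returns 0.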

Can I verify a checksum on Android?

Android does not have a built-in checksum tool, but apps like Hash Checker or Hash Droid (both available on F-Droid and Play Store) can compute checksums for any file.

Steps:

  1. Install Hash Checker from Play Store or F-Droid.
  2. Open the app and select the downloaded APK.
  3. Choose SHA-256 as the algorithm.
  4. Compare the result with the official checksum.

If the checksums differ, delete the file and download again from the official source.

Why is SHA-256 more reliable than MD5?

MD5 was designed in 1991 and has had known collision vulnerabilities since 2004. A collision means two different files can produce the same MD5 hash, so an attacker could create a malicious file with a matching MD5. SHA-256 has no known collisions and produces a longer hash (256 bits vs 128 bits), making brute-force attacks impractical.

| Algorithm | Hash length | Security status | Recommendation |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Collisions found in 2004 | Avoid if SHA-256 available |
| SHA-1 | 160 bits (40 hex chars) | Collisions found in 2017 | Use only if no alternative |
| SHA-256 | 256 bits (64 hex chars) | No known collisions | Preferred: use this |

Where do I find the official checksum to compare?

The publisher may list the checksum on the official download page or in release notes. If no checksum is published, use APK signature verification instead — it provides equivalent protection.

| Source | Where to look | If not available |
|---|---|---|
| Official website | Download page, next to download button | Use signature verification |
| Release notes | Changelog or "What's new" section | Check website instead |
| VirusTotal | Upload file → Details tab shows hashes | Compare with known-good version |

Note: Checksums change with every app update. The value you see today will be different next week. Always get the checksum at the same time you download the file, from the same official source.

What if the checksums don't match?

A mismatch means the file you have is different from what the publisher released. Do not install it. Follow these steps:

  1. Delete the downloaded file — do not attempt to install.
  2. Clear browser cache — old cached data can interfere with downloads.
  3. Re-download from official source — use a direct link, not a bookmark.
  4. Compute checksum again — compare with the official value.
  5. If still mismatched: Try a different browser or device, or use signature verification instead.

Quick reference: checksum commands by platform

Copy the command for your system.

| Platform | Tool | Command |
|---|---|---|
| Windows (CMD) | certutil | certutil -hashfile app.apk SHA256 |
| Windows (PowerShell) | Get-FileHash | Get-FileHash app.apk -Algorithm SHA256 |
| macOS | shasum | shasum -a 256 app.apk |
| Linux | sha256sum | sha256sum app.apk |
| Android | Hash Checker app | Select file → SHA-256 → Compare |