Recently, there has been feedback from the community that fake iToken APK packages created by malicious individuals are circulating in the market, posing a threat to users' asset security. These malicious actors decompile legitimate APK files and inject code that can steal private keys and mnemonic phrases, then package and distribute them through other websites or channels for fraudulent activities.
When users download and use the wallet through search engines or recommendations from others, their private keys or mnemonic phrases may be compromised, resulting in the loss of all their assets. Users can follow this tutorial to verify whether the APK package they are currently using is genuine using SHA256/PGP verification.
The iToken Android APK package verification currently supports the following verification methods:
1. SHA256 verification
2. PGP verification
Below is the relevant iToken official website APK package PGP public key information:
Public key fingerprint: 342CF9D309E63E057919A8F241336B599A145D0C
User ID: build_iToken <feedback@itoken.com>
SHA256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that calculates the hash value of an APK package using the SHA256 algorithm. Users can compare the SHA256 value of the downloaded APK package with the SHA256 value provided by the official source to verify if the file content has been tampered with. Compared to the commonly used MD5 algorithm, SHA256 is more secure but computationally more intensive.
PGP (Pretty Good Privacy) is an encryption and digital-signature scheme used here to verify both the integrity and the origin of a file. To sign a release, a cryptographic digest of the APK is computed and that digest is signed with the official iToken RSA private key (stored in hardware), producing a detached signature file. Users import the iToken PGP public key from a PGP key server and use it, together with the signature file, to check the signature against the digest of their local APK. If the signature verifies, the APK is intact (it has not been tampered with) and is an official iToken release, since nobody else holds the iToken private key needed to produce a valid signature.
The signature file is the detached PGP signature produced in this way: the digest of the APK, signed with the official iToken RSA private key (stored in hardware). It is used primarily to verify that an APK package is an official iToken release.
APK package - SHA256 value and signature file
Version    | SHA256 value                                                     | Signature file
v4.0.3.020 | 368dc60913ffe71b33eb30777e5c24a4dbe5f23dcd4f26b645e4246251c88bf7 |
v4.0.4.031 | e51f9acbc41372dc522cf1b88b151b66de4b93df9bc071c191186100cc7b7317 |
How to perform SHA256 verification:
Calculating SHA256 value using an online tool:
1. Download the iToken APK package to your computer.
2. Open the website: https://oktools.net/file-hash (Note: This is a tool website for calculating file SHA256 values).
3. Upload the application installation package to the website to obtain the SHA256 value of the installation package file. In the example image below, confirm that SHA256 is selected by checking the box in the green area, and drag the installation package into the green area as shown:
4. Compare the obtained SHA256 value with the SHA256 value listed in the "SHA256 Value and Signature File of Official Wallet" table at the top of the document. If they match, it indicates that the package is genuine. If they don't match, it means it is a fake installation package. In such cases, please immediately stop using the application and download the genuine iToken from the official website at https://www.itoken.com and transfer your assets there.
Steps to obtain SHA256 value on macOS:
1. Place the iToken APK package on the desktop of your system.
2. Open Terminal (default path: Launchpad - Others - Terminal) and enter "cd desktop/" without quotes, then press "Enter" to confirm.
3. Enter "shasum -a 256" followed by the file name of the installation package and press "Enter" to obtain the SHA256 value of the package.
Please note that the instructions provided here are for macOS specifically. If you are using a different operating system, the steps may vary slightly.
4. Compare the obtained SHA256 value with the SHA256 value listed in the "SHA256 Value and Signature File of Official Wallet" table at the top of the document. If they match, it indicates that the package is genuine. If they don't match, it means it is a fake installation package. In such cases, please immediately stop using the application and download the genuine iToken from the official website at https://www.itoken.com and transfer your assets there.
Steps to obtain SHA256 value on Windows:
1. Place the downloaded iToken installation package on the desktop of your system.
2. Open the command prompt (press Win key + R, type "cmd", and hit "Enter") and enter "cd desktop\" without quotes, then press "Enter" to confirm.
3. Enter "certUtil -hashfile <filename> SHA256" without quotes, replacing `<filename>` with the name of the installation package file, and press "Enter" to confirm. This command will provide you with the SHA256 value of the installation package file.
4. Compare the obtained SHA256 value with the SHA256 value listed in the "SHA256 Value and Signature File of Official Wallet" table at the top of the document. If they match, it indicates that the package is genuine. If they don't match, it means it is a fake installation package. In such cases, please immediately stop using the application and download the genuine iToken from the official website at https://www.itoken.com and transfer your assets there.
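The macOS and Linux steps above, combined into one small POSIX shell script. This is an added example, not iToken's own tooling: it assumes either sha256sum (Linux) or shasum (macOS) is on the PATH, and takes the path of the downloaded APK and the digest from the table as arguments. The comparison is case-insensitive, so a digest copied in upper case still matches; anything other than an exact match is reported as a mismatch.

```shell
#!/bin/sh
# Added example: compute an APK's SHA256 and compare it with the published value.
# Assumes sha256sum (Linux) or shasum (macOS) is available on PATH.

sha256_of() {
  # Print only the hex digest of file $1 (both tools print "<hex>  <name>").
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # $1 = path to the downloaded APK, $2 = SHA256 listed in the official table.
  # Returns 0 on a match, 1 on a mismatch, 2 if the file cannot be read.
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "MATCH: $1 ($actual)"
    return 0
  fi
  echo "MISMATCH: $1 is not the published package" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (after sourcing this file in a terminal on the desktop):
#   verify_sha256 iToken.apk e51f9acbc41372dc522cf1b88b151b66de4b93df9bc071c191186100cc7b7317
```

A non-zero exit status means the package must not be installed; only a MATCH line against the digest published for that exact version counts as a pass.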
How to perform PGP verification:
1. Install the relevant client:
Method 1: Install GPG Suite from https://gpgtools.org/ (Recommended for non-developer users).
Method 2: Download the GnuPG (GPG) source code from https://gnupg.org/download/index.html, enter the source code directory and execute "./configure && make && make install" (you may need to install the dependencies it asks for).
Method 3: Download the GnuPG installation package for your platform from https://gnupg.org/download/index.html. For example, for Mac OS, download "GnuPG for OS X".
Once the installation is successful, open the terminal/command prompt (refer to the SHA256 tutorial for instructions) and execute "gpg --help". If it displays version information, it indicates that the installation was successful.
2. Import the iToken PGP public key:
Method 1: In the GPG Keychain management software (included with GPG Suite), click "Search for Keys", enter the public key fingerprint 342CF9D309E63E057919A8F241336B599A145D0C, and import the public key once it is found.
Method 2: In a terminal/command prompt window, enter "gpg --recv-keys 342CF9D309E63E057919A8F241336B599A145D0C" to import the public key automatically.
3. Download the iToken APK and the corresponding version of the PGP signature file (the latest version can be downloaded from the official website) and place them on the desktop of your system.
4. Perform verification:
* Verifying integrity is crucial, and it is recommended to verify the integrity of the downloaded file before every installation.
(1) Open the terminal/command prompt window and enter "cd desktop/" without quotes, then press "Enter" to confirm.
(2) Enter "gpg --verify <signature file name> <installation package file name>" without quotes, replacing "<signature file name>" with the name of the signature file and "<installation package file name>" with the name of the installation package file, then press "Enter" to confirm.
If the output shows "gpg: Good signature" for the build_iToken key listed above, the package is genuine. If it reports a bad signature, or no valid signature at all, the package is a fake installation package. In such cases, please immediately stop using the application and download the genuine iToken from the official website at https://www.itoken.com and transfer your assets there.
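The verification step above, as an added shell script that is not iToken's own tooling. It makes two checks that reading the plain gpg --verify output does not enforce: that the key fetched with --recv-keys really has the published fingerprint, and that the "Good signature" came from that key rather than from some other key already in the local keyring. It uses gpg's machine-readable --status-fd output, where the VALIDSIG line carries the signing key's fingerprint and, as its last field, the primary key's fingerprint. A freshly imported key also makes gpg print "WARNING: This key is not certified with a trusted signature"; that warning is expected for a key outside your web of trust, and the fingerprint comparison below is what stands in for that trust. The script assumes gpg (GnuPG) is installed and that the signature file is a detached signature.

```shell
#!/bin/sh
# Added example: PGP verification of an iToken APK with explicit fingerprint checks.
# Assumes gpg (GnuPG) is installed. The fingerprint is the one published in the article.
ITOKEN_FPR="342CF9D309E63E057919A8F241336B599A145D0C"

import_and_check_key() {
  # Fetch key $1 from the configured key server, then confirm the keyring holds a key
  # whose fingerprint is exactly $1 ("fpr" records of --with-colons carry it in field 10).
  gpg --batch --recv-keys "$1" >/dev/null 2>&1 || return 1
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
    awk -F: -v want="$1" '
      $1 == "fpr" && toupper($10) == toupper(want) { found = 1 }
      END { if (found) exit 0; exit 1 }'
}

check_status() {
  # Read gpg --status-fd lines on stdin; succeed only if a VALIDSIG line names the
  # expected fingerprint ($1) as the signing key or as the primary key (last field).
  # A GOODSIG from any other key, a BADSIG, or no signature at all fails.
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
    }
    END { if (ok) exit 0; exit 1 }'
}

verify_apk_signature() {
  # $1 = signature file, $2 = APK, $3 = expected fingerprint. gpg's human-readable
  # report stays on stderr (discarded here); the status lines go to check_status.
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

verify_release() {
  # Whole procedure: import the key, check its fingerprint, verify the detached signature.
  # $1 = signature file, $2 = APK.
  if ! import_and_check_key "$ITOKEN_FPR"; then
    echo "key import failed or fingerprint does not match $ITOKEN_FPR" >&2
    return 1
  fi
  if verify_apk_signature "$1" "$2" "$ITOKEN_FPR"; then
    echo "GENUINE: $2 carries a valid signature from key $ITOKEN_FPR"
    return 0
  fi
  echo "NOT VERIFIED: $2 (bad signature, or signed by a different key)" >&2
  return 1
}

# Usage (from the desktop): verify_release iToken.apk.asc iToken.apk
```

check_status is kept separate from the gpg call so it can be exercised with constructed status lines; in practice the only output worth acting on is a GENUINE line, and anything else means the package should not be installed.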