How does it work?
Whenever someone wants to download an APK file from apkplz.com, we first check for the corresponding APK file on Google Play and, if it is there, let the user download it directly (we also cache it on our server).
If the APK file is not on Google Play, we search for it in our cache or on another certified APK hosting site and download it from there. As the following picture shows, the APK file comes from Google Play.
We treat the security of APKs as a very serious issue. That is why we make sure every APK comes from its official manufacturer.
We use the "Certificate Fingerprint" to check who published the APK file. We extract a string from the APK file that identifies its signing certificate (the SHA1 hash of the certificate) and compare this identifier with the one recorded on Google Play.
If they are identical, we consider the APK safe. Otherwise, it is not.
We decline any APK whose identifier differs from Google Play's, and we do not host or cache such APKs. So it is not possible to download an "unsafe" APK from apkplz.com.
Note: We also decline all APKs signed with a 'debug' certificate, which are not safe.
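The check described above, as an added example (not apkplz.com's own code): it pulls the signer certificate out of a PKCS#7 signature block (the META-INF/*.RSA entry of a v1-signed APK), computes the SHA1 fingerprint in the colon-separated form Google Play and keytool display, rejects debug signers, and compares against the fingerprint recorded from Play. The PKCS#7 layout is the standard one; the two certificates are constructed stand-ins (tiny SEQUENCEs, not real X.509), and the "Android Debug" substring test is a heuristic rather than a proper subject-name parse.

```python
import hashlib
def der(tag, payload):
    # DER TLV encoder; used only to build the constructed samples below
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def children(buf):
    # Yield (tag, value, raw_tlv) for each DER element packed back-to-back in buf
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        nlen = 0 if first < 0x80 else first & 0x7F
        length = first if nlen == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
        start, end = pos + 2 + nlen, pos + 2 + nlen + length
        yield tag, buf[start:end], buf[pos:end]
        pos = end

def signer_certs(pkcs7):
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    content_info = next(children(pkcs7))[1]
    signed_data = next(v for t, v, _ in children(content_info) if t == 0xA0)
    fields = next(children(signed_data))[1]  # body of the SignedData SEQUENCE
    # certificates [0] IMPLICIT SET OF Certificate (optional); each cert is a SEQUENCE
    for t, v, _ in children(fields):
        if t == 0xA0:
            return [raw for t2, _, raw in children(v) if t2 == 0x30]
    return []

def sha1_fingerprint(cert_der):
    # Colon-separated upper-case SHA-1 of the certificate DER, as keytool and Play show it
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())

def verify_signer(pkcs7, play_fingerprint):
    # Reject debug signers (heuristic substring check), then accept only if some signer's
    # fingerprint equals the one recorded from Google Play
    certs = signer_certs(pkcs7)
    if not certs or any(b"Android Debug" in c for c in certs):
        return False
    return any(sha1_fingerprint(c) == play_fingerprint for c in certs)
# Constructed stand-ins for signer certs (a SEQUENCE holding one UTF8String; a real
# X.509 certificate is far larger): one release-like, one debug-like.
RELEASE_CERT = der(0x30, der(0x0C, b"CN=Example Publisher"))
DEBUG_CERT = der(0x30, der(0x0C, b"CN=Android Debug"))
def sample_pkcs7(cert):
    # Minimal PKCS#7 SignedData around one cert (constructed sample): version,
    # digestAlgorithms, contentInfo (id-data), certificates [0], signerInfos
    oid = lambda h: der(0x06, bytes.fromhex(h))
    body = (der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid("2A864886F70D010701"))
            + der(0xA0, cert) + der(0x31, b""))
    return der(0x30, oid("2A864886F70D010702") + der(0xA0, der(0x30, body)))
```

On a real APK the input to `signer_certs` is the raw bytes of the META-INF/*.RSA (or .DSA/.EC) entry, and `play_fingerprint` is the value previously recorded for that package on Google Play.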
Why is using SHA1 to identify the certificate safe?
That is a cryptography question. Please refer to the following authoritative sources for the reasoning.
References
1. Wiki:Android application package
2. Signing Your Applications
3. Application Signature Verification: How It Works
4. Understanding Signing and Verification
5. X.509 Certificates and Certificate Revocation Lists (CRLs)