banner.png

You might have read our recent series on crypto scams - for example part 3 on fake apps

Today our security team prepared a tutorial on how to spot fake websites and apps. Read on to learn more.

 

Stay safe in app stores

When downloading an app like imToken, you might go to the Google Play Store or Apple App Store. When visiting one of those two app store, simple tips can help you to stay safe:

  1. Search for the app name and be careful if you find multiple apps, because usually only one is real and fake apps try to look similar to real ones
  2. An app with many reviews and downloads is less likely to be fake, because fake apps will be taken offline before getting many downloads

If you don’t download from the two big app stores, be careful, because smaller app stores are - generally speaking - less safe. Why? Because in our security team’s experience, they are less strict in taking down fake apps.

If you don’t download from app stores at all, you might use an official website - such as imToken’s https://token.im/ . In this case, here are our recommendations:

 

Three steps to tell if a website is real and safe

  1. Make sure that the domain name you entered in the browser is: https://token.im/
    Note: Be sure to use HTTPS instead of HTTP.
  2. Make sure there is a security icon such as 🔒 or 🛡 in front of the domain name.
    image1.png
  3. Click the security icon, the website is real and safe if the pop-up shows “Connection is secure”. Otherwise, the website is fake and you can contact us via [email protected]. We’ll get you the help you need.
    image3.png

Before downloading imToken, please make sure you have completed the three steps. 

 

How can I verify the authenticity of an imToken APK file I downloaded?

If you downloaded an imToken APK file through a third-party website or a friend, please check the authenticity of the APK by checking its hash before installing it. 

The SHA-256 of a file is a kind of digital fingerprint which ensures that data is not modified or tampered with.

The simplest way is to get the SHA256 through online tools.

  1. Move the APK file to desktop
  2. Open the website: https://emn178.github.io/online-tools/sha256_checksum.html
  3. Click “Drop File Here” and upload your APK file to get the result
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via [email protected]

 

Mac users

  1. Move the APK file to desktop, and rename it as “check.apk”
  2. Open Terminal (default path: Launchpad - Other - Terminal) and enter cd desktop/
    image5.png
  3. Enter shasum -a 256 check.apk, and press “Enter” to get the SHA256 of the file.
    image2.png
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via [email protected]

Windows users

  1. Move the APK file to desktop, and rename it as “check.apk”
  2. Open the command line tool(press Win and R, enter CMD, press Enter) and enter cd desktop/, press Enter
    image4.png

  3. Enter certUtil -hashfile check.apk SHA256, and press “Enter” to get the SHA256 of the file.
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via [email protected]

APK from our official website

Version

SHA256

2.15.7.6870

5525cd287958795302565036465f70ab88b42617dbc8f043d6097b27f2782ae4

2.15.6.6795

a19279bfda5c316eedc1d4408785bd8d10583f9b72299893603386421f068ec9

2.15.5.6538

4a8d97fd1b40d3628115e23281d5431312c67258b0e2adcc572b186735af6cf8

2.15.4.6483

a9a3d16c4646aabde3e38a2c84dd1d49153b17fcb746f26e9cef20b2fb19f650

2.15.3.6229

e5574ffba5eec3755998541c61d58f5fdc5ddc2ef32176eb16393e9d6e0b7042

2.15.2.6022

a2107476f7d60fbfcb6eee1f4b3bf4c3c70453aaa20d4655932bd954ada4a3b7

2.15.1.5703

a33a8af6e85195a551fd3831c339c4affc0098705cb70de59927ba4719225c52

2.15.0.5658

7e9d2e0cdb13c07401d41a6fa5ed6aebcfee5e596700bf8186c76e0290d57687

2.14.1.4651

9fa7d0a22ee91318a212539c5a9bb28d1d349732a6090b3d9860063459ce1ab5

2.14.0.4428

7690c38a672cc9399c7721efb4f5bb857395dd552622cbdb53c258b6b04ef366

2.13.5.4077

ba7277900e56f6ca673d9493d0b1cf8bfedd1e1bb3f40c66acd3f16d023cbc0c

2.13.4.3990

a18c41b4fb423daf14b0cbb8b604576daeeec1a2f07fc716841fbdc64c7a8ca3

2.13.3.3948

5d84c6c497dc855c0413e81155473dde326cd2546555f34cc8b1698b4ea07c26

2.13.2.3736

4b021d832b3d9364a20bcac3907fd0baf908822737a09f635088c2a007e88fd1

2.13.1.3722

003d312f2d5949296ef8010900c7f5c7c6594d4a82f074cbd4a4d5ef07cbfc88

2.13.0.3667

6bbe481a3d09d67a72cef657047471c81c5a16513345657103d4d49eeeac80b3

2.12.2.3289

a6fabf3becf2a83b40315f337fbe28b01e17937a21af800a6a42cd738b45f031

2.12.2.3227

0ba2f40d0c76f4ae535a7bcca9664b7949b55041179f32a19ca56809fb488952

2.12.1.2978

70d2d94a4364625dd5b5cde169293c0386ad7a11cbc25e38095bfd223d7c7635

2.12.0.2777

33eb1f986b326fa6042a6c23bc38cf34b5ee3a61a9bbff75771cffde242e2663

2.11.3.2534

9229008833123372018989ac89625b93b6208d9128ea81af0fd80fdbeac76d6a

2.11.3.2478

021bf09612455068a4951a932b3d8b993bba28a48b78d1f37d85fc49b937c67e

2.11.2.2195

4b65805f05790afc081e6841adb228a61e4c1badcaab2d3d791358d268e9a81e

2.11.1.2067

f6df695289ffa05201627d1d480880e72815fc5e34c9e585ef19174eacf1a31b

2.11.0.1953

894da7618e5fabab3065e847ea427bda30a8f5c7ecdabb8648e59b4ce335f0f1

2.10.4.1787

f26b89d234cae59ef64e9d7ddfa9a6cb3e87670117c7c929dab5ff8c7e622898

2.10.3.1734

b2b7059f8bd875864b5b4c5d563f65d610076c794b06e63933420574eadf4e47

2.10.2.1693

847eb56c17064a467f8bb14b435d2cd9f503deae75d4e49014831e8ad9934a8a

2.10.1.1678

9450b72b4feb8f45bc045b5bf93324668c47c09e85adf322c188742bade34a3f

2.10.0.1675

e50f53ce55198ab37eeff760aecc8c739373d40b917dc51a027c79e4918ead3c

2.9.11.1578

caeb05714efab1e0ca95289b4a63950efc3ca61920710f7d79f1ed6633ee21f8

2.9.10.1539

3647beaed797f927fd030ef20ed6dc2c86b6591b4320166346caab0f8206f376

2.9.9.1514

6bd13c0ba674049aedba062a56cc72c8f4e4d578a10fb051d38c7d804c16d656

2.9.8.1471

bacb7cff0f38ef68803c1ce16c04b51a2f2b3066d12f59847f652cfef37f1b45

2.9.7.1413

cb11455f40758a0f8b4be9f1f06c290bf1f80b3129613b342925f6ff14da139f

2.9.6.1387

b98d21b5a5955983dff49b3cbc5d37a05450cf8201c554c7f7d51df4e8b3b9df

2.9.5.1370

55325d89fdbb29695a5964c006b78b74cb05bef5bf4dd2ad25f935328826fb13

2.9.4.1335

88392aa940b326b5e920b44d18152e26b84be635edba908e58a87ce7f0bca541

2.9.3.1293

9eda05d46d7e595c7ef6c67dd3ba3bf60e6cf6d37f1ee5459a6a32384c488f5c

2.9.2.1270

f1876987f35a2ecac7f579793df5823f28ff7f5c4e0835e30b0c35bdeed0f89a

2.9.1.1257

ea248e1503101a3f35bde8a5fc546e73c613dd08c0de367b5f4c1397cd8305a7

App Store and Google Play

If you download imToken from Apple App Store or Google Play, please confirm that the developer of imToken is IMTOKEN PTE.LTD., and all others are fake Apps.

image5.png