
You might have read our recent series on crypto scams, for example part 3 on fake apps.

Today our security team prepared a tutorial on how to spot fake websites and apps. Read on to learn more.

 

Stay safe in app stores

When downloading an app like imToken, you might go to the Google Play Store or Apple App Store. When visiting one of those two app stores, simple tips can help you stay safe:

  1. Search for the app name and be careful if you find multiple apps, because usually only one is real and fake apps try to look similar to real ones
  2. An app with many reviews and downloads is less likely to be fake, because fake apps will be taken offline before getting many downloads

If you don’t download from the two big app stores, be careful, because smaller app stores are - generally speaking - less safe. Why? Because in our security team’s experience, they are less strict in taking down fake apps.

If you don’t download from app stores at all, you might use an official website, such as imToken’s https://token.im/. In this case, here are our recommendations:

 

Three steps to tell if a website is real and safe

  1. Make sure that the domain name you entered in the browser is: https://token.im/
    Note: Be sure to use HTTPS instead of HTTP.
  2. Make sure there is a security icon such as 🔒 or 🛡 in front of the domain name.
  3. Click the security icon. The website is real and safe if the pop-up shows “Connection is secure”. Otherwise, the website is fake and you can contact us via support@token.im. We’ll get you the help you need.

Before downloading imToken, please make sure you have completed the three steps. 

 

How can I verify the authenticity of an imToken APK file I downloaded?

If you downloaded an imToken APK file through a third-party website or a friend, please check the authenticity of the APK by checking its hash before installing it. 

The SHA-256 of a file is a kind of digital fingerprint: if the file is modified or tampered with, its SHA-256 changes, so comparing it with the published value shows whether the data is unchanged.

The simplest way is to get the SHA256 through online tools.

  1. Move the APK file to the desktop
  2. Open the website: https://emn178.github.io/online-tools/sha256_checksum.html
  3. Click “Drop File Here” and upload your APK file to get the result
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via support@token.im

 

Mac users

  1. Move the APK file to the desktop
  2. Open Terminal (default path: Launchpad - Other - Terminal) and enter cd desktop/
  3. Enter shasum -a 256 + the name of the file, and press “Enter” to get the SHA256 of the file.
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via support@token.im

Windows users

  1. Move the APK file to the desktop
  2. Open the command line tool (press Win and R, enter CMD, press Enter), then enter cd desktop/ and press Enter
  3. Enter certUtil -hashfile + the name of the file + SHA256, and press “Enter” to get the SHA256 of the file.
  4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.
    If you encounter any problems during the process, please feel free to contact us via support@token.im
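The comparison in step 4 can also be done by a script instead of by eye. The following is an added example, not imToken's own code: it hashes the file locally, so nothing is uploaded, and requires a full 64-character match against every hash you copied from the official table. The function names, the version labels and the sample file in the demo are constructed for illustration; the real hashes come only from the official table.

```python
import hashlib
import hmac
import os
import re
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large APK is never loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(value):
    """Accept upper/lower case and stray spaces, but only a complete digest."""
    cleaned = re.sub(r"\s", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        # A truncated or mistyped hash must never count as a match.
        raise ValueError(f"not a full SHA-256 hex digest: {value!r}")
    return cleaned


def match_published(path, published):
    """Return the version label whose published hash equals the file's, else None.

    `published` maps a version label to the hash copied from the official table.
    """
    table = {version: normalize(h) for version, h in published.items()}
    actual = sha256_file(path)
    for version, expected in table.items():
        if hmac.compare_digest(actual, expected):
            return version
    return None


if __name__ == "__main__":
    # Constructed demo: a 3-byte file stands in for the APK, and the table
    # below is sample data, not real imToken hashes.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".apk") as tmp:
        tmp.write(b"abc")
    sample_table = {
        "sample-1.0": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
        "sample-2.0": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    version = match_published(tmp.name, sample_table)
    print(f"matches {version}" if version else "NO MATCH: do not install")
    os.unlink(tmp.name)
```

If no version matches, treat the APK as untrusted and do not install it.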
