APKTag solves this with . It doesn't just store the signature hash; it computes the signature_block_hash (the hash of the entire signing block). Two APKs with different package names but the same signature block hash are 100% signed by the same developer key.

And start searching: apktag search --db android_archive.db --tag "missing_certificate" APKTag won't replace jadx or Ghidra. But if you have ever wasted thirty minutes searching for an APK you know you reversed last month, it will save your sanity. In the chaotic world of Android binaries, it finally offers a card catalog.

Or grab the prebuilt binaries for Linux, macOS, and Windows from the GitHub releases page .

You can run:

The Android reverse engineering community has long solved the problem of decompiling code (thanks, apktool and jadx ). But until recently, no one seriously solved the problem of it.

Imagine a simple watcher script:

apktag find --signer 6c9a...f3e2 And instantly get a timeline of every app that developer has ever touched. Where APKTag shines is automation. Because it is a CLI tool that outputs JSON by default, it fits neatly into malware pipelines.

# Inotify on a "drop_folder" apktag tag --recursive ./incoming --db ~/my_index.db apktag search --db ~/my_index.db --tag "crypto_mining" --format csv You can also use it as a poor man's VirusTotal. Before manually reversing a new APK, run: