imToken on Security: How to Tell if a Website or an App is Fake?

You might have read our recent series on crypto scams — for example part 3 on fake apps:

imToken Wallet Website | Wallet security letter #3: Crypto wallet scams: Fake Apps, texts and…

Today our security team prepared a tutorial on how to spot fake websites and apps.

Read on to learn more.

Stay safe in app stores

When downloading an app like imToken, you might go to the Google Play Store or Apple App Store. When visiting one of those two app store, simple tips can help you to stay safe:

1. Search for the app name and be careful if you find multiple apps, because usually only one is real and fake apps try to look similar to real ones
2. An app with many reviews and downloads is less likely to be fake, because fake apps will be taken offline before getting many downloads

If you don’t download from the two big app stores, be careful, because smaller app stores are — generally speaking — less safe. Why? Because in our security team’s experience, they are less strict in taking down fake apps.

If you don’t download from app stores at all, you might use an official website — such as imToken’s https://token.im/ . In this case, here are our recommendations:

Three steps to tell if a website is real and safe

1. Make sure that the domain name you entered in the browser is: https://token.im/
   Note: Be sure to use HTTPS instead of HTTP.
2. Make sure there is a security icon such as 🔒 or 🛡 in front of the domain name.

3. Click the security icon, the website is real and safe if the pop-up shows “Connection is secure”. Otherwise, the website is fake and you can contact us via support@token.im. We’ll get you the help you need.

Before downloading imToken, please make sure you have completed the three steps.

How can I verify the authenticity of an imToken APK file I downloaded?

If you downloaded an imToken APK file through a third-party website or a friend, please check the authenticity of the APK by checking its hash before installing it.

The SHA-256 of a file is a kind of digital fingerprint which ensures that data is not modified or tampered with.

The simplest way is to get the SHA256 through online tools:

1. Move the APK file to desktop
2. Open the website: https://emn178.github.io/online-tools/sha256_checksum.html
3. Click “Drop File Here” and upload your APK file to get the result
4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.

Using the online tool to check the integrity of a downloaded file

If you encounter any problems during the process, please feel free to contact us via support@token.im

Verify apps as a Mac users

1. Move the APK file to desktop
2. Open Terminal (default path: Launchpad — Other — Terminal) and enter cd desktop/

3. Enter shasum -a 256 + the name of the file, and press “Enter” to get the SHA256 of the file.

4. Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.

If you encounter any problems during the process, please feel free to contact us via support@token.im

Verify apps as a Windows users

1. Move the APK file to desktop
2. Open the command line tool(press Win and R, enter CMD, press Enter) and enter cd desktop/, press Enter

3. Enter certUtil -hashfile + the name of the file + SHA256, and press “Enter” to get the SHA256 of the file.

Compare the SHA256 of the APK file with that of different versions of imToken listed in the table below. If the result is identical to the SHA256 in the table, it can be said that your APK file is original and safe.

If you encounter any problems during the process, please feel free to contact us via support@token.im

Version: 2.9.5.1370
SHA256: 55325d89fdbb29695a5964c006b78b74cb05bef5bf4dd2ad25f935328826fb13

Version: 2.9.4.1335
SHA256: 88392aa940b326b5e920b44d18152e26b84be635edba908e58a87ce7f0bca541

Version: 2.9.3.1293
SHA256: 9eda05d46d7e595c7ef6c67dd3ba3bf60e6cf6d37f1ee5459a6a32384c488f5c

Version: 2.9.2.1270
SHA256: f1876987f35a2ecac7f579793df5823f28ff7f5c4e0835e30b0c35bdeed0f89a

Version: 2.9.1.1257
SHA256: ea248e1503101a3f35bde8a5fc546e73c613dd08c0de367b5f4c1397cd8305a7

Download imToken: Google Play | Apple App Store
And follow us: Twitter | Support | token.im