Looking to improved the security of my Android app to flag if the .apk has been extracted, modified, repacked and resigned. Here's article from Zdnet noting the issue link1.

The concern is if the app is targeted by hackers they could add malicious code and upload to an alternate app store and dupe users in to downloading it.

So I'm thinking code to verify a checksum of the apk or signing certificate?

I appreciate the app code could be repacked and any security code removed, but it does increase the difficulty of repacking it, maybe enough for them to try another app.

[update]I know the Google Play store licensing module offers something similar but I'm looking for something for non paid apps and other/non marketplaces.

I ended up using Dexgaurd (paid obfuscator for Android) offers a module that preforms apk verification. Mainly as simple to implement and offers better the average protection.

Here's the code to do the check:

dexguard.util.TamperDetection.checkApk(context)

The main issue is where to store the checksum of the apk to verify against given that it could to be replaced. The dexguard way is to check it locally but using other features like class/string encryption and api hiding obscure this call.

Here are some of the articles that could help you out.

Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.

Use the Google licensing service It will connect with the play store to make sure the user purchased the app every few days. (you can set the amount) Also loook at ProGuard. It strips all the class, method, and variable names out of your code making it really hard to understand once its decompiled.