Unverified download sources are the greatest security risk for cryptocurrency APPs. Once a fake version is installed, your account password and 2FA information could be stolen. Verification starts from the official download link on the Binance official website, and the download should be completed from there. For iOS certificate verification, refer to the iOS installation tutorial. There are 4 critical dimensions for determining whether a build is the official version: signature certificate, package size, permission list, and icon & Bundle ID.
1. Four Dimensions to Distinguish the Official Version
Step 1: Check the Signature Certificate
The signature entity for the Android APK should be Binance Holdings Limited (some older versions might be Binance Operations Limited). The developer Team ID for the iOS version is GN7MM956V6, and the Bundle ID is com.czzarc.seaplane. Anything that doesn't match these two values is definitely a fake version.
Step 2: Check the Package Size
The latest official Android APK is approximately 96MB ± 2MB, and the iOS IPA is approximately 148MB ± 3MB. If the downloaded installation package is smaller than 50MB or larger than 200MB, it is almost 100% a fake or repackaged version.
Step 3: Check the Permission Request List
The official APP only requests necessary permissions: storage, camera (for scanning codes & KYC), network, notifications, and biometrics. If you find requests for irrelevant permissions such as contacts, call logs, SMS reading, precise location, or accelerometer, uninstall it immediately.
Step 4: Check the Icon and UI
The official Binance icon is a golden diamond-shaped letter B on a dark or white background. Fake versions often use similar but slightly crooked icons, with a color deviation of more than 10%. Even an application whose fonts, spacing, and animation styles are almost identical to the official version may still be a shell application, so appearance alone cannot rule that out.
2. Specific Methods for Checking Signature Certificates
Checking signature on Android: Before installing the APK, long-press the APK file in the file manager → Properties → Certificate to see the name of the issuing authority. Alternatively, use the apksigner verify --print-certs command to view the full certificate chain. The SHA-256 fingerprint of the official signature is fixed and has been published in the official FAQ.
Checking signature on iOS: Go to Settings → General → VPN & Device Management to view the developer name of the enterprise-level App. The official signature is not visible in the App Store version (signed by Apple); it shows as Binance Holdings in TestFlight, and the corresponding signing entity is displayed for the enterprise version.
Checking signature on Desktop: On Windows, right-click the EXE → Properties → Digital Signatures. The signature entity should be Binance Holdings Limited. On macOS, use codesign -dvv /Applications/Binance.app to view the developer ID.
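The Android check above can be scripted. The following is an added example, not code from the original page or from Binance: it reads the output of apksigner verify --print-certs and compares the signer against pinned values. It assumes the classic "Signer #N" line format; PINNED_SHA256 is a placeholder for the fingerprint the official FAQ publishes, and the sample output and SAMPLE_FP are constructed.

```shell
#!/bin/sh
# Added example: pin the APK signer by certificate fingerprint.
# PINNED_SHA256 is a placeholder for the value published in the official FAQ;
# SAMPLE_FP and sample_output are constructed test data.
PINNED_SHA256='<sha256-fingerprint-from-official-faq>'
SAMPLE_FP='abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789'

sample_output() {  # constructed, in the "Signer #N" format apksigner prints
  cat <<EOF
Signer #1 certificate DN: CN=Example, O=Binance Holdings Limited
Signer #1 certificate SHA-256 digest: $SAMPLE_FP
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
EOF
}

# Usage: apksigner verify --print-certs app.apk | check_signer [pinned_sha256]
# Returns 0 only for exactly one signer whose DN names an expected entity
# and whose SHA-256 digest equals the pinned fingerprint.
check_signer() {
  local pinned out count fp
  pinned=$(printf '%s' "${1:-$PINNED_SHA256}" | tr 'A-F' 'a-f')
  out=$(cat)
  count=$(printf '%s\n' "$out" | grep -c '^Signer #[0-9]* certificate DN:' || true)
  if [ "$count" -ne 1 ]; then
    echo "FAIL: expected exactly 1 signer, found $count"; return 1
  fi
  # Both entity names the page lists are accepted.
  if ! printf '%s\n' "$out" | grep '^Signer #1 certificate DN:' \
      | grep -Eq 'O=Binance (Holdings|Operations) Limited(,|$)'; then
    echo "FAIL: signer organization mismatch"; return 1
  fi
  # The DN is self-asserted by whoever created the certificate, so the
  # fingerprint comparison below is the check that actually decides.
  fp=$(printf '%s\n' "$out" \
    | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f')
  if [ -z "$fp" ] || [ "$fp" != "$pinned" ]; then
    echo "FAIL: certificate fingerprint mismatch"; return 1
  fi
  echo "OK: signer matches pinned certificate"
}

sample_output | check_signer "$SAMPLE_FP"   # constructed input, prints OK
```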
3. Comparison Table of Four Key Features
| Dimension | Official Version Value | Common Features of Fake Versions | Risk Level |
|---|---|---|---|
| Android Signature | Binance Holdings Limited | Random or no signature | Extremely High |
| iOS Bundle ID | com.czzarc.seaplane | Similar name (more or fewer chars) | Extremely High |
| APK Size | 96MB | 20-40MB or 150MB+ | High |
| IPA Size | 148MB | 50-80MB or 200MB+ | High |
| Permission List | Approx. 8-10 necessary permissions | Requesting contacts/SMS | Extremely High |
| Developer Team ID | GN7MM956V6 | Any other ID | Extremely High |
| Icon Color Value | #F0B90B Golden Yellow | Color deviation ±10% | Medium |
| Website Link | Ends with binance.com | Suffixes like -dl / -app | High |
4. Typical Forgery Methods and Prevention
Method A: Phishing Website Disguised as Official Website
Searching for "Binance download" may lead to sites like binance-dl.xxx or binance-app.xxx. Their URLs have more than 80% similarity to the official website, but the signature certificate is fake. Prevention: Only trust the green lock icon in the browser address bar together with an address that exactly matches binance.com.
Method B: Repackaging by Third-Party App Stores
Some third-party stores download the official APK, embed advertising SDKs or spyware code, and then re-sign it. The package size is usually 5-15MB more than the official one. Prevention: Only download from Google Play, the Binance official website, or pre-installed system app stores.
Method C: Inducing Download via Social Media
More than 80% of the "Latest Binance Version" links shared in Telegram or Discord groups are phishing links. A common tactic is to claim that "official channels are slow, this version is faster." Ignore any download link passed along through chat tools.
Method D: Impersonating Customer Service to Induce Installation
Fake customer service asks users to "verify identity and re-download the APP" via email or SMS, providing links to fake sites. Real Binance customer service will not proactively ask you to re-download the APP.
Method E: Keyword SEO Hijacking
The first few search engine results may be paid advertisement slots, and criminal groups buy these ads to direct traffic to fake websites. It is recommended to skip the ad slots and click directly on results marked as "Official Website" or with clear sources.
5. 5-Step Verification Process After Downloading
Step A: Check the Website Address
Confirm that the browser address is binance.com (or its compliant domain variants like binance.us, binance.com.br) and has an HTTPS lock symbol.
Step B: Check SHA256 Before Downloading
The official "Download" page publishes the SHA256 value for each version. After downloading, use system tools (certutil on Windows, shasum on macOS) to calculate the file checksum and compare it with the published value.
Step C: Review Permission List Before Installing
Android installation lists all permissions requested by the APP. Go through them carefully and terminate the installation immediately if there are suspicious items.
Step D: Check UI on First Startup
The startup animation of the official APP lasts 1.5 seconds before entering the login page. Be vigilant if there are extra pop-ups, ads, or requests for contact permissions at startup.
Step E: Check Domain After Logging In
During the formal login process, all API requests are directed to api.binance.com or api.binance.us. If the APP connects to an unfamiliar domain (this can only be seen with a packet capture tool), uninstall it immediately and reset your account password and 2FA.
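Steps A and B, together with the size bounds from section 1, can be scripted as follows. This is an added example, not code from the original page or from Binance; the function names are illustrative, the domain list is the one Step A names, and the published SHA256 must be supplied by the user from the official download page.

```shell
#!/bin/sh
# Added example for Steps A and B; function names are illustrative.
OFFICIAL_DOMAINS='binance.com binance.us binance.com.br'   # domains named in Step A

# Step A: accept a host only if it equals an official domain or is a
# subdomain of one. Matching on ".domain" rather than on a bare suffix
# rejects hosts that merely end in the same letters.
is_official_host() {
  local host d
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for d in $OFFICIAL_DOMAINS; do
    case "$host" in
      "$d"|*".$d") return 0 ;;
    esac
  done
  return 1
}

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step B plus the size bounds from section 1 (under 50MB or over 200MB is
# suspect). Usage: verify_download FILE PUBLISHED_SHA256 [MIN_BYTES MAX_BYTES]
verify_download() {
  local file want min max size got
  file=$1
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  min=${3:-52428800}; max=${4:-209715200}
  [ -f "$file" ] || { echo "FAIL: no such file"; return 1; }
  size=$(wc -c < "$file" | tr -d ' ')
  if [ "$size" -lt "$min" ] || [ "$size" -gt "$max" ]; then
    echo "FAIL: size $size bytes outside $min-$max"; return 1
  fi
  got=$(sha256_of "$file")
  if [ "$got" != "$want" ]; then
    echo "FAIL: SHA256 mismatch (got $got)"; return 1
  fi
  echo "OK: $file matches published SHA256"
}
```

On Windows the equivalent hash comes from certutil -hashfile FILE SHA256.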
6. FAQ
Q: I accidentally installed a fake version and entered my password. What should I do?
A: Immediately log in to the official web version using another trusted device: 1) Change your login password; 2) Disable all old API keys; 3) Reset 2FA; 4) Check fund transfer records. The faster the emergency handling is completed (within 10 minutes), the better.
Q: Is the iOS Enterprise Signature version really safe?
A: It depends on the signature source. Official signature sources (enterprise signatures from official website links) are safe and have the same functionality as the App Store version; however, if installed through a third-party signature distribution platform, there is a risk of tampering. Stick to download links from the binance.com domain.
Q: The icon or startup screen changed after an update. Is it a fake version?
A: Not necessarily. The official APP also receives UI revisions, such as a changed startup screen or adjusted icon color scheme during major version updates. Determining whether it is an official version should be based on signature, package size, and permissions, not just appearance.
Q: How can I report phishing links in one go?
A: Binance has an Anti-Phishing Report entrance in the "Help Center". After a fake website link is submitted, the official team will coordinate with regulatory departments to take it down. App stores from Google and Apple also have built-in "Report Fake App" buttons for parallel reporting.
Q: Elderly people at home are prone to downloading the wrong version. Are there any protection methods?
A: It is recommended that the elderly use the iOS App Store version (strict review) and turn on Screen Time restrictions to prohibit the installation of non-App Store applications. Android users should turn off "Install from Unknown Sources" in system settings so that they can only install through official stores, which basically eliminates the risk of fake versions.