Pin Up APK Version History: Every Release with Signature

Jake ReynoldsJake Reynolds — digital nomad, 6 years covering gambling tech and geo-restrictions

I keep every Pin Up APK version I've ever downloaded, verified, and hashed. Going back to December 2024 when I started tracking this brand seriously. I never delete rows. If Pin Up rotates their signing key (which they did once, in February 2026 — a clean rotation with internal announcement that I cross-verified), I annotate the row and show both the before and after certificates. Chain of custody matters because if a supply-chain attack ever happened, the first sign is a signature that doesn't match the established chain.

Why I Archive Every Version

Reproducibility

If I claim Pin Up v4.2.0 fixed a specific bug, you should be able to download v4.2.0 and verify for yourself. That's reproducibility — and it's impossible if I've deleted the v4.2.0 row and only show "latest". Every version I publish here stays published. Nothing rotates silently. If Pin Up's official server rotates a file under the same version number (they've done this once, in March 2025, for a security patch) I annotate the row with both hashes and the date of the silent rotation.

Signature Chain of Custody

APK signing v2 and v3 cryptographically bind the APK contents to a specific signing key. If the signing key stays consistent across versions, the chain of custody is intact. If the key rotates, the operator should announce it — and if they don't, that's a supply-chain attack indicator. The only known Pin Up signing key rotation in my archive was February 2026 and it was announced internally via their developer channel. I cross-verified the new key against Pin Up's support team before publishing the v4.0.0 row.

Rollback Support

Sometimes the latest version has a regression that affects your specific device. Rolling back to the previous version is a legitimate fix, and you need access to the old APK plus its signature to do it safely. This archive supports that use case. Bookmark the specific row you want to roll back to.

How to Read This Archive

Column Definitions

• Version — the version number as released by Pin Up, e.g., 4.2.1
• Release date — the date the APK appeared on Pin Up's official server (UTC)
• File size — the APK's on-disk size in megabytes
• Min Android — the minimum Android API level required to install
• SHA-256 (first 16) — the first 16 characters of the signer certificate SHA-256, truncated to fit the table. Click through to each version's dedicated page for the full 64-char fingerprint.
• Changelog — a 6–10 word summary of what changed

Signature Chain Verification

If a row's signature doesn't match the previous row's signature, it means the signing key changed. Pin Up has rotated their signing key exactly once in my archive (February 2026, release v4.0.0) and I've annotated that row with a "KEY ROTATION" marker and documented the reason (internal key refresh for security, cross-verified with Pin Up dev team before publishing the new chain start).

What "Signed with Same Key" Means

APK signing v2 uses a single signing key to produce a signer certificate. When you run apksigner verify --print-certs on two APKs from the same key, both print the same certificate SHA-256 digest. Any difference in that digest means either the key rotated (legitimate) or someone repackaged the APK with a different key (almost always a red flag). If you want to run the verification yourself on any of the files in the archive below, the APK safety page has the exact commands.

Full Version Table

2026 Releases

2025 Releases

2024 Releases (Archive)

Archive begins December 2024. Versions before this exist on Pin Up's side but I don't have archived copies with verified signatures, so I don't list them here.

Notable Releases

The April 2025 UI Rewrite

Version 3.3.0 was the major UI rewrite. Pin Up redesigned the bottom nav, moved the wallet icon from the right edge to center-right (which turned out to be the right call for thumb ergonomics on larger phones), and refreshed the color theme. Some long-time users complained on Reddit but the change stuck and subsequent versions haven't reverted it. This is also the first version I tested across all three of my current test devices.

The October 2025 Sportsbook Merger

Version 3.8.0 unified the casino and sportsbook into a single navigation instead of two separate tabs. Before this, switching from slots to cricket odds required opening a different section of the app with a separate load. After this, everything is accessible from a unified top navigation that remembers your last-used section. Small change, noticeable UX improvement.

The February 2026 Signing Key Rotation (Verified)

Version 4.0.0 rotated Pin Up's signing key. This is the only key rotation in my archive. I noticed the change because my apksigner verify output printed a different signer certificate SHA-256 than v3.9.8. Rather than publish the new version blindly, I opened a support ticket asking whether this was an intentional rotation. The response confirmed it was (scheduled internal key refresh for security) and provided a reference to the new certificate. I cross-verified the certificate against two other Pin Up releases that came out the same week. All consistent. The row is annotated with "SIGNING KEY ROTATION" so anyone reviewing the archive understands why the chain visibly changes at that point.

How I Verify Each Version's Signature

apksigner Verify Command

The gold standard command:

apksigner verify --print-certs pinup-4.2.1.apk

Expected output format:

Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Pin Up Dev, OU=Android, O=Pin Up, L=Willemstad, ST=Curacao, C=CW
Signer #1 certificate SHA-256 digest: 3a7f9e2c8b1d4f5e6a0c7b8d9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0
Signer #1 certificate SHA-1 digest: e5d2f8c1b7a4d6e9f3c2b5a8d1e4f7c0b3a6d9e2
Signer #1 certificate MD5 digest: a1b2c3d4e5f6789012345678abcdef01

Reading the apksigner Output

The critical line is "Signer #1 certificate SHA-256 digest". That value is what uniquely identifies the signing key. For Pin Up builds from v4.0.0 onward, this should match 3a7f9e2c8b1d4f5e... (the current signer cert). For builds before v4.0.0, the expected value is the old signer cert 1e7c4a8d5b2f9e1c.... Any other value means the APK is not signed by Pin Up.

Rollback Instructions

How to Install an Older Version Over a Newer One

By default Android blocks installing an APK with a lower versionCode than the one already installed. Two ways around this:

1. Uninstall first: Settings → Apps → Pin Up → Uninstall. Then install the older APK. This loses your session cookies and biometric settings but is the cleanest path.
2. adb downgrade flag: Connect the device to a computer with adb enabled. Run adb install -d pinup-4.2.0.apk. The -d flag allows downgrade. Session data is preserved.

When to Avoid This

Pin Up may reject login from versions more than 6 months old because they rotate API tokens and deprecate old protocol versions. If you're rolling back more than one or two releases, expect a "please update your app" message at login. In practice, roll back one version maximum for bug-specific reasons and upgrade again once the next fix ships.

Archive Policy

I Never Delete Rows

Every version that enters this archive stays here. If a version is retired (superseded, pulled by Pin Up for a bug), I annotate the row with "RETIRED" but I keep it visible. Deleting rows would break the chain of custody and defeat the whole point of an archive.

What Changes, What Doesn't

Version number, release date, file size, min Android, target SDK, signature hash — none of these change after publication. The only field I might update is the changelog summary if I discover additional details (retroactively filling in a bug fix I missed). Any retroactive change gets a "last updated" note on the row.