Responding to my own request, looks like someone already uploaded the previous Chase app version 2.1 here, at 4shared.com. I was able to deposit a check on the first try after rolling back to this version; no camera focus problem.
For those who are as paranoid as I am, you can verify that it positively came from Chase as follows. Assumes you have a recent JDK installed, as .apk files are actually jar files. (For those who can't or don't care to go through this process, at least verify that the MD5 sum of the .apk file is the same as the one I've authenticated, in case someone swaps out the version I've pointed to with a trojan. That would be very bad....)
Code:
% md5sum com.chase.sig.android.apk
9a6298ef5664ffd21c17236692dcd538 *com.chase.sig.android.apk
Verify the digital signature of the .apk file in question. Note that the status of all files except those in META-INF is "sm" (signed, and included in manifest).
Code:
% jarsigner.exe -verify -verbose -certs com.chase.sig.android.apk
Now extract the signature file from com.chase.sig.android.apk and note all the signing certificate details, including fingerprints.
Code:
% jar xvf com.chase.sig.android.apk META-INF/JPMC.RSA
% keytool -printcert -file META-INF/JPMC.RSA
It's self-signed, so you can't rely on a Certificate Authority like Verisign to prove where it really came from. But you can compare its fingerprints to those of the certificate extracted from a known-authentic copy of the latest app downloaded from Android Market. So grab a copy of that now, and repeat the last 2 commands on that .apk and its JPMC.RSA file. Visually compare the certificate fingerprints, and verify that they are identical between the two signature files. If they match, you have proof that the same key signed both the new (known-authentic) and downloaded (unknown authenticity) app, so the latter can be trusted.
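The fingerprint comparison described in the post above can be scripted instead of checked by eye; this is an added example, not part of the original post, and it only compares certificates, so `jarsigner -verify` is still needed to confirm each signature is valid. The function names are hypothetical, `fake_apk` builds constructed sample data, and the code assumes a DER-encoded JAR signature block whose first certificate is the signer's, as with the single self-signed certificate described here.

```python
import hashlib, io, zipfile

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signer_cert_der(p7):
    """Return the DER of the first certificate in a PKCS#7 SignedData block."""
    _, start, _ = read_tlv(p7, 0)           # ContentInfo SEQUENCE
    _, _, oid_end = read_tlv(p7, start)     # contentType OID
    _, start, _ = read_tlv(p7, oid_end)     # [0] EXPLICIT wrapper
    _, pos, end = read_tlv(p7, start)       # SignedData SEQUENCE
    while pos < end:
        tag, vstart, vend = read_tlv(p7, pos)
        if tag == 0xA0:                     # certificates [0]
            _, _, cert_end = read_tlv(p7, vstart)
            return p7[vstart:cert_end]
        pos = vend
    raise ValueError("no certificate in signature block")

def apk_cert_fingerprints(apk):             # SHA-256 of the cert in each signature block
    with zipfile.ZipFile(apk) as z:
        blocks = [n for n in z.namelist() if n.upper().startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return {n: hashlib.sha256(signer_cert_der(z.read(n))).hexdigest() for n in blocks}

def same_signer(apk_a, apk_b):
    a, b = (set(apk_cert_fingerprints(x).values()) for x in (apk_a, apk_b))
    return bool(a) and a == b               # an APK with no signature block never matches

def der(tag, body):                         # short-form TLV encoder, constructed sample only
    return bytes([tag, len(body)]) + body

def fake_apk(cert_body, sig):               # constructed stand-in for an APK, not a real one
    oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07"   # PKCS#7 OID minus its last byte
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid + b"\x01")
                 + der(0xA0, der(0x30, cert_body)) + der(0x31, der(0x30, sig)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/JPMC.RSA", der(0x30, oid + b"\x02" + der(0xA0, signed)))
    return buf
```

`same_signer` accepts file paths as well as in-memory files, so it can be called with the downloaded .apk and the known-authentic one.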