Is it true, and is the new Avira AppStore the only app store that's fully secure? Wasn't that Google Play Store, and aren't all other app sources automatically “unsafe”, “contaminated by viruses”, and “full of malware”?
Most Android users only know the Google Play Store as the source for their apps. They might have heard of other places – but if so, usually without any good arguments for or against them. Time to squelch those legends, ambiguities, half-truths, and rumors! This article introduces a small selection of “Android market places”, concentrating on those that have taken appropriate security measures (without covering them all). This much can be revealed in advance: no, Avira is by no means the only app store checking apps for malware.
Google Play Store
Let's start with the most famous candidate: more than a million apps can be found in the Google Play Store, which definitely makes it the most comprehensive source. Quantity doesn't necessarily imply quality – and so you can find “apps the world does not need” in large numbers. But even generously subtracting all those “sexy wallpapers”, “designer watches” (in many cases multiple variants of the same app for wondrous prices, differing only in the background image used), and other apps of questionable benefit[1], this leaves roughly half a million candidates which should at least be “reasonably useful”. A volume competitors have a hard time keeping up with (or even reaching). Add to that that the Playstore app comes pre-installed on most Android devices, and that every developer wants his or her app to be available here first. This gives the place a monopoly position, at least to some extent.
So what about security at Google Play? Being the largest provider bears a certain responsibility, and Google has to take precautions. Details on this can e.g. be found at Wikipedia: appropriately enough, their doorman is called “Bouncer”. In the first half of 2011 alone, it reportedly reduced malware in Google Play by 40% – a number showing it still lets some amount through. The largest market place is of course also the first address for those wanting to spread their malicious apps. Relying on Google alone to take care of security and safety would be pretty naïve.
So even on Google Play, users should keep a close eye on the apps they download. But they can also support Google in making it a “safer place”. The help pages describe, among other things, how to report an inappropriate app. While a single report won't have much effect, you should still do so when encountering a questionable app: if enough users do, action will be taken. Often enough, if the suspicion is confirmed, the app is removed. Until then, it's also a good idea to leave a comment to warn other users.
This kind of “suspension” is, however, not restricted to apps that potentially harm users. The Developer Program Policies describe other kinds of “inappropriate content” as well, e.g. sexually explicit material, gambling, or infringement of intellectual property. And apps also disappear if they collide with the interests of the operator (Google). One example is ad blockers, which were banned collectively in spring 2013. Equally unwelcome are apps to access “other markets”, as they'd take away customers; so you won't find the apps for the stores of Amazon, AndroidPIT, or Samsung, just to name a few, on Google Play.
F-Droid is quite the opposite of the Playstore in several aspects. Currently featuring about 1,200 apps, it's the smallest market place introduced in this article. But it excels in its own way: all its apps use Open Source licenses, so no fees apply. F-Droid Limited, the non-profit organisation behind it, manually curates the main repository and takes care to keep it clean. This goes as far as inspecting the source code of each and every app, and compiling the apps from that source themselves:
F-Droid is a non-profit volunteer project. Although every effort is made to ensure that everything in the repository is safe to install, you use it AT YOUR OWN RISK. Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive though, and there are no guarantees.
Though they admit their inspection is “far from exhaustive”, and point out you use this repository “at your own risk”: with all apps being Open Source, in principle everybody can check and verify. Especially for popular apps, this most likely is done – and as the number of apps available is moreover quite manageable, these “raw checks” are probably more thorough than those on Google Play. For the apps compiled directly from these sources by F-Droid, you can be sure there's nothing else within – as long as you trust F-Droid, of course. For an app to enter this repository, it has to match certain criteria. Checked is, for example, whether it contains ads or tracks the end user.[2]
You may have noted I always used the term “main repository”. This implies there are others. In fact, everybody is invited to open his or her own repository to publish the apps they developed. This is done e.g. by the Guardian Project – known for its activities in the “crypto sector” (Orbot, ChatSecure).
One more difference you might notice is the lack of a “rating system” for apps. Another is the high value placed on privacy: to use the F-Droid repositories, you will not need any account registration or the like. Their structure is rather comparable to the software distribution used with Linux systems (more on this parallel below).
Further details on F-Droid can e.g. be found at Wikipedia.
Structures at Aptoide are based on Open Source as well.[3] As already described for F-Droid, you find multiple repositories here, too – quite a lot, in fact: their number reaches into the hundreds of thousands.[4] Featuring far more than 100,000 apps, it's even closing in on Google's Playstore (a little, at least). And here you also find a “rating system” again.
The name sounds like a mix of “APT”, the software packaging and distribution tool used with Debian-style Linux systems, and “Androide” – which is exactly what it offers: Debian-style APT repositories for Android apps.
And the status of security on this market place? On the net, I found close to nothing about this. So I reached out, and wrote a mail to their support team. It took less than a day to get an answer – from Paulo Trezentos, one of the co-founders himself![5] Following a short, but pretty intense mail exchange (during which Paulo responded to my requests for details, amongst other things), I've summed up the gained knowledge at Stack Exchange[6] – and will now repeat doing so here, in compressed form:
Similar to F-Droid, you can find a manually curated “core repository” at Aptoide (which is where the corresponding app links from the lists at IzzyOnDroid point to). An entire committee of checkers is unleashed against all its repositories: three different malware scanners are run on their .apk files regularly. Furthermore, signatures of packages are cross-checked with those of the corresponding packages available in other places the developer provides his apps (e.g. Google Play). And then there's a “Chain of Trust” established, as you might know it from PGP/GPG (or DNS Security), where developers cross-sign their keys. As even the strongest measures cannot give a 100% guarantee, users can report apps, similar to the Playstore: “Good”, “license needed”, “fake”, “causes freeze”, or “malware”. The package's status is signalled with a “shield”: a green “Trusted” (as shown in the picture to the right) means no discrepancies were found. A yellow “Warning” on the other hand shows there's something “suspicious” – what exactly, you can find out by following the advanced details link (in the picture titled “Show”).[7]
From this I conclude that at least Aptoide's “main repository” (fittingly named “Apps Store”) is as safe as Google's Playstore – maybe even safer; but that's my personal opinion, please make up your own. Of course malware appears every now and then in both. But the (in)famous “Black Markets” which are readily and often mentioned in conjunction with Aptoide are definitely not found in this place that the Aptoide team itself cares for so meticulously.
At Aptoide, everybody can create and maintain his or her own repository. And I'm not talking about developers alone here; this is especially interesting for the average user. They have an app called “Aptoide Backup Apps”, which automatically uploads the apps you install and puts them into your repository. As the name suggests, this is a good backup in case an app becomes unavailable. But it also makes it easier to re-install apps after a factory reset or onto a newly obtained phone, or to use apps on multiple devices if you have such.[8]
Of course there is a multitude of other “market places”. At least two more are linked to from the app lists on this site: AppBrain and AndroidPIT. So why didn't I elaborate on those, or what is the above selection based on?
For both F-Droid and Aptoide, the corresponding “market app” is Open Source, doesn't require an additional, complex “framework”, and neither ships with its own “license service”. If one day you decide to no longer use these stores and uninstall their app, the apps installed from there continue working as before – which does not apply to all other markets.
- AppBrain is just an alternative front-end for the Google Play Store. While it offers several advantages I might introduce in another article one day, it's not a separate market. And to install apps, it relies on the Playstore app again.
- AndroidPIT does run its own market place called “AndroidPIT App Center”. But with very few exceptions, it offers nothing which isn't listed in the Playstore. And since developers have to actively maintain their apps here separately, not even all apps can be obtained from this place. Also, for paid apps bought here, the App Center app includes a specific license service – so they will stop working as soon as you uninstall it (to be fair, this is true for most of the apps obtained from the Playstore, Amazon's App Store, and other places as well).
There are a lot more Android market places, and I cannot even name (let alone introduce) them all. With a few exceptions, they fall into one of the aforementioned categories (not speaking of the “Black Markets”, which I explicitly will not discuss here, for good reasons): they are either alternative front-ends to the Playstore (in the way described for AppBrain) – or, like AndroidPIT and the Amazon App Store, ship with their own license system. If you're interested in learning about them, let me refer you to the following sources:
- Stack Exchange: What are the alternative Android app markets? names several other market places and gives some details on e.g. AppBrain, F-Droid, AndroidPIT, and Aptoide
- Stack Exchange:
- The German Wikipedia has a listing of Google Play Alternatives (DE)
As I'd posted my question on Stack Exchange already a few days before contacting their support, and mentioned a link to it in my mail, Paulo took it upon himself to answer in both places. You can find his “public answer” here: How safe is it to use Aptoide? ↩︎
There's also a third, red shield the “average user” is unlikely to ever encounter: here the discrepancies proved an app to be malware, to infringe copyrights, or the like. Such an app is removed from the repository immediately by the Aptoide team. ↩︎
Bonus point: I already mentioned Aptoide and F-Droid are “close relatives”. Because of that, Aptoide is thinking about enabling its app to access F-Droid repositories as well. A great idea, as this would save us using separate apps to access both. ↩︎