38

As with the latest update to Google Play one no longer sees the full list of permissions requested by an app on install/update [1], I feel my privacy invaded. Even worse, an app could sneak in additional permissions with an update, and without the user knowing [2, 3].

So I'm looking towards alternatives

TL;DR:


I know we've got "What are the alternative Android app markets?", but a) that's more or less a listing of other markets (without giving backgrounds) [4], and b) it's not even mentioning Aptoide.

I don't want another app that has to run in background permanently to "check license validity", so things like the Amazon Appstore or AndroidPIT are out. AppBrain is just another front-end to Google Play – so nice as it is, it doesn't solve the issue, as for app installs and updates it just has to re-direct to Google Play – which I'm rather about to "flee".

I've already checked out F-Droid a few days ago, and feel it fits my needs pretty well (follow the link for details) – but with just about 1.200 apps (as of 6/2014) it leaves too many gaps.

Aptoide on the other hand is said to serve more than 120.000 apps currently. As the name suggests, it uses APT style repositories, which I'm used to from Linux (Debian and derivatives). It even lets you have your own private repo to share apps between devices (or with friends). All apps are offered for free, so no need for a "license server". But how safe is it for the end-user? I've googled (and ducked) for hours, but could not find any source on this. Instead I found a lot of links of the type "get paid apps for free", "black market", and other piracy-oriented stuff – which is definitely not what I'm after. I'm more than open to pay for good apps [5], so "getting them for free" is not the intention behind my question. Like F-Droid, Aptoide has multiple repositories – but I couldn't figure out whether there's a "trust-able" main repository like with F-Droid.

There is related information available in the package description (e.g. this one) indicating safety measures such as malware scan, signature validation, and third-party validation. But as the corresponding web page shows, this information seems to be at least partly relying on user feedback (which could be faked/manipulated), or is not even presented to the user (the package info e.g. names 3 scanners used to check, but I cannot find this info on the web page). While I might be able to look things up via package info, I cannot ask e.g. my 70+ years old parents to do so. On this page, Aptoide also points out how to see results of their security measures, and explicitly states:

Aptoide Anti-Malware platform analyses applications in run-time and disables potential threats across all stores.

(Emphasis mine) – which suggests a malware protection comparable to that of Google Play (how does that go together with those "black market rumors"? Maybe they just don't remove offending apps, but only mark them instead?).

So finally

The question:

Is there a way to safely use Aptoide as source for apps? If so, how? [6] If not, why not?

Bonus points for an "idiot proof" way which could be recommended to less experienced users.


Footnotes

[1] I know it would be possible opening the Google Play Store web page of the app, scrolling through it, and clicking the corresponding link when found – but you can't call that user-friendly, or expect users doing this on every update.
[2] e.g. on first install it requested the "unsuspecting" READ_PHONE_STATE with the usual justification. With an update, it could request CALL_PHONE, PROCESS_OUTGOING_CALLS, and others – and the Play app would not bring that up, as they belong to the "same group".
[3] To figure out "new permissions", one had to compare those of the installed version with those of the present one. Have fun!
[4] I've just edited two answers and added some details on AppBrain and F-Droid to fill those gaps
[5] I've bought a lot of apps on Google Play (or donated to the dev directly), and e.g. F-Droid has donation buttons on each app's page to make this possible
[6] I could imagine that by knowing (and restricting your use to) "safe Aptoide repositories" this could be achieved. But as I wrote, I couldn't figure out which ones to consider "safe". The Aptoide article on Wikipedia suggests there's a "default repo" on install, and more repos need to be added manually; so it might be that sticking to that first one is safe.

  • I think an app store is as safe as your trust for the curators or (in the case of an entirely open app store) the developers who submit apps. IMHO, for Aptoide, I'd put it in the "just as safe as the app devs" category. But that's because I know nothing about the curators' interests here. I would hope that even though they just made it harder to figure out if an app dev is asking for more than s/he was for a previous version, Google has a vested interest in not having malicious apps spread across their ecosystem. Not sure on Aptoide's motives. – ctt Jun 22 '14 at 17:56
  • Thanks for the comments! As for Google Play, I'm not that much concerned for "malicious apps" in the common sense (though several of them slip through Google's control for a while every now and then as well), but rather for "data collectors" and the like (with Google being one of the biggest). And not being sure about Aptoide is the reason I ask this question :) I don't want to replace a problem with another one. And I want to know for sure what I can recommend to others. – Izzy Jun 22 '14 at 18:10
  • Ah crap, I flagged this by mistake guys, my apologies! It was a Stack Overflow question in the other tab. That's my cue to take a break! – RossC Jun 23 '14 at 9:44
  • You left out an important point - does Aptoide even offer an app upgrade process that notifies you of permission changes? Given the obvious decrease in security and safety when using a decentralized and piracy-ridden infrastructure, it should offer some benefits besides just being not Google. If you're worried about sneaky data collection, I'd say you're in more danger when getting apps from a storefront with apps uploaded in bulk and not by the developers (and possibly modified). – ProjectJourneyman Mar 24 '15 at 15:37
  • @ProjectJourneyman Google Play doesn't give such hints on updating (if new permissions are added to "the same group"). With Aptoide, F-Droid, and others being "3rd party markets", they always have to invoke the "local package installer", which shows you all permissions of the app-to-be-updated/installed before you can proceed to install. Though, unfortunately, not a "diff" to the current version. – Izzy Mar 24 '15 at 17:11
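Footnotes [2] and [3] of the question and the last comment above describe the same gap: the installer lists every permission of the new version, but nobody shows you which ones are new compared to the installed version, and additions inside a permission group the app already used are the ones Play would not surface. The following added example (not code from the original post, from Google, or from Aptoide) computes that diff from the text produced by `aapt dump permissions` for the installed and the new APK. The two dump texts and the permission-to-group map are constructed for illustration; the map is deliberately partial and is an assumption that has to be kept in line with the Android release in use.

```python
import re
from typing import Dict, List, Set

# Constructed, partial map of permissions to their install-time groups.
# Assumption for this example only; extend it from the platform's own
# definitions before relying on it.
PERMISSION_GROUPS: Dict[str, str] = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS": "PHONE",
    "android.permission.READ_CALL_LOG": "PHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.INTERNET": "NETWORK",
}

# Accepts both "uses-permission: name='x.y.Z'" and the older bare
# "uses-permission: x.y.Z" line style of aapt.
_PERM_LINE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(dump: str) -> Set[str]:
    """Extract permission names from `aapt dump permissions` style text."""
    perms: Set[str] = set()
    for line in dump.splitlines():
        match = _PERM_LINE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def diff_permissions(old: Set[str], new: Set[str]) -> Dict[str, List[str]]:
    """Return added/removed permissions plus the subset of additions that
    land in a group the old version already used (the ones Play hid)."""
    added = sorted(new - old)
    removed = sorted(old - new)
    old_groups = {PERMISSION_GROUPS.get(p, p) for p in old}
    hidden = [p for p in added if PERMISSION_GROUPS.get(p, p) in old_groups]
    return {"added": added, "removed": removed, "hidden_in_existing_group": hidden}


def diff_dumps(old_dump: str, new_dump: str) -> Dict[str, List[str]]:
    """Convenience wrapper: diff two aapt dump texts directly."""
    return diff_permissions(parse_permissions(old_dump), parse_permissions(new_dump))


# Constructed sample dumps for an installed version and its update.
OLD_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

NEW_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: android.permission.PROCESS_OUTGOING_CALLS
uses-permission: name='android.permission.READ_CONTACTS'
"""

if __name__ == "__main__":
    result = diff_dumps(OLD_DUMP, NEW_DUMP)
    for key, perms in result.items():
        print(f"{key}:")
        for perm in perms:
            print(f"  {perm}")
```

In practice the two dumps come from `aapt dump permissions installed.apk` (the APK pulled from the device) and from the downloaded update; anything listed under `hidden_in_existing_group` is exactly the kind of silent escalation the question worries about.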
24

Thank you for raising these questions. Here is some information about Aptoide that I hope is useful for you and the Stackexchange/Android community:

  1. Malware is something that we take very seriously. Currently, we have 3 different systems to detect malware as they arrive in any Aptoide-powered app store:
    • we run 3 different anti-virus in emulators in run-time
    • we have an in-house system of signatures to detect recurring threats
    • we have implemented a chain of trust based on the signature of the developer
  2. The task of creating a safe environment to the end user is a moving target. We are working with several universities and research centres and in a recent article (not yet published) we compare well with the other app stores. We also proposed a European research project with 2 anti-virus companies and 3 universities / research centres to deal with this topic. There is a lot of work to be done and the feedback of the community is important.
  3. F-Droid is in fact very similar to Aptoide. They are a fork of Aptoide and they maintain all the concepts we developed, like multiple stores. They have a more centralised approach and a central signature, which is of course different from our approach.
  4. At Aptoide we have the "Trusted" stamp. If you see the Trusted stamp in an app, we are 99.99% certain that the app doesn't contain a threat to the end-user.

Best,
Paulo Trezentos (Aptoide co-founder)

  • Thank you very much for your details, Paulo! Though I expected as much, it's good to have these details first-hand. Is there anything to be said about which repositories are considered "safer"/"main" (like the central one in F-Droid – which besides is IMHO the only one using the central signature you mentioned in 3.), to be recommended to the "more cautious user" – or are they all treated similarly? What about those "black markets" Aptoide is related to so often? And is the "trusted" stamp of 4. somehow coded in the XML I've mentioned (to be e.g. auto-detected by a script)? – Izzy Jun 24 '14 at 15:16
  • @all Missing details have been sent to me by mail, parallel to Paulo's post here. Find them summed-up in my answer to What are the alternative Android app markets? – Izzy Jun 25 '14 at 8:28
  • Respect, convinced me – l0Ft Jan 2 '16 at 17:32
  • "Malware is something that we take very seriously" Really? I reported a potential issue via their web-form and after a week nothing happened. See aptoide-how-to-report-potential-abuse-without-becoming-a-member – k3b Jun 3 '16 at 9:49
  • Thanks for answering here. Can you additionally explain why the apks have different certificates than the originals and why folders like "facebook", "airbnb" or "smaato.soma" are injected into the apks even if the original had no connection to these applications? I am talking about "trusted" apps, e.g. WhatsApp. – kaiya Sep 15 '20 at 11:56 
10

After Paulo's answer and some more mail exchanges with him, I already wrote a detailed description in my answer to another question – and also in an article on my own site: Android Markets: How safe are alternative sources?

Following that, I kept a close watch on Aptoide ever since then, and still do – so let me add a few more details (including some points already mentioned before, for context):

  • Aptoide is not a "single area for apps" like Google Play or the Amazon App-Store. It's rather comparable to what Launchpad is for Ubuntu: Everyone and his little sister can open their own repository here, which is presented as a "store" separated from the others. There's a global search (for apps and stores), though.
  • There's only one repository which is "manually curated" by Aptoide itself, called "Apps". Here the Aptoide team decides what apps are entering the repository. Here I …
    • didn't find a single "pirated paid app", be it for money or for free
    • checked the signatures of some apps and found them matching those from Google Play for all I checked
    • don't remember any app without the "trusted" stamp (meaning, the so marked app has been checked for malware with multiple scanners (including Aptoide's own "bouncer"), signatures have been verified to match those of other markets (mostly Google Play), and more – see my already mentioned other answer for details on this)

So my conclusion is that it is in fact pretty safe to use this repository.

However, I've also taken a look at several of the other repositories – where you indeed can find lots of obviously "pirated apps" (paid apps from GPlay "for free" are always a signal for that). At those places, not only was the "trusted" stamp missing often – but instead I frequently found the "untrusted" stamp – which means the app was probably contaminated (details differed; most often I found the signature to be the issue: "it was used elsewhere to sign another developer's package" is 99% sure to indicate a "hack").


Summed up: A general answer cannot be given here (that would be answering the question whether "the Earth" is a safe place to live). How safe it is to use Aptoide pretty much depends on your choice of the repository. One is known to be manually curated and, I dare say, as safe as Google Play, Amazon App Store, and others. A few can be assumed as pretty safe – especially if you know so about their owners, and stick to apps showing the "trusted" shield.

Avoid apps not being assigned the (currently green) "trusted" shield, especially stay well clear of those showing the (currently yellow) "untrusted" shield, best also stick to the Apps repository alone – and Aptoide should be a safe place for you.

I consider the Apps repository safe enough to link it from my app lists – next to F-Droid and Google Play.
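The two signature checks this answer relies on (the signing certificate matching the one used on Google Play, and a certificate that "was used elsewhere to sign another developer's package") can be scripted once you have the certificate fingerprints. The added example below is not code from the answer, from Aptoide or from F-Droid; it assumes you have already collected, per store and package, the SHA-256 certificate digest that `apksigner verify --print-certs` prints, and the listings and digest values it contains are constructed for illustration. A package is marked `trusted` when its certificate matches the reference store, `untrusted` on a mismatch, and `unknown` when the reference store does not carry it; separately, a third-party certificate that signs packages which the reference store shows as signed by different certificates is reported as reused across developers.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Listing(NamedTuple):
    store: str    # repository / store the APK was downloaded from
    package: str  # Android package name
    cert: str     # SHA-256 digest of the signing certificate (constructed values below)


def reference_certs(listings: List[Listing], reference_store: str) -> Dict[str, str]:
    """Map package name to the certificate digest seen in the reference store."""
    return {l.package: l.cert for l in listings if l.store == reference_store}


def classify(listings: List[Listing], reference_store: str = "google-play") -> Dict[Tuple[str, str], str]:
    """Per (store, package): trusted / untrusted / unknown, judged against the reference store."""
    ref = reference_certs(listings, reference_store)
    verdicts: Dict[Tuple[str, str], str] = {}
    for l in listings:
        if l.store == reference_store:
            continue
        expected = ref.get(l.package)
        if expected is None:
            verdict = "unknown"          # nothing to compare against
        elif expected == l.cert:
            verdict = "trusted"          # same signer as the reference store
        else:
            verdict = "untrusted"        # re-signed: repackaged or tampered
        verdicts[(l.store, l.package)] = verdict
    return verdicts


def reused_certs(listings: List[Listing], reference_store: str = "google-play") -> List[str]:
    """Certificates in third-party stores that sign packages belonging to
    more than one distinct developer certificate in the reference store."""
    ref = reference_certs(listings, reference_store)
    owners: Dict[str, Set[str]] = defaultdict(set)
    for l in listings:
        if l.store == reference_store or l.package not in ref:
            continue
        owners[l.cert].add(ref[l.package])
    return sorted(cert for cert, refs in owners.items() if len(refs) > 1)


# Constructed sample data: digests are placeholders, not real certificates.
SAMPLE: List[Listing] = [
    Listing("google-play", "com.example.alpha", "CERT_A"),
    Listing("google-play", "com.example.beta", "CERT_B"),
    Listing("google-play", "com.example.gamma", "CERT_C"),
    # curated store: same signers as the reference
    Listing("apps", "com.example.alpha", "CERT_A"),
    Listing("apps", "com.example.beta", "CERT_B"),
    # uncurated store: one certificate re-signing two different developers' apps
    Listing("shady", "com.example.alpha", "CERT_X"),
    Listing("shady", "com.example.gamma", "CERT_X"),
    Listing("shady", "com.example.delta", "CERT_D"),  # not on the reference store
]

if __name__ == "__main__":
    for (store, package), verdict in sorted(classify(SAMPLE).items()):
        print(f"{store:12} {package:22} {verdict}")
    print("certificates reused across developers:", reused_certs(SAMPLE))
```

The digests can be collected with `apksigner verify --print-certs <file.apk>` for each downloaded APK; only the comparison logic is shown here, and the reference store need not be Google Play, any store you already trust for a given package will do.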