Background

I moved from iOS to Android so now can't rely on Apple doing some checks on the apps.

I was told that Google does some automated checks and if you buy/download apps from large organisations, a.k.a. Microsoft, then you should be ok, given you check the permissions requested.

But this question is for small projects, small developer teams where they have solved a need but one may struggle to trust them or have the skills to vet every line of their code to prove you can trust them.

Safe

Good enough for the average user, like secure enough

  • You can just download the app from the Google Play Store and run it.
  • It won't be so buggy that it is unsafe
  • It won't contain malware or code that will execute later that gives you issues

Average user => not someone on the run, but maybe someone unsafe like being stalked etc. Not sure how to define safe.

Related questions but not on this exactly as Google should do some checks

I'm not sure this question about Android/Google Play Store apps has been asked. Google should do some checks; the fact they don't seem to isn't the users' fault...

Is there any such thing as an independent code vetting project which works for free to vet open source projects?

Do people even exist who actually vet all the updates to their open source software?

  • It's unclear what you are asking. If you are asking how an individual can vet a project, then it doesn't matter if/how Google runs checks. If you are asking about how good Google's checks are, then that's not what you've asked. So, what is it that you want to know? – schroeder Dec 07 '22 at 11:44
  • @schroeder How about now? – maskin Dec 07 '22 at 11:48
  • Sure, this is much clearer, but we already have an answer to this question (spoiler: such a user can't) – schroeder Dec 07 '22 at 11:49
  • @schroeder So what should Android users do then, use an iPhone or iOS? – maskin Dec 07 '22 at 11:50
  • 1
    I think you answer your own question: use large commercial projects. If you want to use a small-developer project, you take your own risk. Same as for iOS... – schroeder Dec 07 '22 at 11:51
  • @schroeder thanks, evidence for iOS being the same as Android for small developers? I heard Apple did some checks but then I'm not sure Apple check the code line by line – maskin Dec 07 '22 at 11:56
  • Both Google and Apple perform checks. But neither are perfect. – schroeder Dec 07 '22 at 11:57

1 Answer

So far the answer is:

Some checks to vet the risk:

  • Has been updated in last few months (maintained)
  • Developer has resources to debug
  • Big Organisation where reputation loss is an issue

If no to any of these, then don't use the app.

  • Reviews do not mention security issues

  • App asks for odd permissions that shouldn't be needed (privacy labels may not be reliable on Google Play Store, Feb 2023 [2])

If yes to any of these, then don't use the app.

Project/developer has reviewers, or is a large, popular open source app across multiple platforms:

  • This may be ok but I'm unsure if that works, as it depends if the code is reviewed by sufficient 'Good' Actors I assume?

Related:

What security reviews are done on apps in mobile app stores? This question is listed as out of scope, but perhaps research blogs if you want more information. Currently no change to the advice above.

[2] https://arstechnica.com/gadgets/2023/02/mozilla-says-most-top-apps-on-android-have-misleading-privacy-labels/

  • This really isn't an Apple/Google issue. So I removed that line. – schroeder Dec 07 '22 at 11:59
  • 1
    Apple is a lot stricter about what gets into their store, but it's not clear that is a good thing. A risk that is often overlooked is that of the store owner maliciously excluding legitimate apps because they don't like the developers business model, politics, negative press about the app store owner, or even straight up because the app developer competes in a market the app store owner would like to dominate. Store-imposed delays in letting developers patch their apps to fix bugs also is detrimental to security. – Ben Voigt Dec 08 '22 at 17:08
  • 2
    @maskin: I said "store owner" several times exactly because it applies to all of them and not just Apple. All the big players have been caught denying apps which are perceived to compete with their own services. – Ben Voigt Dec 08 '22 at 18:40
  • @BenVoigt (EDITED) Agreed, though there are levels to this. (Google is quite restrictive and it takes a while to get updates for android devices and also only for 2 years?) I'd prefer not to make it a community wiki but then not sure I'll get much reputation from this question anyway... Thanks for commenting :-) – maskin Dec 09 '22 at 09:13
  • 1
    You keep delving into irrelevant tangents. You do not ask about which Store does the best checks. You are asking how an individual can perform checks. Therefore, a discussion about which store performs better checks is irrelevant as I mentioned first off. And discussions about the need for checks is also irrelevant to the question of ***how*** to perform checks. – schroeder Dec 09 '22 at 09:19
  • @schroeder ok, can you send me a link to a question covering which store does the best checks, as this is about how to download apps for android safely which seems almost impossible/impractical? What's wrong with my notes on ios and permissions This is about Google Play, we agree it's not possible to vet the apps, so the so what is use another store like ios? – maskin Dec 09 '22 at 09:26
  • @schroeder Ok, I'll create a new question, sorry I mean do you think we can get more info to this question or is it 'answered enough' in your view and please split out the related issues into other questions basically? – maskin Dec 09 '22 at 09:29
  • 1
    A non-technical user needs to trust quite a lot of things. So, the advice to non-technical users is to check on the artifacts of trust. And this condensed answer covers that. – schroeder Dec 09 '22 at 09:32
  • 1
    @maskin: I'm pretty sure we are talking about apps here, not OS updates. I was anyway. So the duration of OS update support is beside the point. I can continue downloading updates for individual Android apps long after there are no longer OS package updates. – Ben Voigt Dec 09 '22 at 15:50
  • @BenVoigt True, I can't quite square that one would be using an insecure OS and up to date apps... I think that is somewhat the case with android though... So I feel both OS and apps are strongly linked... For example, the move away from Windows XP was slow I hear due to being in various infrastructures and various old OS probably still are like in hospitals or industrial settings... :-( – maskin Dec 09 '22 at 17:00
  • 1
    @schroeder note the checks are to some extent specific to the store. If Store X does very good checking then a sufficient user check might be that it's safe as long as it's listed on Store X – user253751 Jan 02 '23 at 18:07