-4

Further to my previous question.

I'm now asking for the 'so what' for all app stores...

Which app store performs better checks so non-technical users can trust the protection? Including 3rd party app stores available

I realise that security is somewhat of a moving target, but perhaps an answer should include which sources will likely remain good.

Which app stores are the most or least secure, and what checks do they do? This will change over time, but then what action points are there for non-technical users?

Safe Definition

I am aware 100% safety is impossible

Good enough for the average user, "secure enough" for average use and threat

  • You can just download the app from Store and run it.
  • It won't be so buggy that it is unsafe
  • It won't contain malware or code that will execute later that gives you issues
schroeder
maskin
  • 1
    Does this answer your question? [How does a non technical user/beginner vet Android apps to ensure they are safe?](https://security.stackexchange.com/questions/266873/how-does-a-non-technical-user-beginner-vet-android-apps-to-ensure-they-are-safe) – Chenmunka Dec 14 '22 at 13:53
  • @Chenmunka No sorry, need to cover most app stores such as iOS but I guess similar tips apply. I annoyed people by not being specific enough/off topic, hence this question, but it's already been voted down... why do I bother trying with these queries here...:-( For example, one needs a way to say this store is vetted enough to trust small developers or this isn't for non technical users? I assume iOS is decent, Google Play not, but not sure about other 3rd party stores, Amazon might be good, no idea... hence answer, as I can reference sources but I'm not an expert. – maskin Dec 14 '22 at 14:05
  • 1
    How do you know for a program you download on your PC? – allo Dec 14 '22 at 15:21
  • The problem here is that your question is very poorly defined. And your answer is a massive wall of text that is difficult to understand. And as you discovered, the answer is very, very complex and not straightforward. So, like your other question, the answer is: a non-technical user can't be sure... – schroeder Dec 14 '22 at 16:36
  • @allo You have a wider choice of options and can run different/better or other programs, mobile apps are restricted to some sources, see the related question at the bottom of the answer. But yes it's hard for PC too, the tips you use on PC aren't I think all possible on mobile but most of the mobile tips apply to PC – maskin Dec 15 '22 at 09:08
  • @allo If you think an Android phone can be a 'main PC' with keyboard, mouse etc... please let me know but that's out of scope... I have read people doing with the large phones and Bluetooth keyboard and mouse and have some notes if you want to discuss this further. – maskin Dec 15 '22 at 09:29
  • @schroeder I'm aware of the meta site or sites, the rules are the rules... It's more how to split a problem that has several connected topics into separate questions or not ask some parts even if I believe they need to be considered but let me try again and not bother you more I worry. – maskin Dec 16 '22 at 09:26
  • 1
    You have a clear problem in your head: Android apps from small developers presenting a potential threat, a threat that a non-technical user is not equipped to mitigate. However, that problem has many facets and many potential ways to mitigate, and those facets and mitigations are not related except through the lens of the problem statement. I'm trying to get you to set the "big problem" aside in order to take the individual problems atomically. But, as I've mentioned, you are trying to tackle a "wicked problem" that is not easy to solve. And even more difficult to ask on a Q&A site. – schroeder Dec 16 '22 at 09:46
  • 1
    As a Q&A site, we are different in how we handle topics. It's what makes us different, but it is also why some questions just don't fit. But just because they don't fit *here* doesn't make the question not worthwhile to ask elsewhere. – schroeder Dec 16 '22 at 09:48
  • Code review of open source apps isn't really done based on below questions, so not unrealistic to assume that mobile apps have the same problem, but then I think we don't have quite the same attack surface or risks on desktops that we do on mobile. Like everything it depends... :-) This is of almost no help to non-technical users, as say Google or Microsoft isn't code reviewing all/most Google Play apps... or maybe iOS apps have limited checks I guess? This makes it difficult, possibly very difficult to stay safe I guess, but 100% will be impossible. – maskin Dec 16 '22 at 10:32
  • https://security.stackexchange.com/questions/241642/do-people-even-exist-who-actually-vet-all-the-updates-to-their-open-source-softw?noredirect=1&lq=1 https://security.stackexchange.com/questions/239725/is-there-any-such-thing-as-an-independent-code-vetting-project-which-works-for-f?noredirect=1&lq=1 – maskin Dec 16 '22 at 10:33
  • :-) thanks, (not sure if asking on Reddit is better, or where I'd look for half-decent advice.) **Well, I need to avoid framing Qs to get the answer I want...** How to manage a user, what you can expect a user to do is one of the harder problems in security I guess? Hard to not just assume iOS safe enough, Android/Google Play for technical users, but then most people use Android on % coverage... and Android has other things going for it... – maskin Dec 16 '22 at 10:35
  • 1
    @maskin It was kind of a rhetorical question. On the PC you don't have sandboxes and install programs you download from the internet, still you probably know how to avoid malware. So judge alternative appstores and downloads of single app packages in the same way you would judge where to download your .exe files. – allo Dec 19 '22 at 19:55

1 Answer

-2

iOS vs Android

iOS has an edge on providing secure apps over Android:

“The risk of malicious apps tends to be higher on Android because it’s a more open operating system. It’s incredibly difficult to download an app that isn’t from the Apple App Store on an iOS device, which is one of the benefits of the company’s walled garden approach.”

https://www.trustedreviews.com/news/mobile-news/are-iphones-more-secure-than-android-phones-4205231 Date: 2022

"Android’s open Google Play Store marketplace has far more apps to choose from than on Apple's App Store, but there’s a far greater chance that hackers can make it onto the platform to distribute malware through malicious apps.

On numerous occasions, highly ranked apps with hundreds of thousands of downloads from the Google Play Store have been discovered to contain Android malware."

https://nordvpn.com/blog/ios-vs-android-security/ - Date 2022

"Android operating system Popularity: The Android operating system is hugely popular. This means that developers are constantly building new apps designed to run on the system. That’s good for users ... mostly. The problem comes when hackers create apps designed to infect your mobile devices.

There is an app review process for Google Play. Unfortunately, the process is far less stringent than what developers face when adding apps to Apple’s App Store.

It's easier, then, for malicious apps to sneak onto the Google Play store and easier for users to accidentally install one."

emphasis added for bold https://us.norton.com/blog/mobile/android-vs-ios-which-is-more-secure# Date 2022

https://www.makeuseof.com/apple-vs-android-which-is-more-secure/ - Date 2022

https://www.howtogeek.com/224096/why-iphones-are-more-secure-than-android-phones/ - Date 2015

Android

3rd party Android stores

??

Amazon AppStore

??

F-Droid

We do not currently recommend F-Droid as a way to obtain apps. F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity.

F-Droid additionally has reproducible builds for some applications and is dedicated to free and open-source software. However, there are notable problems with the official F-Droid client, their quality control, and how they build, sign, and deliver packages.

Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust.

Other popular third-party repositories such as IzzyOnDroid alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories.

However, it is not something that we can recommend, as apps are typically removed from that repository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates.

That said, the F-Droid and IzzyOnDroid repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer.

It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method.

Note

In some rare cases, the developer of an app will only distribute it through F-Droid (Gadgetbridge is one example of this). If you really need an app like that, we recommend using Neo Store instead of the official F-Droid app to obtain it.

Formatting added

Date: October 24, 2022 https://www.privacyguides.org/android/?h=f+droid#f-droid

Other app stores

I've ignored anything I've not heard of or I figure has too few apps/coverage to be helpful to include or cover only specific areas like Games

Reference: https://en.wikipedia.org/wiki/List_of_mobile_app_distribution_platforms https://www.androidpolice.com/best-google-play-store-alternatives/

APKMirror

??

Aptoide

??

Reference: https://alternativeto.net/software/slideme-market/

Related

Why do mobile apps have fine-grained permissions while desktop apps don't?

maskin
  • This answer was all over the place, reflecting the unfocused nature of the question. As a Q&A site, we can't fix all the problems in a single domain (mobile apps across all ecosystems) in a single post. If asking which app store performs better checks, then this focused answer gets you there. If asking for a universal guide for all possible apps in any context, that's too broad for Stackexchange. – schroeder Dec 14 '22 at 16:49
  • @schroeder deleted 14214 characters in body, much of that text is relevant to the question, such as sandboxed Google Play, Aurora Store (this is a 3rd party front end for Google Play), dummy Google account... It might be worth covering how much of an edge iOS has over Google Play store, which I worry is quite high. – maskin Dec 15 '22 at 09:21
  • @schroeder "If asking for a universal guide for all possible apps in any context, that's too broad for Stackexchange." I'm not sure why as the same rules you'd follow in one apply to the next store, beyond the differences between stores that affect the answers. + my notes to a table so less 'long answer' This could be several questions but again not sure people will answer those. I'm not asking for 100% security but good enough, as in who does enough checks and which stores are they, possibly none, or maybe iOS... that's of no help to the majority of people using Android phones I guess? – maskin Dec 16 '22 at 09:08
  • *One/I could add my long answer into a table or mind map if that's easier but ... – maskin Dec 16 '22 at 09:11
  • This is a Q&A site. Not a blog. There needs to be a clear question with a clear answer. We can't solve all facets of every problem. – schroeder Dec 16 '22 at 09:12
  • @schroeder Yeah, I don't agree, posters ask complex problems on these sites I think all the time, but I do understand the need to be specific, which I have tried to do. If I found a creditable blog (how?) with a summary I'd use that... but then most people who'd answer here are reasonably creditable... Anyway, thanks for your help. If this site is only for simple, very specific problems, I worry we do need that made clearer when signing up, but I covered this on how do you keep this whole site up to date enough, as security changes a lot? – maskin Dec 16 '22 at 09:14
  • 1
    There is a fundamental difference between asking complex questions and asking a handful of different complex questions that are tangentially related. Clear questions can be complex. – schroeder Dec 16 '22 at 09:22
  • @schroeder Ok, I do understand that, but let me try to summarise again! :-( Maybe try 3 will be better – maskin Dec 16 '22 at 09:24