APK Safety: Unknown Sources Risk

TL;DR

No, APKs installed from unknown sources cannot be considered safe without careful checking. They bypass Google Play Protect’s security checks and can contain malware, viruses, or other harmful software. Even with permissions granted, the risk remains high.

Understanding the Risks

When you install an app from outside of the Google Play Store (using a sideloaded APK), you are essentially trusting the source completely. Google Play Protect scans apps in the Play Store for threats before they’re available to download. Sideloading skips this crucial step.

Step-by-Step Guide: Assessing APK Safety

1. Understand Permissions: Before installing, review the permissions the app requests. Be wary of apps asking for excessive or unrelated permissions (e.g., a simple calculator requesting access to your contacts).
2. Verify the Source: This is the most important step.
   • Official Website: Download APKs only from the official website of the app developer. Double-check the URL for typos or slight variations that could indicate a fake site.
   • Trusted App Stores (Alternatives): If not available on the Play Store, consider reputable alternative app stores like F-Droid (for open-source apps).
   • Avoid Third-Party Download Sites: Websites offering free APK downloads are often riddled with malware.
3. Scan with VirusTotal: Before installing, upload the APK file to VirusTotal. This service scans the file using multiple antivirus engines.

   (No code needed - this is a website.)

4. Check App Hashes (Advanced): App hashes are unique fingerprints of the APK file. If you can find the official hash value published by the developer, compare it to the hash of the downloaded APK.
   • On Linux/macOS: Use the sha256sum command in your terminal:

     sha256sum your_app.apk

   • On Windows (PowerShell): Use the Get-FileHash cmdlet:

     Get-FileHash -Algorithm SHA256 your_app.apk | Format-List

   If the hashes don’t match, the APK has been tampered with and should not be installed.

5. Use a Cybersecurity App: Install a reputable mobile cybersecurity app (e.g., Bitdefender Mobile Security, Norton Mobile Security) to scan your device regularly for threats.
6. Monitor Device Behaviour: After installation, pay attention to any unusual behaviour on your device, such as increased data usage, unexpected battery drain, or new apps appearing without your knowledge.

Permissions Explained

Android permissions control what an app can access on your device. Here’s a breakdown of common permission types and their risks:

• Location: Access to your precise location – be cautious about apps needing this if it’s not core functionality.
• Camera/Microphone: Access to your camera and microphone – ensure the app legitimately needs these features.
• Contacts/Phone: Access to your contacts and phone information – high risk; only grant to trusted apps.
• Storage: Access to files on your device – be careful about granting access to all storage if it’s not necessary.

What About ‘Install Unknown Apps’ Permission?

The ‘Install unknown apps’ permission simply allows you to install APKs from sources other than the Google Play Store. It doesn’t guarantee safety; it just removes a security barrier. Revoke this permission when not actively installing an app.

cyber security Best Practices

• Keep your Android OS updated: Updates often include important security patches.
• Enable Google Play Protect: Ensure it’s active in the Google Play Store settings.
• Be skeptical of app requests: If something seems off, don’t install it.