How can you trust an app

How can you trust an app? Easy, you say, just download it from a certified app store.

For example, Google Android provides Google Play Protect. This service scans installed apps on your device, as well as all apps submitted to Google Play. Accordingly, it blocks Potentially Harmful Applications, as defined by Google. So if you install your apps from Google Play, then you’re safe, correct?


The store keeps me safe from evil code

Not really.

In fact, Google Play Protect has a long history of malware slipping through its defenses. To be clear, Google does its best, and we’re talking about extremely capable developers here! However, there are many ways to defeat the system.

For instance, a barcode scanner app with more than 10 million users managed to sneak past Google’s scan. How? Likely through an update released months later: the original application passed the scan, but the update added the malicious code. It also copied the name (and probably the code) of a legitimate, open source application that did not contain anything malicious. Instead, the “good” app got review-bombed by users mistaking it for the “bad” app.

And though Google constantly improves its protection system, malware apps that make it into Google Play keep popping up. It won’t stop anytime soon.

And if you think the Apple Store is safer, well, think again. Then again. And again.

The store tells you about data privacy

Until recently, Google displayed the list of permissions an app requires to run. For instance, it would say that the app requests permission to access your location, your photos and videos, and so on.

Not anymore, though. Google is now replacing that with a Data Safety section. So what’s the problem? Well, the developers become solely responsible for declaring how an app will use and share data. If they don’t want to tell you that they share your purchase history or your location… well, too bad for you!

This is not much different from the way the Apple Store handles its privacy “nutrition” labels. As expected, researchers quickly found false declarations on the store.

Additionally, you must take into account the applications preinstalled on your phone. You may not have asked for them, but there they are. And you cannot uninstall them!

What about the permissions you granted to the applications you did agree to install? Are you sure that your location isn’t used without your knowledge? Or that it isn’t being shared with other applications on your phone?

The truth is, as soon as you grant an app permission to access anything on your phone, it can potentially sell any data it reaches to data brokers.

[Update 22/7/2022]

It looks like Google rolled back its decision to hide the permissions an app requires to work. A wise decision indeed. Apparently the public’s reaction brought them back to reason.

Ok, so how can you trust an App then?

On the whole, the picture is bleak. Apps, app stores, Android and iOS: they are all businesses after all.

What about open source apps, you may ask? Sure, open source is reassuring, if only because experienced developers can analyse the code and determine what the app actually does or does not do. But then how can you be sure that the app you download is built from the same code that was published as open source?

All in all, the only way to trust an app is… to trust the persons who made it.