How to determine if it is safe to install apk files from alternative android app stores?

  • Several sites offer APK downloads (1, 2, 3). Is there a way to determine if a given website/apk is safe to install?

    Besides actually running it, no, not really.

    Reverse-engineer it or run it in a sandbox.

    How do you determine if an APK from the Play store is safe?

    @NeilSmithline, Google does it for me.

So "trust" is basically your answer. That's what you'll need to use with 3rd-party sites too. Sorry that there's not a better answer.

    @NeilSmithline, there are two separate "trusts" in this case. (1) I trust that Google's scripts etc. do a better job than me in spotting security issues; (2) I do not trust apk files on alternative sites to be malware-free.

    @steve including actually running it, no, not really. Just because it doesn't immediately burn down your house, the indoor flamethrower app might eventually prove to have been a poor choice.

  • RoraΖ (accepted answer), 6 years ago

    Initial Analysis

    I think the most thorough way to test 3rd party apps is to:

    1. Download the Android SDK/Tools
    2. Create a virtual Android Device with the Android version of your phone.
    3. Enable Android Debugging through USB on your device. (Can be turned off later)
    4. Check with ADB that your emulator is detected: `adb devices`
    5. Install the 3rd party app with ADB: `adb install`

    You can analyze what's going on in the device using different logs that are constantly running. These can be tough to capture, but you can capture the logcat of your device with adb logcat. You can learn how to use Logcat like a Pro.

    The Android Virtual Device (AVD) uses your internet connection like a WiFi connection. At this point you can perform all kinds of analysis. My post on how to analyze malware could be helpful (as far as tools and techniques to use). Wireshark will be a helpful tool to analyze network traffic. See what the app does with its networking connections.

    Reverse Engineering

    So now you'll be getting down and dirty into seeing what exactly the APK is doing. For this you'll need a few tools. Here is an online tool (I have not used it) that claims to decompile an Android APK back into its Java code. If you would like to understand the process and do it yourself I would look at this Stack Overflow answer.

    An APK is just a .zip file. So the steps (with tools from that Stack Overflow answer):

    1. unzip example.apk

    Now we have the following files and directories:

    -rw-rw-r--  1       3708 Oct 14  2013 AndroidManifest.xml
    -rw-rw-r--  1    2751916 Oct 14  2013 classes.dex
    drwxrwxr-x  2       4096 Aug  3 12:12 META-INF
    drwxrwxr-x 23       4096 Aug  3 12:12 res
    -rw-rw-r--  1     363640 Oct 14  2013 resources.arsc

    The classes.dex is what we want. It contains all the Java classes used for the application.

    2. ./ ../example.apk

    Now we have a ./example-dex2jar.jar JAR file that can be decompiled into Java code. Here is where JD-GUI and ApkTool can be useful. Now you can look at the exact code that is executed by the APK.

    Keep in mind though that some portions (if not most) of the Java code will be obfuscated. This is common and you'll often see function symbols ripped out and replaced with a, b, etc. Not only functions, but packages, methods, variables. Seeing obfuscated Java like z = (a) b.d() would not be uncommon. But you can see strings, typical imports, and any JNI shared object functions they may use.

    All that being said, do you want to do that for every app you download? Probably not. It comes down to whether you trust the Store that you're using, and/or the software company that put out the app. I personally don't use any apps outside of the Google Play store. The Apps I do download I base on companies that developed them, user reviews (these can be faked), friend/forum recommendations, etc.

    You have to give some sort of trust to the app you're downloading, or analyze each and every app you install. Either way you've got to use caution.
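The answer above captures `adb logcat` output from the emulator while the untrusted app runs. The following is an added example (not part of the answer or of any Android tooling) of how to sift that capture: it parses logcat's default "threadtime" line layout, finds the process id(s) that ActivityManager assigned to the package under test, keeps only that process's lines, and flags the ones worth a closer look (network endpoints, warnings/errors, system property reads). The package name `com.example.thirdparty`, the endpoint `telemetry.example.invalid` and the log lines themselves are constructed for the example.

```python
import re
from collections import namedtuple

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm  PID  TID  LEVEL TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
# ActivityManager announces new app processes as "Start proc <pid>:<package>/<uid>"
START_PROC_RE = re.compile(r"Start proc (?P<pid>\d+):(?P<pkg>[\w.]+)/")
URL_RE = re.compile(r"https?://[^\s\"']+")

Entry = namedtuple("Entry", "date time pid tid level tag msg")

# Constructed sample capture (not real device output); the package, pids and
# endpoint are invented for this example.
SAMPLE_LOGCAT = """\
08-03 12:12:01.234   512   530 I ActivityManager: Start proc 4567:com.example.thirdparty/u0a123 for activity com.example.thirdparty/.MainActivity
08-03 12:12:01.500  4567  4567 D MainActivity: onCreate
08-03 12:12:02.010  4567  4590 I System.out: posting device id to https://telemetry.example.invalid/upload
08-03 12:12:02.300   512   545 I ActivityManager: Start proc 4600:com.android.chrome/u0a55 for service com.android.chrome/.Svc
08-03 12:12:03.100  4567  4591 W libc: Access denied finding property "ro.serialno"
08-03 12:12:04.000  4567  4567 E AndroidRuntime: FATAL EXCEPTION: main
this line is not logcat output and is skipped
"""


def parse_logcat_line(line):
    """Return an Entry for a threadtime-format line, or None if it does not match."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["date"], d["time"], int(d["pid"]), int(d["tid"]),
                 d["level"], d["tag"], d["msg"])


def pids_for_package(entries, package):
    """Collect every pid ActivityManager started for the given package."""
    pids = set()
    for e in entries:
        if e.tag == "ActivityManager":
            m = START_PROC_RE.search(e.msg)
            if m and m.group("pkg") == package:
                pids.add(int(m.group("pid")))
    return pids


def triage(log_text, package):
    """Keep only the package's own lines and attach a reason to each flagged one."""
    entries = [e for e in map(parse_logcat_line, log_text.splitlines()) if e]
    pids = pids_for_package(entries, package)
    own = [e for e in entries if e.pid in pids]
    findings = []
    for e in own:
        reasons = []
        for url in URL_RE.findall(e.msg):
            reasons.append("network endpoint " + url)   # compare against Wireshark capture
        if e.level in ("W", "E", "F"):
            reasons.append("level " + e.level)
        if "property" in e.msg.lower():
            reasons.append("system property access")    # device-identifier harvesting is common here
        if reasons:
            findings.append((e, reasons))
    return {"pids": pids, "entries": own, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGCAT, "com.example.thirdparty")
    print("pids:", sorted(result["pids"]))
    for entry, reasons in result["findings"]:
        print(f"{entry.time} {entry.tag}: {entry.msg}  <- {', '.join(reasons)}")
```

On a real capture, feed `adb logcat -v threadtime` output (saved to a file) into `triage` and use the pid set, rather than grepping by package name, since most of an app's log lines never mention its package.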
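The answer's static step is "an APK is just a .zip file" and "classes.dex is what we want". The following is an added example (not code from the answer, from dex2jar or from the Android project) of what to check before handing the file to a decompiler: it opens the APK as a zip, records a SHA-256 of the download, notes whether a signature block and native libraries are present, and validates the dex header fields that the format defines (magic, adler32 checksum over everything after the checksum field, SHA-1 signature over everything after the signature field, file size, endian tag). It then pulls printable strings out of the dex data section, which is what survives obfuscation. The APK it inspects is built in memory for the example; its manifest is a placeholder rather than real binary XML, and the class names and the endpoint `telemetry.example.invalid` are constructed.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\x00"   # magic + version "035"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def build_constructed_dex(payload: bytes) -> bytes:
    """Constructed minimal dex: a valid 0x70-byte header followed by raw payload bytes."""
    file_size = DEX_HEADER_SIZE + len(payload)
    # file_size, header_size, endian_tag, link_size, link_off, map_off,
    # six (size, off) id-table pairs (all empty), data_size, data_off
    rest = struct.pack("<20I", file_size, DEX_HEADER_SIZE, DEX_ENDIAN_TAG, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(payload), DEX_HEADER_SIZE)
    body = rest + payload
    signature = hashlib.sha1(body).digest()               # covers bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # covers bytes 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def parse_dex_header(dex: bytes) -> dict:
    """Validate the header fields the dex format defines; a mismatch means truncation or tampering."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    stored_checksum, = struct.unpack_from("<I", dex, 8)
    stored_signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "version": dex[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(dex),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_TAG,
        "checksum_ok": stored_checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": stored_signature == hashlib.sha1(dex[32:]).digest(),
    }


def dex_strings(dex: bytes) -> list:
    """Printable runs from the data section (header skipped so hash bytes do not produce noise)."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(dex[DEX_HEADER_SIZE:])]


def inspect_apk(apk_bytes: bytes) -> dict:
    """Triage an APK as a zip archive before decompiling it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report = {
            "sha256": hashlib.sha256(apk_bytes).hexdigest(),  # record what you analysed
            "entries": names,
            "has_manifest": "AndroidManifest.xml" in names,
            # v1 (JAR) signing leaves a certificate block under META-INF/
            "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                          for n in names),
            "native_libs": [n for n in names if n.startswith("lib/") and n.endswith(".so")],
            "dex": {},
            "strings": [],
        }
        for n in names:
            if n.startswith("classes") and n.endswith(".dex"):
                data = z.read(n)
                report["dex"][n] = parse_dex_header(data)
                report["strings"].extend(dex_strings(data))
        report["urls"] = [s for s in report["strings"] if "://" in s]
    return report


def build_constructed_apk() -> bytes:
    """Constructed APK for the example: placeholder manifest, one dex, no certificate block."""
    payload = (b"\x00Lcom/example/app/MainActivity;\x00"
               b"https://telemetry.example.invalid/upload\x00"
               b"Ljava/lang/Runtime;\x00exec\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder: real manifests are binary XML")
        z.writestr("classes.dex", build_constructed_dex(payload))
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_apk(build_constructed_apk()).items():
        print(f"{key}: {value}")
```

Run it on a downloaded APK with `inspect_apk(open("example.apk", "rb").read())`; a failed checksum or signature check means the dex was altered after it was built, and an unsigned or unexpectedly native-library-heavy package is a reason to read the decompiled output more carefully, not a verdict on its own.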

Licensed under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM