How to determine if it is safe to install apk files from alternative android app stores?
So "trust" is basically you're answer. That's what you'll need to use with 3rd-party sites too. Sorry that there's not a better answer.
@NeilSmithline, there are two separate "trusts" in this case. (1) I trust that Google's scripts etc. do a better job than me in spotting security issues; (2) I do not trust apk files on alternative sites to be malware-free.
I think the most thorough way to test 3rd party apps is to:
- Download the Android SDK/Tools
- Create a virtual Android Device with the Android version of your phone.
- Enable Android Debugging through USB on your device. (Can be turned off later)
- Check with ADB that your emulator is detected:
- Install the 3rd party app with ADB: `adb install
You can analyze what's going on in the device using different logs that are constantly running. These can be tough to capture, but you can capture the
logcatof your device with
adb logcat. You can learn how to use Logcat like a Pro.
The Android Virtual Device (AVD) uses your internet connection like a WiFi connection. At this point you can perform all kinds of analysis. My post on how to analyze malware could be helpful (as far as tools and techniques to use). Wireshark will be a helpful tool to analyze network traffic. See what the app with its networking connections.
So now you'll be getting down and dirty into seeing what exactly the APK is doing. For this you'll need a few tools. Here is an online tool (I have not used it) that claims to decompile an Android APK back into its Java code. If you would like to understand the process and do it yourself I would look at this Stack Overflow answer.
An APK is just a
.zipfile. So the steps (with tools from that Stack Overflow answer)
Now we have the following files and directories:
-rw-rw-r-- 1 3708 Oct 14 2013 AndroidManifest.xml -rw-rw-r-- 1 2751916 Oct 14 2013 classes.dex drwxrwxr-x 2 4096 Aug 3 12:12 META-INF drwxrwxr-x 23 4096 Aug 3 12:12 res -rw-rw-r-- 1 363640 Oct 14 2013 resources.arsc
classes.dexis what we want. It contains all the Java classes used for the application.
Now we have a
./example-dex2jar.jarJAR file that can be decompiled into Java code. Here is where JD-GUI and ApkTool can be useful. Now you can look at the exact code that is executed by the APK.
Keep in mind though that some portions (if not most) of the Java code will be obfuscated. This is common and you'll often see function symbols ripped out and replaced with
b, etc. Not only functions, but packages, methods, variables. Seeing obfuscated Java like
z = (a) b.d()would not be uncommon. But you can see strings, typical imports, and any JNI shared object functions they may use.
All that being said. Do you want to do that for every app you download? Probably not. It comes down to whether you trust the Store that you're using, and/or the software company that put out the app. I personally don't use any apps outside of the Google Play store. The Apps I do download I base on companies that developed them, user reviews (these can be faked), friend/forum recommendations, etc.
You have to give some sort of trust to the app you're downloading, or analyze each and every app you install. Either way you've got to use caution.