During my search for apps I came across a few alternative app stores like Uptodown or Aptoide. I especially liked these two because they offer downgrades to older app versions. Of course there is also F-Droid and surely others.
My question is rather general. How can I be sure that those app stores and the apps they offer are not a security threat? How can I be sure that there is no malware within the apps or the app store itself?
Any guidelines on how to find out things like that?
And does anyone have concerns about using Aptoide, Uptodown or F-Droid?
And just for the sceptic in me: Why is “App lounge” trustworthy?
I’d look at two elements of trust: authenticity and security.
Authenticity (is this from WhatsApp?) can be verified, albeit with some effort, by comparing the signing certificate of the apk, no matter where you got it from, to the canonical truth: the Play Store or in some cases the publisher's website (Signal). I wrote about this here and here (a long time ago, lots of dead links).
Security (is this apk malware?) is up to the store's scanning/detection mechanism, or a device-local app that is fed a list of results produced by a security provider. Do you expect the Play Store to have sufficient detection? Do you expect the authentic publisher (think WhatsApp or a bank) to include malware?
App Lounge and Aurora download from the Play Store directly; they're not third-party stores and are also easy to inspect. If Google has a version available at install time in those clients, that version isn't deemed malware. When it is deemed malware at a later time, it's unpublished and Play Protect would uninstall it (unavailable outside Google Android).
F-Droid can by its nature point at the source of the binary they published, making inspection straightforward in case of suspicion. They will unpublish and warn publicly, but they have no uninstall method.
My issue with closed-source third-party stores is more in their store client than in the apks they distribute. The individual apks you can verify against the Play Store.
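The authenticity check described above, as an added example that is not code from this thread: it reads the signer-certificate SHA-256 digests out of an apk with `apksigner` (Android SDK build-tools, assumed to be on PATH) and compares them to a reference fingerprint you recorded yourself from the Play Store copy; the reference value in the usage comment is a constructed placeholder, and an app legitimately signed with more than one certificate is handled by matching any of its signers.

```shell
#!/bin/sh
# Added example, not code from the thread: check that an apk obtained from a
# third-party store is signed by the same certificate as a trusted copy.
# Assumes `apksigner` (Android SDK build-tools) is on PATH.

# Canonical form of a fingerprint: drop colons and spaces, lowercase hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the SHA-256 digest of every signer certificate in the apk, one per line.
# An app legitimately signed with more than one key yields several lines.
apk_cert_sha256() {
  apksigner verify --print-certs "$1" 2>/dev/null \
    | sed -n 's/.*certificate SHA-256 digest: *//p'
}

# fingerprint_matches <reference> <fp>... : returns 0 if any fp equals reference.
fingerprint_matches() {
  ref=$(normalize_fp "$1"); shift
  for fp in "$@"; do
    [ "$(normalize_fp "$fp")" = "$ref" ] && return 0
  done
  return 1
}

# verify_apk <apk> <reference_sha256> : 0 match, 1 mismatch, 2 cannot verify.
verify_apk() {
  fps=$(apk_cert_sha256 "$1") || return 2
  if [ -z "$fps" ]; then
    echo "no signer certificates found (apksigner missing or unsigned apk)" >&2
    return 2
  fi
  # shellcheck disable=SC2086  # splitting $fps on newlines is intended here
  if fingerprint_matches "$2" $fps; then
    echo "OK: signer certificate matches the reference"
  else
    echo "MISMATCH: signer certificate differs from reference; do not install" >&2
    return 1
  fi
}

# Usage (constructed placeholder fingerprint, not a real app's):
# verify_apk ./app-from-store.apk 'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'
```

Take the reference fingerprint from the copy you trust (for example the apk the Play Store delivered to the same device), not from the third-party store's own UI.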
I understand your explanations for apps. My question targets the app stores. It would be far easier to rely on one or two app stores instead of checking each app coming from there.
The discussion on apks and store trust is taking place with users having mental models of apks like early Windows-era .exe files, and that is insufficient for a meaningful discussion of both authenticity and how Android ensures continuity of the signing certificate(s) when updating apps.
You asked for guidelines: that is how you can check if Aptoide and Uptodown give you what the Play Store releases. Anything else is relying on ownership or brand reputation.
There is an easy (and sad?) answer to "can I trust this alternative app store?" in the form of Google's 2026 / Android 16 (QPR2) initiative Android Verified Developer, at the cost of introducing centralization and control:
If enacted as planned, future Google Android will phone home (or act on a cached list) on every apk install, no matter where you got it from, checking whether the app id, certificate and developer/publisher id are known in its records, and only if positive go forward on first-time installation.
OK. I see the challenge in this. So we need to rely on reputation when it comes to app stores…
There is an easy (and sad?) answer to "can I trust this alternative app store?" in the form of Google's 2026 / Android 16 (QPR2) initiative Android Verified Developer, at the cost of introducing centralization and control:
Would that be the end of /e/OS? I guess and hope not.
Or would it “only” mean all the app developers must publish in the play store?
Reputation: as shown, wrongdoing can be detected; app stores acting not diligently or maliciously could face public scrutiny.
APKMirror, APKPure and Aptoide will show you a cert fingerprint somewhere in the UI (Uptodown does not), but that isn't much help if users can't easily cross-check it with the Play Store.
It's also just UI, and things can get technically more complicated when more than one (legitimate) signing cert is involved.
Would that be the end of /e/OS? I guess and hope not. Or would it “only” mean all the app developers must publish in the play store?
"No" and "no". Custom ROMs can remove a check or make it optional. Developers can still distribute where they want, but need to be verified at Google. It will stifle small-time open-source development.
Google could have gone less centralized routes to enact such a feature (like just a public appid-cert log), but the sole reason you created this thread is that there is a need for trust infrastructure.