Fight Android malware: Get your apps here instead
Things haven't been looking great for Android users' privacy recently. After Google purged 50 malicious apps from its Play store with upward of 25 million downloads a couple of years back, another 200 Android apps were found infected with malware in March, followed by July's discovery of 1,000-plus Android apps harvesting data even after you deny permissions and a Chrome extension security meltdown in May.
It's a good time to check your phone for malicious apps. And an even better time to take F-Droid for a spin, the security-focused Android app marketplace that replaces the Google Play store with a catalog of installable Fully Open Source Software (FOSS).
Once you've done that, consider the words of Serge Egelman, the director of usable security and privacy research the International Computer Science Institute, which found 1,325 malicious Android apps.
"Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it," Egelman said earlier this year. "If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
With so few tools, you can consider wielding one of the most effective ones -- opting out of the Google Play store.
Is F-Droid safe?
While Google Play promises to scan its apps, the outbreak of malware found in their software proves that no app repository is ever 100% safe.
But as an open-source project, F-Droid shows us their math: None of the applications found within the catalog include tracking or hidden costs, a community of developers are easily able to examine source code to spot suspicious behavior and F-Droid has rigorously documented its own external security audits and has established a history of addressing vulnerabilities. If F-Droid sees apps with potentially non-compliant features, they get flagged.
Not incidentally, sticking purely to open source apps means an F-Droid app left unsupported by a developer is not necessarily a death sentence for any personal data you might want to save.
On the privacy front, F-Droid has numerous precautions: It sends everything over HTTPS, avoids leaking app search and browsing data, supports Tor, and includes all supported languages in its metadata so its servers don't even know what language you're speaking.
With an eye toward security concerns, CNET previously reconsidered its recommendations on sideloading third-party Android apps or APK (Android's app file-package that includes executables comparable to Windows' EXE files) which aren't officially supported by Google. But $5 billion worth of antitrust damages have a way of putting things into perspective.
Times have changed. Besides F-Droid, there are other non-Google app store competitors not seen on the Play store, including Amazon's Appstore and Samsung's Galaxy Apps. And they all operate with varying degrees of data security. Staying safe is no longer a matter of sticking with the biggest brands on the block; it's about upping your scrutiny and layering your security.
F-Droid is among the most scrutinized Play store alternatives we can advise. So have a critical look at its security model to judge F-Droid for yourself, and review its most recent security audit.
How do I install F-Droid?
If you want to download F-Droid, you won't find it on the Play store. Instead, you can download it directly from the F-Droid site. Once prompted by your phone, confirm installation and you're ready to browse. If you want a visual tour of the two-click install, PrivacyPro has a screenshotted walkthrough (along with a list of their favorite starter apps).
For those interested in finding the right privacy-focused apps, have a look at the F-Droid-approved Guardian Project. Their easy-to-use security app suite is the perfect place to begin building your data-safe mobile usage routine.
If you're using an older version of Android, you'll need to allow software from unknown sources via System Settings. But if you're running Android 8 Oreo (or later), you've got a handy new setting we recommend enabling which allows only certain apps (like F-Droid and the Play store) to install APKs. This keeps other applications such as email clients from silently installing malware via hijacked attachments.
We recommend that F-Droid adopters stick to APKs found F-Droid's app store, in order to ensure you're installing only those apps which have cleared a strict security screening. If you'd like to use both F-Droid and the Play store, we recommend enabling Google Play Protect if you haven't already.
It's not a magic shield, but it acts as a first line of defense by tapping into Android's suite of built-in security controls to screen apps you install from both inside and outside of the Play store. But, Play Protect isn't enough. You should also use at least one of the other 16 non-Google security apps that outperformed Play Protect when AV Test fired 18,000 rounds of malware at them during last year's marathon.
For those looking to stay within the bounds of the Play store, Android's 31-page official 2019 security and privacy report may offer reason for optimism. Despite a reported 0.02% to 0.04% year-on increase in potentially harmful applications (PHAs) downloaded from the Play store, Google attributes much of this increase to improvements in its own tracking methods, including the wider implementation of Play Protect which it says now scans over 50 billion apps every day across more than 2 billion devices. Google has also taken seemingly good faith action in bouncing hundreds of thousands of malicious apps from its ranks, and says it tightened security further by rejecting 55% more apps' requests to join the Play store.
This year's report also found that "only 0.08% of devices that exclusively used Google Play had one or more PHAs installed (unchanged from last year). In contrast, 0.68% of devices that installed apps from outside of Google Play were affected by one or more PHAs in 2018."
CNET asked what portion of that 0.68% were F-Droid users, and whether Google had any further security advice for users who want to try out apps outside of the Play store. Google responded by redirecting CNET to a help center article, and advised users to download apps from the Google Play store to avoid risks to personal information.
Editors' note: While using a third-party app store like F-Droid to get apps rather than the Google Play store can give you more control and better privacy and security, it also takes more diligence. It's for power users. Installing any third-party apps on Android is still something you have to do at your own risk. So, make sure you're comfortable taking that risk.