Two fellows from the Yale Privacy Lab advised consumers in a Wired column last weekend to stop using the Google Play Store. Instead, Android owners should download their apps from F-Droid, an alternative Android app store, they say. Why? Because, they reason, the Google Play Store hosts “scary new malware,” as well as apps “filled with trackers.”

As co-author of the Android Hacker’s Handbook and an independent Android security researcher, I strongly disagree with the column’s message. It’s incredibly bad advice for most consumers. Here’s why.

The authors’ argument focuses on privacy and tracking rather than on security. It ignores multiple studies pointing to the weak security of alternative Android app stores. It also fails to acknowledge that it contradicts other advice published in Wired.

F-Droid hosts only open-source and free, or FLOSS, Android apps. It accepts only apps that comply with its strict rules. Ads are allowed, but apps offered in the store must be maintained in a publicly accessible repository, must not use any Google services, and must not implement proprietary tracking or analytics.

These restrictions are quite limiting. In the F-Droid store today, you can find mostly small utility apps such as text editors, small games, and apps also available on Google Play such as OpenStreetMap. But in some ways, the restrictions might not be limiting enough.

F-Droid’s guidelines do not mention whether the app store checks apps for their security features or potentially malicious behavior. They do say the store will host any app that is free and open source, even if the app engages in practices F-Droid flags as “antifeatures.” These practices include displaying ads and relying on proprietary, closed-source software like Google Maps. To me, the guidelines indicate that F-Droid prioritizes the FLOSS ethos over consumer security.

Google actively invests in identifying malicious app behavior. In Google Play, it has integrated a user rating system, user comments, and app author information. It also allows consumers to flag an app as dangerous, and its “copycat or impersonation” option makes for useful security feedback. F-Droid lacks all these security features.

Third-party free services such as F-Droid simply do not have the resources to effectively identify or root out malicious app behavior, even when they have access to the source code of the apps they host. The authors of the 2016 paper “Evaluating Malware Mitigation by Android Market Operators,” which did not specifically examine F-Droid, concluded that Google Play appears to be the only marketplace actively removing malware.

Critically, to use F-Droid, you must activate the “allow alternative sources” setting on your Android device. This setting allows installation of any Android application outside of Google Play until the setting is disabled again. So to just install F-Droid (or any other third-party app store), you need to make your phone much more vulnerable to malicious software.

Once you allow alternative sources, any website could push an Android app to your phone and present you with an install button. If you aren’t careful, you could get tricked into installing malicious apps. This is how the just-revealed Dark Caracal spyware campaign infected Androids around the world.

Android Oreo (Android 8) allows users to install apps from “unknown sources” on a per-app basis, which could do much to reduce the “unknown sources” problem. But more than five months after Oreo’s release, only 0.7 percent of Android devices run it.
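The difference between the pre-Oreo global switch and Oreo’s per-app grant can be checked directly on a device. The script below is an added example, not part of the column: it assumes adb is on the PATH and a device with USB debugging attached, reads the global install_non_market_apps setting on API levels below 26, and on 26 and above asks appops which third-party packages hold the REQUEST_INSTALL_PACKAGES grant. The appops output format is assumed to be the usual "OP_NAME: mode; ..." line.

```python
"""Audit an Android device's 'unknown sources' exposure over adb."""
import subprocess
from typing import Dict, List

OREO_SDK = 26  # API level where the global switch became per-app


def adb(*args: str) -> str:
    """Run an adb shell command and return its trimmed stdout (assumes adb on PATH)."""
    out = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def parse_packages(pm_output: str) -> List[str]:
    """Parse `pm list packages -3` output, one 'package:<name>' per line."""
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def parse_appop(appops_output: str) -> str:
    """Parse `appops get <pkg> REQUEST_INSTALL_PACKAGES` output.
    Assumed format: 'REQUEST_INSTALL_PACKAGES: allow; time=...' or 'No operations.'
    Anything other than an explicit mode is reported as 'default' (no grant)."""
    for line in appops_output.splitlines():
        if line.startswith("REQUEST_INSTALL_PACKAGES:"):
            return line.split(":", 1)[1].split(";")[0].strip()
    return "default"


def assess(sdk: int, global_flag: str, per_app: Dict[str, str]) -> Dict[str, object]:
    """Summarise exposure the way the column describes it.
    Pre-Oreo: flag '1' means any app or website can offer an install prompt.
    Oreo+: only packages whose app-op is 'allow' can start an install."""
    if sdk < OREO_SDK:
        return {"mode": "global", "exposed": global_flag.strip() == "1", "installers": []}
    installers = sorted(pkg for pkg, mode in per_app.items() if mode == "allow")
    return {"mode": "per-app", "exposed": bool(installers), "installers": installers}


def audit_device() -> Dict[str, object]:
    """Query the attached device and return the exposure summary."""
    sdk = int(adb("getprop", "ro.build.version.sdk"))
    if sdk < OREO_SDK:
        return assess(sdk, adb("settings", "get", "secure", "install_non_market_apps"), {})
    pkgs = parse_packages(adb("pm", "list", "packages", "-3"))
    per_app = {p: parse_appop(adb("appops", "get", p, "REQUEST_INSTALL_PACKAGES")) for p in pkgs}
    return assess(sdk, "", per_app)


if __name__ == "__main__":
    print(audit_device())
```

On a pre-Oreo phone any value of 1 means the whole device is open to sideloaded packages; on Oreo the list of installers shows exactly which apps were granted that ability.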

Researchers have been exposing critical security flaws in third-party Android marketplaces since 2012. That year, researchers found that Google Play hosted 0.02 percent malicious apps, while alternative app stores hosted between 0.2 percent and 0.47 percent malicious apps. They also found that potentially malicious application repackaging was rampant in third-party marketplaces. Between 5 percent and 13 percent of all apps they looked at in third-party marketplaces were repackaged.

The notion that an alternative Android app store is safer than Google Play is just plain wrong. And the promotion of an app store that allows ads for its pro-privacy stance is hypocritical.

The risks of using F-Droid outweigh the benefits. You may have valid privacy concerns about Google Play, but switching to a third-party app store is a security risk few consumers should ever take.