How to determine if it is safe to install apk files from alternative android app stores?
Initial Analysis
I think the most thorough way to test 3rd party apps is to:
- Download the Android SDK/Tools
- Create a virtual Android Device with the Android version of your phone.
- Enable Android Debugging through USB on your device. (Can be turned off later)
- Check with ADB that your emulator is detected:
adb devices - Install the 3rd party app with ADB: `adb install
You can analyze what's going on in the device using different logs that are constantly running. These can be tough to capture, but you can capture the logcat of your device with adb logcat. You can learn how to use Logcat like a Pro.
The Android Virtual Device (AVD) uses your internet connection like a WiFi connection. At this point you can perform all kinds of analysis. My post on how to analyze malware could be helpful (as far as tools and techniques to use). Wireshark will be a helpful tool to analyze network traffic. See what the app with its networking connections.
Reverse Engineering
So now you'll be getting down and dirty into seeing what exactly the APK is doing. For this you'll need a few tools. Here is an online tool (I have not used it) that claims to decompile an Android APK back into its Java code. If you would like to understand the process and do it yourself I would look at this Stack Overflow answer.
An APK is just a .zip file. So the steps (with tools from that Stack Overflow answer)
unzip example.apk
Now we have the following files and directories:
-rw-rw-r-- 1 3708 Oct 14 2013 AndroidManifest.xml
-rw-rw-r-- 1 2751916 Oct 14 2013 classes.dex
drwxrwxr-x 2 4096 Aug 3 12:12 META-INF
drwxrwxr-x 23 4096 Aug 3 12:12 res
-rw-rw-r-- 1 363640 Oct 14 2013 resources.arsc
The classes.dex is what we want. It contains all the Java classes used for the application.
./d2j-dex2jar.sh ../example.apk
Now we have a ./example-dex2jar.jar JAR file that can be decompiled into Java code. Here is where JD-GUI and ApkTool can be useful. Now you can look at the exact code that is executed by the APK.
Keep in mind though that some portions (if not most) of the Java code will be obfuscated. This is common and you'll often see function symbols ripped out and replaced with a, b, etc. Not only functions, but packages, methods, variables. Seeing obfuscated Java like z = (a) b.d() would not be uncommon. But you can see strings, typical imports, and any JNI shared object functions they may use.
All that being said. Do you want to do that for every app you download? Probably not. It comes down to whether you trust the Store that you're using, and/or the software company that put out the app. I personally don't use any apps outside of the Google Play store. The Apps I do download I base on companies that developed them, user reviews (these can be faked), friend/forum recommendations, etc.
You have to give some sort of trust to the app you're downloading, or analyze each and every app you install. Either way you've got to use caution.
To verify whether an APK is safe, you can upload it to e.g. Virustotal. It will use a bunch of virus scanners to detect whether anything is wrong with the APK.
Note that APKs are (at this moment of writing) the #1 file type being scanned by Virustotal.