Fight Android malware by quitting Google Play and using F-Droid for Android apps
In the wake of Google’s malware scandals, you can opt for an open-source app store to make your phone more secure.
Rae Hodge, former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
It's a good time to check your phone for malicious apps. And an even better time to take F-Droid for a spin, the security-focused Android app marketplace that replaces the Google Play store with a catalog of installable Fully Open Source Software (FOSS).
"Fundamentally, consumers have very few tools and cues that they can use to reasonably control their privacy and make decisions about it," Egelman said earlier this year. "If app developers can just circumvent the system, then asking consumers for permission is relatively meaningless."
With so few tools, you can consider wielding one of the most effective ones -- opting out of the
Is F-Droid safe?
While Google Play promises to scan its apps, the outbreak of
found in their software proves that no app repository is ever 100% safe.
But as an open-source project, F-Droid shows its math: none of the applications in the catalog include tracking or hidden costs; a community of developers can readily examine the source code to spot suspicious behavior; and F-Droid has rigorously documented its own external security audits and has an established history of addressing vulnerabilities. If F-Droid sees apps with potentially non-compliant features, they get flagged.
Not incidentally, sticking purely to open source apps means an F-Droid app left unsupported by a developer is not necessarily a death sentence for any personal data you might want to save.
On the privacy front, F-Droid has numerous precautions: It sends everything over HTTPS, avoids leaking app search and browsing data, supports Tor, and includes all supported languages in its metadata so its servers don't even know what language you're speaking.
With an eye toward security concerns, CNET previously reconsidered its recommendations on sideloading third-party Android apps or APKs (Android's app package file, which contains executables comparable to Windows' EXE files) that aren't officially supported by
. But $5 billion worth of antitrust damages have a way of putting things into perspective.
For those interested in finding the right privacy-focused apps, have a look at the F-Droid-approved Guardian Project. Their easy-to-use security app suite is the perfect place to begin building your data-safe mobile usage routine.
If you're using an older version of Android, you'll need to allow software from unknown sources via System Settings. But if you're running Android 8 Oreo (or later), you've got a handy new setting we recommend enabling which allows only certain apps (like F-Droid and the Play store) to install APKs. This keeps other applications such as email clients from silently installing malware via hijacked attachments.
We recommend that F-Droid adopters stick to APKs found in F-Droid's app store, in order to ensure you're installing only those apps which have cleared a strict security screening. If you'd like to use both F-Droid and the Play store, we recommend enabling Google Play Protect if you haven't already.
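Sticking to APKs from F-Droid's own catalog is easier to enforce if you check a downloaded file against what the repository says it should be before you install it. The script below is an added example, not F-Droid's code or CNET's: it hashes an APK with SHA-256 and compares the digest to the one published in a repository index, refusing the file on a mismatch, on a missing package entry, or on a weaker digest type. The index layout is a constructed stand-in modeled on F-Droid's index-v1.json ("packages" mapping to a list of builds with "hash" and "hashType" fields), the APK bytes are placeholders, and the package name org.example.notes is made up; it also assumes the index itself was fetched over an authenticated channel, since a hash from a tampered index proves nothing.

```python
"""Verify a downloaded APK against a repository index before sideloading it.

Added example: checks that the APK's SHA-256 digest matches the digest the
repository index publishes for that package, so a file substituted in transit
or served by a bad mirror is refused.  The index layout is a constructed
stand-in modeled on F-Droid's index-v1.json ("packages" -> list of builds with
"hash"/"hashType"), not real repository data.
"""
import hashlib
import json

# Constructed placeholder APK bytes (not a real application archive).
GOOD_APK = b"PK\x03\x04 constructed placeholder APK contents"
TAMPERED_APK = GOOD_APK + b" extra bytes appended after publication"

# Constructed index: one package (hypothetical id) with two published versions.
REPO_INDEX_JSON = json.dumps({
    "packages": {
        "org.example.notes": [
            {"apkName": "org.example.notes_11.apk", "versionCode": 11,
             "hashType": "sha256",
             "hash": hashlib.sha256(b"older build, constructed").hexdigest()},
            {"apkName": "org.example.notes_12.apk", "versionCode": 12,
             "hashType": "sha256",
             "hash": hashlib.sha256(GOOD_APK).hexdigest()},
        ]
    }
})


def expected_digest(index_json, package_id, version_code=None):
    """Return (hashType, hash) the index publishes for a package version.

    With no version_code the newest versionCode is used.  Raises KeyError if
    the package or the requested version is not in the index.
    """
    builds = json.loads(index_json)["packages"][package_id]
    if version_code is None:
        build = max(builds, key=lambda b: b["versionCode"])
    else:
        matches = [b for b in builds if b["versionCode"] == version_code]
        if not matches:
            raise KeyError(f"{package_id} versionCode {version_code} not in index")
        build = matches[0]
    return build["hashType"].lower(), build["hash"].lower()


def verify_apk(index_json, package_id, apk_bytes, version_code=None):
    """Return (ok, reason).

    ok is True only when the APK's SHA-256 digest equals the published one.
    Unknown packages/versions and digest types other than SHA-256 are refused.
    """
    try:
        hash_type, published = expected_digest(index_json, package_id, version_code)
    except KeyError as exc:
        return False, f"not in index: {exc}"
    if hash_type != "sha256":
        return False, f"refusing weak digest type {hash_type!r}"
    actual = hashlib.sha256(apk_bytes).hexdigest()
    if actual != published:
        return False, "digest mismatch: APK differs from the published build"
    return True, "digest matches index"


if __name__ == "__main__":
    for label, data in (("good", GOOD_APK), ("tampered", TAMPERED_APK)):
        ok, reason = verify_apk(REPO_INDEX_JSON, "org.example.notes", data)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

The check is deliberately strict in one direction: an APK that matches an older published version still fails when you ask for the newest one, so a downgraded build is not silently accepted. It complements, rather than replaces, Android's own APK signature verification at install time.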
It's not a magic shield, but it acts as a first line of defense by tapping into Android's suite of built-in security controls to screen apps you install from both inside and outside of the Play store. But, Play Protect isn't enough. You should also use at least one of the other 16 non-Google security apps that outperformed Play Protect when AV Test fired 18,000 rounds of malware at them during last year's marathon.
Open source software offers better overall security odds.
A stringent security auditing process for apps ensures you don't get tracked.
No hidden costs in apps, and greater customization of each app.
Without a visible rating system, you may have to poke around and experiment to find the best apps.
There are only about 2,600 apps in F-Droid, compared to more than 2.5 million in the Play store. Worth noting here is a Play store filtration app approved by F-Droid, Yalp. It allows you to search Play store apps while filtering out those with ads, hidden costs and a history of blacklisting, and then directly download each app's APK files from the Play store.
Most of your F-Droid apps will have to be manually updated, while Play store apps tend to be automatically updated.
For those looking to stay within the bounds of the Play store, Android's 31-page official 2019 security and privacy report may offer reason for optimism. Despite a reported 0.02% to 0.04% year-on-year increase in potentially harmful applications (PHAs) downloaded from the Play store, Google attributes much of this increase to improvements in its own tracking methods, including the wider implementation of Play Protect, which it says now scans over 50 billion apps every day across more than 2 billion devices. Google has also taken seemingly good-faith action in bouncing hundreds of thousands of malicious apps from its ranks, and says it tightened security further by rejecting 55% more apps' requests to join the Play store.
This year's report also found that "only 0.08% of devices that exclusively used Google Play had one or more PHAs installed (unchanged from last year). In contrast, 0.68% of devices that installed apps from outside of Google Play were affected by one or more PHAs in 2018."
CNET asked what portion of that 0.68% were F-Droid users, and whether Google had any further security advice for users who want to try out apps outside of the Play store. Google responded by redirecting CNET to a help center article, and advised users to download apps from the Google Play store to avoid risks to personal information.
Editors' note: While using a third-party app store like F-Droid to get apps rather than the Google Play store can give you more control and better privacy and security, it also takes more diligence. It's for power users. Installing any third-party apps on Android is still something you have to do at your own risk. So, make sure you're comfortable taking that risk.