How to Check If an App Is Safe to Download
Learn to vet any mobile app before installing — check permissions, spot fake reviews, decode iOS privacy labels, and avoid Android sideloading risks.
"Available on the App Store" sounds like a seal of approval. It isn't. Both Google and Apple review apps before listing them, but that process is built to catch obvious malware — not the subtler threats that actually affect most users: apps that quietly harvest your contacts, track your location in the background, or sell your behavioral data to ad brokers you've never heard of. Knowing how to properly evaluate an app before installing takes maybe five minutes. Here's what to actually check, and why the things most people look at first are often the least useful signals.
Why App Store Approval Isn't a Safety Guarantee
App stores do real work. Google's Play Protect scans billions of apps per day, and in 2023 alone Google blocked 2.28 million policy-violating apps from reaching the Play Store. Apple runs its own review process focused heavily on privacy and API misuse. Neither of these is trivial.
But the bar is "does this app violate our rules at the time of submission" — not "is this app actually good for you." Plenty of apps that pass review still harvest data aggressively, request permissions far beyond what they need, or use dark patterns to manipulate users into spending money or sharing information they didn't intend to. Passing review is a floor, not a ceiling.
There's also a timing problem. An app can pass review cleanly, accumulate millions of users, then push an update six months later that quietly adds tracking SDKs or changes its data-sharing arrangements. Unless you're checking changelogs — and almost nobody does — you won't know.
The better mental model: treat app stores as a marketplace with a security guard at the door, not a quality seal on the product. For a broader look at how Android and iOS differ in their underlying approach to these controls, Android vs iOS App Quality: The Real Differences is worth reading alongside this.
App Permissions: What Each One Actually Means
This is where most users tune out. On current Android and on iOS, the sensitive permissions are requested at runtime, the first time the app touches your camera or your location, so the prompt arrives exactly when you want the feature to work, and people tap "Allow" to get on with it. Understandable. Also a mistake: the store listing told you what the app would ask for before you installed it, and almost nobody reads that part.
The Permissions That Should Raise Immediate Red Flags
Not all permissions are equal. A mapping app needs your location. A photo editor needs camera access. The problem starts when an app requests permissions that have no logical connection to its stated purpose.
| Permission | Legitimate use case | Suspicious if requested by |
|---|---|---|
| Location (always on) | Navigation, weather | Flashlight, calculator, games |
| Contacts | Messaging, dialer apps | VPN tools, utility apps, games |
| Microphone | Voice/video calls | Shopping apps, wallpaper apps |
| Camera | Photo and video apps | PDF readers, productivity tools |
| SMS access | Two-factor auth apps, messaging | Most other categories |
| Accessibility service | Screen readers, some password managers | "Booster" apps, third-party keyboards |
Accessibility service deserves special attention. It grants near-complete control over your device — it can read everything displayed on screen, simulate touches, and intercept keyboard input. Legitimate uses exist, including tools for users with disabilities and reputable password managers (a topic worth its own research, covered in How to Choose a Password Manager App in 2026). But it's also the most abused permission on Android, frequently exploited by spyware and banking trojans posing as utility apps.
How to Check Permissions Before Installing
On Android: open the Play Store listing, scroll to "About this app," and expand "App permissions." That is the full list of permissions the app declares in its manifest, visible before you install a single byte. The listing's "Data safety" section, which the developer fills in, is the Android counterpart of Apple's privacy label.
On iOS: the App Store Privacy Nutrition Label (covered below) gives you an overview pre-install; there is no up-front permission list, because iOS asks for each permission at first use. Post-install, Settings → Privacy & Security lists each permission category and which apps have asked for it.
In my testing of a popular free flashlight app in March 2025, it requested camera access (fair), microphone access (no explanation given), and permission to read device identifiers — which exist specifically for cross-app advertising tracking. Three permissions, one legitimate. I deleted it.
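One way to run the table above against a real package, as an added example rather than anything from the page or from Google's own tooling: collect every `android.permission.*` name from an APK dump and flag the sensitive ones that the app's stated purpose does not explain. The grouping of permissions and the purpose-to-permission map are assumptions made for this example, built from the table; the dump text is constructed in the shape that `aapt2 dump badging` and `aapt dump xmltree` print. The accessibility-service line is included because that capability shows up on the service declaration in the manifest, not as a `uses-permission` entry, so a scanner that only reads `uses-permission` lines misses it.

```python
"""Flag Android permissions that do not fit an app's stated purpose.

Feed vet() the text of `aapt2 dump badging app.apk`, of
`aapt dump xmltree app.apk AndroidManifest.xml`, or of
`adb shell dumpsys package <pkg>`; every android.permission.* token in
the text is collected, whichever tool produced it.
"""
import re
from dataclasses import dataclass, field

# Permissions whose presence needs a reason. The first group prompts the
# user at runtime; the last five are granted through Settings and hand
# over far more control. Grouping is an assumption for this example.
SENSITIVE = {
    "ACCESS_FINE_LOCATION": "location",
    "ACCESS_COARSE_LOCATION": "location",
    "ACCESS_BACKGROUND_LOCATION": "location (always on)",
    "READ_CONTACTS": "contacts",
    "RECORD_AUDIO": "microphone",
    "CAMERA": "camera",
    "READ_SMS": "sms",
    "RECEIVE_SMS": "sms",
    "SEND_SMS": "sms",
    "READ_CALL_LOG": "call log",
    "READ_PHONE_STATE": "phone state / identifiers",
    "BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "BIND_DEVICE_ADMIN": "device admin",
    "SYSTEM_ALERT_WINDOW": "draw over other apps",
    "REQUEST_INSTALL_PACKAGES": "install other apps",
    "PACKAGE_USAGE_STATS": "usage access",
}

# What each kind of app can plausibly justify (mirrors the table above;
# camera is allowed for a flashlight because torch control goes through
# the camera API). Assumed mapping for this example.
EXPECTED = {
    "navigation": {"location", "location (always on)"},
    "messaging": {"contacts", "microphone", "camera", "sms"},
    "camera": {"camera", "microphone"},
    "flashlight": {"camera"},
    "game": set(),
    "password manager": {"accessibility service"},
}

PERM_RE = re.compile(r"android\.permission\.([A-Z_]+)")


@dataclass
class Verdict:
    declared: list[str]
    unexplained: list[str] = field(default_factory=list)  # sensitive, no fit
    high_control: list[str] = field(default_factory=list)  # near-total control


def declared_permissions(dump: str) -> list[str]:
    """Unique permission names in the dump, in first-seen order."""
    seen: dict[str, None] = {}
    for name in PERM_RE.findall(dump):
        seen.setdefault(name, None)
    return list(seen)


def vet(dump: str, purpose: str) -> Verdict:
    perms = declared_permissions(dump)
    verdict = Verdict(declared=perms)
    allowed = EXPECTED.get(purpose, set())
    for p in perms:
        meaning = SENSITIVE.get(p)
        if meaning is None:
            continue  # ordinary permission such as INTERNET
        if meaning in ("accessibility service", "device admin", "install other apps"):
            verdict.high_control.append(p)
        if meaning not in allowed:
            verdict.unexplained.append(p)
    return verdict


# Constructed sample: badging output for a "flashlight" app, followed by
# the xmltree lines that reveal an accessibility service declaration.
SAMPLE_FLASHLIGHT = """\
package: name='com.example.torch' versionCode='12' versionName='1.4'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
    E: service (line=40)
      A: android:permission(0x01010006)="android.permission.BIND_ACCESSIBILITY_SERVICE"
"""

if __name__ == "__main__":
    result = vet(SAMPLE_FLASHLIGHT, "flashlight")
    for p in result.unexplained:
        print(f"unexplained: {p} ({SENSITIVE[p]})")
    for p in result.high_control:
        print(f"HIGH CONTROL: {p}")
```

Run it on the sample and the flashlight comes back with microphone, phone state and an accessibility service it cannot explain, while the same dump vetted as a "messaging" app would only be questioned for the last two. Changing the purpose is the whole point: the permission is not suspicious in itself, the mismatch is.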
How to Spot Fake Reviews — Before They Fool You
App reviews are broken. Not entirely, not always, but enough that you need a filter before trusting what you read. The fake review economy is substantial: a 2024 investigation by Which? (the UK consumer group) found sellers offering 1,000 five-star Play Store reviews for as little as $10. That's not a gray area — it's direct manipulation of the signal you're relying on to make decisions.
Signs a Review Section Has Been Gamed
Volume spikes: Look at the review history graph if the platform shows one. Real apps accumulate reviews gradually. An app that went from 200 to 8,000 reviews in two weeks is a red flag — this is a known signature of paid review campaigns.
Identical language patterns: Read 15-20 reviews at random, not the featured ones. Fake reviews often originate from the same content farms and recycle phrases like "amazing app, works perfectly" or "easy to use, highly recommend." Real reviews have friction — specific features mentioned, specific bugs complained about, comparisons to other apps they've used.
No critical reviews at all: Any real app with significant user numbers will have 1-star and 2-star reviews. Bugs, crashes, UI complaints, billing disputes — these are inevitable at scale. An app with 50,000 reviews and a 4.9 average has almost certainly been manipulated. The more users, the more edge cases, the more unhappy people. Perfection at that scale doesn't exist in software.
Single-review accounts: Tap through to a handful of reviewer profiles. Accounts that have posted exactly one review — five stars, no other history — are a common indicator of fake-account campaigns.
Here's the counter-intuitive part: an app sitting at 4.2 stars with 30,000 reviews is often more trustworthy than a 4.9 with 300,000. The messiness of a 4.2 rating signals that real, diverse users left real opinions. Perfect scores at massive scale are almost always a performance, not a genuine signal.
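The four signals above can be scored mechanically once you have the reviews in hand. The following is an added example, not tooling from the page or from either store: it takes a batch of reviews and reports a volume-spike ratio, the share of reviews carrying recycled phrasing (word trigrams shared by three or more reviews), the share of critical reviews, and the share from accounts with exactly one review. The review list is constructed for the example, and the thresholds are judgement calls rather than published constants.

```python
"""Score a batch of app-store reviews for the manipulation signatures
described above: a sudden volume spike, recycled phrasing, a missing
critical tail, and reviewers whose only review is this one.

The review list below is constructed for this example; real input would
come from an export or a scraper.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Review:
    day: date
    stars: int
    text: str
    author_review_count: int  # total reviews this account has ever posted


def _trigrams(text: str) -> set:
    """Word trigrams of a review, lower-cased, punctuation dropped."""
    w = re.findall(r"[a-z']+", text.lower())
    return {tuple(w[i:i + 3]) for i in range(len(w) - 2)}


def volume_spike(reviews, window_days=7):
    """Busiest window divided by the median window. Organic growth sits
    near 1; a paid campaign produces one bucket far above the rest."""
    if not reviews:
        return 0.0
    days = sorted(r.day for r in reviews)
    start = days[0]
    buckets = Counter((d - start).days // window_days for d in days)
    n_windows = (days[-1] - start).days // window_days + 1
    counts = [buckets.get(i, 0) for i in range(n_windows)]
    med = statistics.median(counts)
    return max(counts) / med if med else float(max(counts))


def recycled_phrases(reviews, min_reviews=3):
    """Trigrams that appear in at least min_reviews distinct reviews."""
    doc_freq = Counter()
    for r in reviews:
        doc_freq.update(_trigrams(r.text))  # a set, so one count per review
    return {t for t, c in doc_freq.items() if c >= min_reviews}


def assess(reviews):
    n = len(reviews)
    recycled = recycled_phrases(reviews)
    tainted = sum(1 for r in reviews if _trigrams(r.text) & recycled)
    s = {
        "volume_spike": volume_spike(reviews),
        "critical_share": sum(r.stars <= 2 for r in reviews) / n,
        "recycled_share": tainted / n,
        "single_review_share": sum(r.author_review_count == 1 for r in reviews) / n,
        "recycled_phrases": sorted(" ".join(t) for t in recycled),
    }
    # Thresholds are judgement calls for this example, not industry constants.
    s["suspicious"] = (
        s["volume_spike"] >= 5
        or (n >= 50 and s["critical_share"] == 0)
        or s["recycled_share"] >= 0.3
        or s["single_review_share"] >= 0.5
    )
    return s


# Constructed sample: seven organic reviews spread over weeks, then a burst
# of eight five-star reviews in one weekend from single-review accounts.
SAMPLE_REVIEWS = [
    Review(date(2025, 1, 3), 4, "Does what it says but the widget crashes after the latest update.", 7),
    Review(date(2025, 1, 10), 2, "Battery drain got worse since version 1.4, switched to another one.", 3),
    Review(date(2025, 1, 17), 5, "Finally a torch that turns on instantly, no ads on the lock screen.", 12),
    Review(date(2025, 1, 24), 1, "Why does a flashlight need my microphone? Uninstalled.", 5),
    Review(date(2025, 1, 31), 3, "Works fine, the strobe mode is pointless though.", 2),
    Review(date(2025, 2, 7), 4, "Good enough, would like a brightness slider.", 9),
    Review(date(2025, 2, 21), 4, "Update fixed the crash, thanks.", 7),
] + [
    Review(date(2025, 2, 9), 5, "Amazing app, works perfectly!", 1) for _ in range(3)
] + [
    Review(date(2025, 2, 10), 5, "Easy to use, highly recommend.", 1) for _ in range(3)
] + [
    Review(date(2025, 2, 10), 5, "Amazing app works perfectly, easy to use highly recommend", 1) for _ in range(2)
]

if __name__ == "__main__":
    for k, v in assess(SAMPLE_REVIEWS).items():
        print(f"{k}: {v}")
```

On the sample, the burst week carries nine times the median weekly volume, every burst review shares a trigram with at least four others, and more than half the batch comes from single-review accounts; the first seven reviews alone trip none of the checks. Trigram overlap is deliberately crude, since fake reviews rarely bother to vary wording, but it will also catch a genuine phrase everyone uses ("does what it says"), so read the phrase list rather than trusting the share on its own.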
For a more complete framework on evaluating app quality signals beyond reviews alone, How to Evaluate Mobile App Quality Before Downloading covers what else to look at.
iOS Privacy Labels: What Apple's Nutrition Facts Actually Tell You
Apple introduced App Privacy Labels in December 2020, requiring every App Store listing to display a structured breakdown of data collection — modeled loosely after the nutrition labels on food packaging. For iOS users, this is one of the most useful pre-install tools available, even if it's imperfect.
Breaking Down the Three Categories
Apple organizes the disclosure into three buckets:
- Data used to track you — data shared with third-party advertisers or data brokers, including across other apps or websites you use. This is the highest-concern category.
- Data linked to you — data the app collects and associates with your identity (account, device, or profile), even if not shared externally.
- Data not linked to you — data collected anonymously, or only for that session, with no persistent tie to your identity.
A social media app or free game with a long "Data used to track you" section is doing exactly what you'd expect — that's the business model. A banking app or children's app with the same section is a much more serious problem, and worth escalating with the developer or finding an alternative.
What the Labels Don't Actually Verify
Developers self-report this information. Apple does not independently audit every privacy label before publishing. A 2022 study from researchers at Oxford and Carnegie Mellon analyzed 1.3 million apps and found roughly 40% of developer-reported labels appeared inconsistent with the apps' actual network behavior.
That doesn't make the labels useless — they shift legal responsibility onto developers, and significant misreporting risks removal from the store. Treat them as a starting signal, not a verified fact.
Android Sideloading: The Real Risks, Properly Explained
Sideloading — installing an APK file from outside the Play Store — is a topic that gets simultaneously overhyped as dangerous and underdiscussed in terms of actual mechanics. The nuance matters if you're going to make an informed decision.
Why Sideloading Exists
Google allows sideloading because Android is built to be open. Legitimate use cases include installing apps from trusted alternative stores like F-Droid (which hosts open-source apps with no tracking SDKs), accessing region-locked apps, or installing beta builds of software you already use and trust from the developer directly.
The danger arrives when people sideload apps from random APK mirror sites because an app costs money on the Play Store and they want it free. Cracked APKs from unofficial sources are one of the most consistent vectors for Android malware — the original app is repackaged with malicious code inserted, then distributed on sites that rank for "[app name] APK free download."
A Quick Risk Framework
| Source | Risk level | What you're trusting |
|---|---|---|
| F-Droid | Low | Community-audited open source apps |
| Official developer website | Low-Medium | You verified the URL and HTTPS cert |
| Amazon Appstore | Low-Medium | Amazon's separate review process |
| APKMirror | Medium | Signature verification, not code auditing |
| Random APK download sites | High | Nothing — avoid entirely |
| Cracked or modded APKs | Very High | Never, under any circumstances |
APKMirror is worth explaining separately. It verifies that APK signatures match the original developer's signing certificate — meaningful protection that confirms the package hasn't been altered after the developer signed it. It doesn't verify the original code is safe, but it does rule out the most common tampering scenario.
One practical rule: if you do sideload something, revoke "Install unknown apps" from the app you used as the source (a browser, file manager or messaging app) as soon as you're done. Since Android 8 that setting is granted per source app rather than globally, and it does not let anything install silently: the system installer still shows a confirmation screen for every package. What it does is turn that source app into a standing launch point for installs, which is exactly what a malicious link or attachment needs you to have already said yes to. Leaving it on for a browser you use every day is the real risk.
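Here is a worked version of the check the APKMirror row relies on, as an added example rather than anything from the page or from APKMirror: it parses the output of `apksigner verify --print-certs --verbose` (the verifier in the Android SDK build-tools) and accepts the APK only if it verifies, carries a whole-file v2 or v3 signature, and every signer's SHA-256 fingerprint matches one you pinned. The fingerprint and the apksigner output below are constructed placeholders; a real pin comes from the copy already installed on your phone (`adb shell pm path <package>`, `adb pull` the file, run apksigner on it) or from a fingerprint the developer publishes.

```python
"""Pin a sideloaded APK to the signing certificate you already trust.

Feed parse_apksigner() the text printed by
    apksigner verify --print-certs --verbose app.apk
A match on the certificate SHA-256 shows the package was signed by the
same key as the copy you pinned; it says nothing about whether the key's
owner ships clean code.
"""
import re
import subprocess
from dataclasses import dataclass, field

SCHEME_RE = re.compile(r"Verified using (v\d(?:\.\d)?) scheme.*: (true|false)")
DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})")


@dataclass
class SigReport:
    verified: bool
    schemes: dict = field(default_factory=dict)  # e.g. {"v2": True, "v4": False}
    sha256: list = field(default_factory=list)   # one fingerprint per signer
    warnings: list = field(default_factory=list)


def parse_apksigner(output: str) -> SigReport:
    lines = output.splitlines()
    rep = SigReport(verified=any(ln.strip() == "Verifies" for ln in lines))
    for line in lines:
        m = SCHEME_RE.search(line)
        if m:
            rep.schemes[m.group(1)] = m.group(2) == "true"
        m = DIGEST_RE.search(line)
        if m:
            rep.sha256.append(m.group(1))
        if line.startswith("WARNING"):
            rep.warnings.append(line)
    return rep


def normalize_fp(fp: str) -> str:
    """Accept the colon-separated upper-case form many developers publish."""
    return fp.replace(":", "").replace(" ", "").lower()


def trusted(rep: SigReport, pinned_sha256: str) -> bool:
    """Accept only if apksigner verified the file, a whole-file (v2/v3)
    signature is present (v1 JAR signing covers entries, not the archive),
    and every signer matches the pin."""
    if not rep.verified or not rep.sha256:
        return False
    if not (rep.schemes.get("v2") or rep.schemes.get("v3")):
        return False
    pin = normalize_fp(pinned_sha256)
    return all(digest == pin for digest in rep.sha256)


def verify_apk(path: str, pinned_sha256: str, apksigner: str = "apksigner") -> bool:
    """Run the real tool (needs Android SDK build-tools on PATH)."""
    proc = subprocess.run([apksigner, "verify", "--print-certs", "--verbose", path],
                          capture_output=True, text=True)
    return trusted(parse_apksigner(proc.stdout + proc.stderr), pinned_sha256)


# Constructed placeholder pin, in the colon form a developer might publish.
PINNED = ":".join(["01", "23", "45", "67", "89", "AB", "CD", "EF"] * 4)

# Constructed sample in the shape apksigner prints for a verified APK.
SAMPLE_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Example Dev, O=Example Ltd, C=GB
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    report = parse_apksigner(SAMPLE_OUTPUT)
    print("trusted" if trusted(report, PINNED) else "REJECT", report.sha256)
```

Compare on SHA-256 only; apksigner also prints SHA-1 and MD5 digests, and a fingerprint you find on a forum in one of those forms is not worth pinning to. After installing, `adb shell appops get <source-package> REQUEST_INSTALL_PACKAGES` tells you whether the app you sideloaded from still holds the "Install unknown apps" grant discussed above.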
Checking Developer Credibility in Five Minutes
The app was made by someone. Finding out who that is, and what their track record looks like, takes five minutes and catches a significant number of bad actors that review scores won't flag.
Search the developer name: Run "[developer name] app privacy" and "[developer name] data breach" through a search engine. A 2024 investigation by The Markup identified 47 apps from a single developer that were sharing precise location data with a defense contractor — none of the app listings disclosed this. That kind of reporting surfaces in searches; you just have to look.
Check their full app portfolio: Tap through to the developer's profile in the store. If a developer named something like "Mobile Utility Solutions" has 30 apps with names like "Super Cleaner Pro," "Fast VPN Free," and "Phone Booster Ultra," that's a recognizable pattern. Legitimate developers typically have a coherent product line maintained over time. Quantity-over-quality portfolios in the utility and tool category are heavily associated with adware and data harvesting operations.
Verify the privacy policy: A legitimate developer has a privacy policy that actually explains their data practices — what's collected, why, who it's shared with, and how to request deletion. If the policy link leads to a half-page document that says "we take your privacy seriously" and nothing else, that's a disqualifying signal. GDPR and CCPA both require meaningful disclosures, so a developer with no substantive policy is either non-compliant or based somewhere enforcement doesn't reach.
Look at update history: An app first published in 2019 with 50+ updates shows a living, maintained product. An app published three months ago with zero updates despite user bug reports in the reviews is either already abandoned or never had a real team behind it.
If you're also working through which app to choose among several seemingly similar options, How to Choose the Right Mobile App (Before You Download) covers the selection process from a complementary angle.
Quick Safety Checklist Before You Hit Download
Run through this before installing any app you're not already certain about. It takes five minutes. Skip steps that clearly don't apply, but don't skip them because they feel inconvenient.
- Search the app name plus "privacy" or "data collection" — check for any recent reporting or known complaints.
- Read the permissions list in the store listing — if anything doesn't match the app's function, look for an alternative.
- Open the developer's full profile and look at their other apps — a focused, maintained portfolio is a good sign.
- Read 10-15 reviews sorted by "most recent," not "top reviews" — look for patterns in complaints and flag identical phrasing.
- Check the iOS Privacy Label or Android Data Safety section — focus specifically on "Data used to track you."
- Verify the privacy policy exists and contains real information, not just boilerplate.
- Check the last update date — any network-connected app untouched for 12+ months is a yellow flag.
- On Android, confirm you have "Install unknown apps" disabled unless you have a specific, trusted reason to sideload.
- Search the developer name separately — quick check for incidents, lawsuits, or press coverage.
- When genuinely uncertain, find a paid or well-known alternative — if a feature isn't worth a few dollars, it probably isn't worth the privacy trade-off either.
For a companion resource that approaches this from a slightly different angle, Is That App Safe to Download? A Practical Checklist offers a distinct set of verification steps worth bookmarking alongside this one.
Sources & Further Reading
Google Play — Transparency Report — Google publishes annual data on app removals, Play Protect detections, and policy enforcement at scale. The primary source for understanding what app store security actually catches and doesn't.
Apple — App Store Review Guidelines — The full published ruleset Apple applies during review, including privacy, security, and API usage requirements. Useful for understanding what the review process does and does not evaluate.
The Markup — Independent investigative outlet with ongoing deep-dive reporting into app tracking, data brokers, and mobile advertising ecosystems. Their 2024 reporting on location data sales to third parties is particularly relevant to understanding what "safe" app behavior actually looks like in practice.
Electronic Frontier Foundation (EFF) — Surveillance Self-Defense — EFF's practical guides to mobile privacy, written for non-technical users. Covers app evaluation, permission management, and how to reduce your tracking exposure across both major platforms.
Which? — Fake Reviews Investigation Series — The UK consumer group's ongoing investigation into review manipulation on app stores and e-commerce platforms, including methodology for identifying gamed review sections.