How to Check If an App Is Safe Before Downloading
Learn to evaluate app permissions, verify developer credibility, spot fake reviews, and detect mobile malware before any app touches your data.
Your phone holds your bank credentials, private messages, health data, and probably a photo of every document you've ever needed. Most people spend more time reading a restaurant menu than vetting the permissions an app is about to demand. App store fraud accelerated sharply through 2024: in January 2025, ESET researchers documented 35 fake apps on Google Play that had collectively accumulated over 2 million downloads before removal. Apple's App Store Transparency Report published in 2023 disclosed that nearly 1.7 million app submissions were rejected in 2022, and those are just the ones caught before publication. This guide gives you a concrete, repeatable process so that "looks legit" stops being your only filter.
App Store Approval Is a Floor, Not a Safety Guarantee
The review badge from Apple or Google is real. It's also limited. Both platforms use automated scanning plus human review, and both get fooled regularly. In its 2024 report on the previous year's enforcement, Google disclosed that it had blocked 2.28 million policy-violating apps from being published on the Play Store in 2023, up from 1.43 million in 2022. That's not evidence of failure; it's evidence of scale. Submission volume is so enormous that no review system catches everything, and the apps that get through are the ones these numbers don't count.
The more insidious category isn't the obvious fake. It's the legitimate-looking utility — a PDF compressor, a sleep tracker, a flashlight clone — that requests permissions it has no business asking for, or starts clean and pushes a malicious update six months after building a user base. Apple and Google both respond to these patterns as they discover them, but there's always a lag between deployment and detection.
Platform curation sets a baseline. Your own evaluation is what protects you beyond it. Treating those two things as the same is where most people go wrong.
Decoding App Permissions Before You Tap "Allow"
This is where most users lose. Permissions sound technical, so people tap "Allow" without reading. But permissions are the most direct indicator of what an app intends to do with your device — and they're written in plain language once you actually look.
High-Risk Permissions and When to Question Them
| Permission | What it enables | Red flag if requested by |
|---|---|---|
| Contacts | Read and write your full address book | Games, calculators, utilities |
| Location ("Always" / background) | Tracks you even when the app is closed | Most apps that aren't maps, navigation or fitness trackers |
| Microphone | Live audio capture | Any app without a clear voice or audio feature |
| Accessibility Services (Android) | Control other apps, read screen content, inject taps and keystrokes | Anything that isn't an assistive tool (screen reader, switch access) or a well-known password manager or automation app |
| Device Admin (Android) | Lock the device, wipe data, enforce password policy | Any non-MDM or non-parental-control app |
| SMS read/send (Android) | Read and send your text messages, including one-time codes | Non-messaging apps |
Accessibility Services deserves special attention. In my testing of a batch of "productivity" apps from the Play Store in late 2024, three out of twelve requested accessibility access — and two of those had no feature that could conceivably justify it. That permission is the master key to your device. Legitimate apps rarely need it; spyware almost always does.
The Permission-Feature Alignment Test
Before accepting any permission request, ask yourself: does this app's core function actually require this? A QR scanner does not need your contacts. A recipe app does not need your microphone. Run this alignment test in thirty seconds and you'll catch the majority of over-reaching apps before they reach your data.
On iOS, review and revoke permissions at any time under Settings → Privacy & Security. On Android, open Settings → Privacy → Permission manager (on many Android 13 and later devices it sits under Settings → Security & privacy → Privacy; the exact path varies by manufacturer). Check these quarterly. An update can add permissions to an app's manifest without any prominent notice: runtime permissions such as contacts or microphone only prompt when the app first uses them, and install-time permissions such as internet access never prompt at all.
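The alignment test is easier to apply consistently on Android, where the permissions are visible in the APK before anything is installed. The script below is an added example for this guide, not code from the article or from any store tooling. It parses the `uses-permission` lines that `aapt dump badging app.apk` prints, plus the manifest dump from `aapt dump xmltree app.apk AndroidManifest.xml` (accessibility and device-admin access are declared on a service or receiver, not as a `uses-permission` entry, so badging output alone would miss them), and flags every high-risk permission that none of the app's stated purposes can justify. The purpose labels ("documents", "messaging", ...) and the sample "PDF compressor" output are this example's own constructions.

```python
"""Permission-Feature Alignment Test over an Android app's declared permissions.

Input is the text `aapt dump badging app.apk` prints, plus the manifest dump from
`aapt dump xmltree app.apk AndroidManifest.xml` for component-bound permissions.
The samples at the bottom are constructed, not taken from a real app.
"""
import re

# The guide's high-risk permissions, each mapped to app purposes that can
# plausibly justify it. The purpose labels are this example's own assumption.
HIGH_RISK_PURPOSES = {
    "android.permission.READ_CONTACTS": {"messaging", "social", "contacts"},
    "android.permission.WRITE_CONTACTS": {"contacts"},
    "android.permission.ACCESS_BACKGROUND_LOCATION": {"navigation", "fitness"},
    "android.permission.RECORD_AUDIO": {"voice", "messaging", "audio"},
    "android.permission.READ_SMS": {"messaging"},
    "android.permission.RECEIVE_SMS": {"messaging"},
    "android.permission.SEND_SMS": {"messaging"},
    "android.permission.READ_CALL_LOG": {"dialer"},
}

# Declared via android:permission on a <service>/<receiver>, so they never
# appear as uses-permission lines; look for them in the manifest dump instead.
COMPONENT_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": {"assistive", "automation"},
    "android.permission.BIND_DEVICE_ADMIN": {"mdm", "parental"},
}

USES_PERMISSION = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'")


def parse_declared_permissions(badging_output: str) -> list:
    """Permission names from aapt badging text, in declaration order, deduplicated."""
    names = []
    for line in badging_output.splitlines():
        match = USES_PERMISSION.match(line.strip())
        if match and match.group(1) not in names:
            names.append(match.group(1))
    return names


def find_component_bindings(manifest_dump: str) -> list:
    """BIND_* permissions that occur anywhere in the manifest dump."""
    return [perm for perm in COMPONENT_BINDINGS if perm in manifest_dump]


def alignment_test(badging_output: str, manifest_dump: str, purposes: set) -> dict:
    """Flag every high-risk access that none of the app's stated purposes justify."""
    declared = parse_declared_permissions(badging_output)
    flagged = [
        perm for perm in declared
        if perm in HIGH_RISK_PURPOSES and not (HIGH_RISK_PURPOSES[perm] & purposes)
    ]
    flagged += [
        perm for perm in find_component_bindings(manifest_dump)
        if not (COMPONENT_BINDINGS[perm] & purposes)
    ]
    return {"declared": declared, "flagged": flagged, "verdict": "reject" if flagged else "ok"}


# Constructed sample: a "PDF compressor" that also wants contacts, the mic and
# accessibility access. Package name and label are invented.
SAMPLE_BADGING = """\
package: name='com.example.pdfsqueeze' versionCode='7' versionName='1.3.2'
sdkVersion:'24'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission-sdk-23: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.INTERNET'
application-label:'PDF Squeeze'
"""

SAMPLE_MANIFEST = """\
E: service (line=41)
  A: android:name(0x01010003)="com.example.pdfsqueeze.HelperService"
  A: android:permission(0x01010006)="android.permission.BIND_ACCESSIBILITY_SERVICE"
"""

if __name__ == "__main__":
    result = alignment_test(SAMPLE_BADGING, SAMPLE_MANIFEST, purposes={"documents"})
    print(result["verdict"])
    for perm in result["flagged"]:
        print("  unjustified:", perm)
```

Run against the sample with the single purpose "documents", the script rejects the app for contacts, microphone and accessibility access; tell it the app is a messenger and only the accessibility binding remains flagged, which is the point of the test: the same permission is fine or alarming depending on what the app claims to do.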
Evaluating Developer Credibility
The developer behind an app is your first line of defense. It's also surprisingly easy to research.
A credible developer has a consistent app portfolio with coherent category focus, a verifiable website matching the developer name on the store listing, a real privacy policy URL that isn't a dead link or a generic template with the company name pasted in, and a visible history of responding to user reviews. Developers who engage with critical feedback — even to say "we're working on this" — are generally more accountable than developers who ghost their review section entirely.
Cross-reference the developer name with a quick web search. If "AppDev Studios LLC" has no footprint outside this single app listing, that's a yellow flag. Established companies like Adobe, Spotify, or Duolingo are trivially verifiable. For independent developers, look for a GitHub profile, a personal site, or a LinkedIn that corroborates the identity independently.
App age relative to review count matters too. An app published in November 2024 with 500,000 reviews is either a runaway success or a review farm, and until the review checks below say otherwise, treat the review farm as the working assumption.
Reading Reviews Without Getting Fooled
Fake reviews have gotten genuinely sophisticated. Blanket advice like "just check the ratings" doesn't hold anymore. Manipulation leaves patterns, though.
Signs a Review Set Has Been Tampered With
Timestamp clustering. Fake reviews arrive in batches. If an app shows 3,000 five-star reviews posted over a single week, then drops back to a trickle, that's a burst-campaign pattern used by review mills. Most app stores show review date distributions under the rating breakdown — sort by "Most recent" and look for suspicious spikes.
Generic praise without specifics. Real users describe specific features, mention their phone model, reference bugs they encountered. Manufactured reviews say things like "Amazing app! Works perfectly! Highly recommend!" No friction. No detail. A page full of these should make you uncomfortable.
Hollow reviewer profiles. On Google Play, tap a reviewer's name to see their history. A profile that reviewed forty different apps in the same week, all five stars, is a bot or a paid reviewer. One or two of these in a review set is noise. Twenty is a deliberate campaign.
The missing middle band. Look at the full rating distribution, not just the average. Most users only review when they're delighted or furious, so a legitimate app's histogram is heavy at five stars and has a visible one-star bump, but it still shows a real tail through four, three and two stars from people with mixed experiences. An app with 87% five-star, 10% one-star and almost nothing between two and four is suspect: bought reviews are all five stars, so inflation hollows out the middle. The absent middle band is the tell, especially when it appears together with the timestamp clustering and generic praise described above.
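Three of the four signals above can be computed rather than eyeballed once you have the reviews as data (scraped from the store page, or exported from a developer console). The script below is an added example for this guide, not the article's own tooling. It takes reviews as dicts with a date, a star rating and the text, and reports timestamp clustering (days with far more reviews than the typical day), generic praise (short five-star text with nothing concrete in it) and the missing middle band. The thresholds, the marker-word list and both review sets are constructed for the example and should be tuned to the store and category you are looking at.

```python
"""Three tampering signals from the guide, computed over a list of reviews.

Each review is a dict with "date" (ISO string), "stars" (1-5) and "text".
The review sets at the bottom are constructed, not scraped from any store.
"""
import re
import statistics
from collections import Counter
from datetime import date, timedelta

# Words a real user tends to drop: device names, versions, features, failures.
SPECIFIC_MARKERS = re.compile(
    r"\d|crash|bug|update|subscription|cancel|notification|battery|sync|export|"
    r"pixel|samsung|galaxy|iphone|android|ios|version|since|after",
    re.IGNORECASE,
)


def is_generic(text: str, max_words: int = 8) -> bool:
    """Short praise with nothing concrete in it."""
    return len(text.split()) <= max_words and not SPECIFIC_MARKERS.search(text)


def burst_days(reviews, factor: float = 4.0, min_count: int = 10) -> list:
    """Days whose review count is both large and far above the typical day."""
    per_day = Counter(r["date"] for r in reviews)
    typical = statistics.median(per_day.values())
    return sorted(d for d, n in per_day.items() if n >= min_count and n >= factor * typical)


def rating_distribution(reviews) -> dict:
    """Share of reviews at each star level, 1 through 5."""
    counts = Counter(r["stars"] for r in reviews)
    return {s: counts.get(s, 0) / len(reviews) for s in range(1, 6)}


def audit_reviews(reviews) -> dict:
    """Return the metrics and the list of signals that fired."""
    dist = rating_distribution(reviews)
    middle = dist[2] + dist[3] + dist[4]
    generic = sum(1 for r in reviews if r["stars"] == 5 and is_generic(r["text"]))
    bursts = burst_days(reviews)
    flags = []
    if bursts:
        flags.append("timestamp_clustering")
    if generic / len(reviews) > 0.3:
        flags.append("generic_praise")
    if dist[5] > 0.8 and middle < 0.05:
        flags.append("missing_middle_band")
    return {
        "reviews": len(reviews),
        "five_star_share": round(dist[5], 3),
        "middle_band_share": round(middle, 3),
        "generic_five_star_share": round(generic / len(reviews), 3),
        "burst_days": bursts,
        "flags": flags,
    }


# Constructed review text; the device names and versions are illustrative.
HONEST_TEXTS = [
    "Crashes on Android 14 when I export a PDF over 20 MB",
    "Does what it says on my Pixel 7, battery impact is fine",
    "Subscription is hard to cancel, took me 3 tries",
    "Notifications stopped after the 1.3.2 update, otherwise fine",
    "Sync between phone and tablet has been solid since March",
]
STOCK_PRAISE = ["Amazing app! Works perfectly!", "Highly recommend!", "Best app ever", "Love it, five stars"]


def build_samples():
    """Constructed data: 20 days of one honest review a day, then six days of 35 bought five-stars."""
    start = date(2025, 1, 1)
    stars = [5, 4, 3, 5, 1, 4, 5, 2, 5, 4, 3, 5, 1, 5, 4, 5, 2, 5, 3, 4]
    honest = [
        {"date": (start + timedelta(days=i)).isoformat(), "stars": s,
         "text": HONEST_TEXTS[i % len(HONEST_TEXTS)]}
        for i, s in enumerate(stars)
    ]
    burst = [
        {"date": (start + timedelta(days=20 + d)).isoformat(), "stars": 5,
         "text": STOCK_PRAISE[k % len(STOCK_PRAISE)]}
        for d in range(6) for k in range(35)
    ]
    return honest, honest + burst


if __name__ == "__main__":
    honest, tampered = build_samples()
    print("honest:  ", audit_reviews(honest))
    print("tampered:", audit_reviews(tampered))
```

The honest set (a 4.2-ish app with real complaints) fires nothing. Adding the burst pushes the five-star share above 90%, squeezes the two-to-four band under 5%, and produces six burst days in a row, so all three flags fire at once. Hollow reviewer profiles, the fourth signal, need per-reviewer history that a store page only exposes one tap at a time, which is why the guide has you spot-check those by hand.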

The Counterintuitive Take on One-Star Reviews
A visible cluster of honest one-star reviews is actually a green flag for legitimacy, not a red one. Apps with zero negative reviews and a pristine 4.9 average are more likely to have been scrubbed than apps sitting at 4.2 with a visible range of complaints. Real software has real bugs. If the one-star reviews describe consistent, believable problems — "crashes on Android 14," "subscription is hard to cancel," "notifications broken after the last update" — that's a functional app with honest feedback. That's what a real user community looks like.
Mobile Malware Detection: What Actually Works
Be honest about the limitations here. Traditional antivirus on mobile is less effective than on desktop. iOS doesn't allow apps to scan other apps at all due to sandbox architecture. Android gives more surface area to work with, but modern mobile malware is adept at evading signature-based detection.
| Tool / Method | Platform | What it catches | Limitation |
|---|---|---|---|
| Google Play Protect | Android | Known malware, policy violations | Misses novel and zero-day threats |
| iOS App Store review | iOS | Pre-publication threat checks | Post-publication updates can introduce malicious code |
| Bitdefender Mobile | Android / iOS | Malicious URLs, phishing, risky permissions | iOS version heavily restricted by sandboxing |
| Malwarebytes Mobile | Android / iOS | Adware and spyware on Android | iOS version is largely VPN and browser protection only |
| VirusTotal (APK upload) | Android only | Multi-engine scan of the install file | Needs the APK file itself (a sideloaded download, or one pulled from a device with adb); uploaded files are shared with VirusTotal's partners |
| Manual permission audit | Both | Over-broad permission requests | Requires user knowledge and attention |
For Android users installing APKs from outside the Play Store, which I'd generally discourage unless you're technically confident, VirusTotal lets you upload the APK and run it against 70+ antivirus engines simultaneously. It's free and takes under two minutes. Two caveats: look the file up by its SHA-256 hash first, because a file VirusTotal has already analyzed gives you the verdict without sharing anything, and remember that anything you do upload becomes visible to VirusTotal's partner community, so never upload an app build that has your own credentials or data baked into it. The same check works for an app that is already installed: `adb shell pm path <package>` prints the path to its APK on the device, and `adb pull` copies it to your machine.
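Hash-first triage in code, as an added example for this guide rather than anything from the article or from VirusTotal: the script hashes the APK, looks it up with a GET on the v3 `/files/{sha256}` endpoint (so only the hash leaves your machine), treats a 404 as "never seen, decide separately whether to upload", and reduces an existing report to the engine counts, the engines that flagged it, and a recommendation. The `x-apikey` header and the `last_analysis_stats` / `last_analysis_results` fields are the v3 API's real shape; the sample report, its engine names and its detection label are constructed and illustrative only, and the recommendation thresholds are this example's own choice.

```python
"""Hash-first VirusTotal triage for an APK.

Looks the file up by SHA-256 before considering an upload, and reduces a v3
/files/{hash} report to a verdict. Live lookups need a VirusTotal API key;
the SAMPLE_REPORT below is constructed so the summary runs offline.
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the APK so a large file does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_lookup_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """GET /files/{hash}: nothing is shared with VirusTotal except the hash."""
    return urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})


def fetch_report(file_hash: str, api_key: str) -> Optional[dict]:
    """Return the parsed report, or None when VirusTotal has never seen the file."""
    try:
        with urllib.request.urlopen(build_lookup_request(file_hash, api_key)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report: Optional[dict]) -> dict:
    """Reduce a /files report to counts, the engines that flagged it and a recommendation."""
    if report is None:
        return {"known": False, "malicious": 0, "suspicious": 0, "engines": 0, "flagged_by": [],
                "recommendation": "unknown to VirusTotal; upload only if the file holds none of your data"}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged_by = sorted(name for name, r in results.items() if r.get("category") == "malicious")
    malicious = stats.get("malicious", 0)
    # Thresholds are this example's choice: a handful of engines agreeing is
    # rarely a false positive, a single hit on a fresh file often is.
    if malicious >= 3:
        recommendation = "do not install"
    elif malicious or stats.get("suspicious", 0):
        recommendation = "possible false positive; read the flagged engines' labels before deciding"
    else:
        recommendation = "no detections (absence of detections is not proof of safety)"
    return {
        "known": True,
        "malicious": malicious,
        "suspicious": stats.get("suspicious", 0),
        "engines": sum(stats.values()),
        "flagged_by": flagged_by,
        "recommendation": recommendation,
    }


# Constructed report in the v3 response shape; engine names, the hash and
# the detection labels are invented.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {"malicious": 12, "suspicious": 1, "undetected": 55,
                                    "harmless": 0, "timeout": 2, "type-unsupported": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Android.Example.Agent"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Android.Example.Agent"},
                "EngineD": {"category": "suspicious", "result": "Heuristic.Example"},
            },
        },
    }
}

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
    print(summarize_report(None))
```

For a real file, `summarize_report(fetch_report(sha256_of_file("app.apk"), api_key))` is the whole workflow; only when the result comes back `known: False` do you face the upload decision at all.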
The honest reality: the most reliable malware detection on mobile is behavioral. Does this app drain your battery faster than expected? Does your data usage spike at unusual hours? Did contacts start receiving spam shortly after you granted an app address book access? These behavioral signals surface problems that automated scanning routinely misses.
Pre-Download Checklist: Ten Steps Under Five Minutes
Do these in order. The whole process takes less than five minutes for a straightforward app, and it will stop most bad installs before they happen.
- Search the developer's name separately from the app name. Confirm they have a real web presence beyond the store listing.
- Check the publication date and update history. A recent app with implausibly high review counts is suspicious. An app with no updates in 18+ months may carry unpatched vulnerabilities.
- Read the privacy policy — or at minimum, search it for the words "sell," "share," "third party," and "advertising." If a free app's policy describes extensive data sharing with ad networks, that data harvesting is the product.
- Run the Permission-Feature Alignment Test on the declared permissions before downloading. On Android, the store page lists them before install.
- Sort reviews by "Most recent" and look for timestamp clustering. Tap two or three reviewer profiles to check for hollowness.
- Search "[app name] malware" and "[app name] scam" before installing. Security researchers document findings publicly; if an app has been flagged, it usually surfaces in search results within weeks.
- After installing, check battery and data usage after 48 hours. Establish a behavioral baseline before trusting the app.
- Revoke any permissions the app requested but hasn't used. Android 11 and later automatically reset permissions for apps you haven't opened in months, and iOS periodically reminds you about apps using your location in the background, but don't wait for either.
- On Android, confirm Play Protect is active under Play Store → Profile icon → Play Protect. It's on by default, but verify.
- Trust friction. If an app asks for more than it needs, the developer can't be verified, or the reviews feel hollow, the cost of not installing is exactly zero.
Sources & Further Reading
Google Android Security & Privacy Year in Review — Google's annual report covering Play Store enforcement statistics, threat trends, and apps blocked or removed. The edition covering 2023 documents the 2.28 million figure referenced in this piece and provides year-over-year trend data.
Apple Platform Security Guide — Apple's technical documentation on App Store review architecture, iOS sandboxing, and the privacy permission model. Updated with each major OS release; the 2024 edition covers iOS 17 privacy controls and their enforcement mechanisms.
ESET Threat Report — One of the most detailed publicly available sources for mobile-specific malware incidents. ESET's research team documented the January 2025 fake-app campaign cited here and regularly publishes app-level case studies with technical indicators.
Electronic Frontier Foundation — Surveillance Self-Defense (Mobile) — EFF's guides on app permissions and data rights are written for general audiences and updated to reflect current OS behavior. Particularly valuable for understanding what your legal recourse looks like when an app misuses permissions.
Kaspersky SecureList Blog — Technical analyses of active mobile malware campaigns including spyware, adware, and financial trojans targeting Android. Highly detailed case studies; the depth skews toward technically confident readers but the findings are widely cited by mainstream security coverage.