Aptoide, a Lisbon-based Android app store, launched a new campaign alleging that Google’s built-in security system, Play Protect, issued a warning to its users about Aptoide’s own application being harmful, in order to stifle Aptoide’s growth as an alternative to Google Play. Aptoide pointed to an academic study from Tokyo as evidence of its digital integrity. The study was conducted by Japan’s ABCC prestigious Waseda University and NTT Secure Platform Laboratories, a division of the Nippon Telegraph and Telephone Laboratories, and offers a rare academic view into the security of third party platforms.
With third party app stores ascending, security has become an increasingly important topic. The Google Play Store has long been the dominant application marketplace on Android but recently, a number of western third party app stores and regionally-focused app stores have been increasingly in popularity and competing with Google’s own store. This has created questions about security and competition that academics have tried to answer.
An Emerging Ecosystem
Many of the app stores in question are western alternative app stores like Aptoide and Getjar who are directly competing with Google Play by offering different app store concepts and content that the Play Store has excluded. Many other app stores are country or region-based such as Russia’s Yandex, the Vietnam-based platform Appvn, Cafe Bazaar which caters to Persian-speaking audiences in the Middle East and many Chinese app stores including the Tencent’s app store, Baidu app store, Xiaomi’s app store, Anzhi and AppChina among others.
The English language western-produced app stores are increasingly getting traction among more sophisticated consumers looking for alternatives and regionally-focused third party app stores have the distinct advantage of being tailored to the language, culture and taste of local markets.
Academic Evaluations of App Store Security
The study assesses security across 27 Android app stores and concludes that the oft cited assumption that the most commonly used platforms are the most secure is simply wrong. It concludes that FDroid has the lowest rate of adware or malware among third party app stores but it also says that this is unsurprising considering the limited nature of the app store. As the authors put it “This observation seems to be natural given the nature of the marketplace.” In other words, FDroid is an open source community that hosts a select number of apps that are designed in a specific way. That bodes well for its security but also means it only has about 2,600 applications and is of limited use to the average user looking for consumer choice and selection.
Among the rest, the app store with the highest benign rate was Cafe Bazaar, the largest app store in Iran with over 40 million users. Cafe Bazaar’s applications are mostly made domestically in Iran, and are specifically tailored for that market, so many of its offerings were being exposed to the western anti-virus tools used by digital security researchers for the first time in the context of this study. The authors stated that “It is interesting that Cafebazaar, whose not-scanned rate was the highest, had the highest benign rate” and that “Cafebazaar has an index close to that of Google Play”, referring to the security index they devised to evaluate the relative security of third party platforms and the Play Store itself.
The authors give the best security index to Aptoide, something the Portuguese app store has been fond of advertising during its Play Fair campaign. Google’s own Play Store, Cafe Bazaar and Spain-based UptoDown follow in a virtual tie for second place while the Baidu app store had the highest index among Chinese app stores. Admittedly, the study has certain limitations. China’s more prominent app stores like Tencent and Huawei’s app stores were not even included in this study. The authors are not shy about acknowledging their own limitations and call for further research on different aspects of this issue. As the Android ecosystem becomes more complicated and diverse, it’s important to pay close attention to the security of the ecosystem and companies like Aptoide will be sure to remind us not to concede this role entirely to Google’s own authorities.