Tuesday, March 22, 2016

alternative markets - How safe is it to use Aptoide?


As with the latest update to Google Play one no longer sees the full list of permissions requested by an app on install/update¹, I feel my privacy invaded. Even worse, an app could sneak in additional permissions with an update, and without the user knowing²,³.


So I'm looking towards alternatives.


TL;DR:


I know we've got "What are the alternative Android app markets?", but a) that's more or less a listing of other markets (without giving backgrounds)⁴, and b) it doesn't even mention Aptoide.


I don't want another app that has to run in background permanently to "check license validity", so things like the Amazon Appstore or AndroidPIT are out. AppBrain is just another front-end to Google Play – so nice as it is, it doesn't solve the issue, as for app installs and updates it just has to re-direct to Google Play – which I'm rather about to "flee".


I've already checked out F-Droid a few days ago, and feel it fits my needs pretty well (follow the link for details) – but with just about 1.200 apps (as of 6/2014) it leaves too many gaps.


Aptoide on the other end is said to serve more than 120.000 apps currently. As the name suggests, it uses APT style repositories, which I'm used to from Linux (Debian and derivatives). It even lets you have your own private repo to share apps between devices (or with friends). All apps are offered for free, so no need for a "license server". But how safe is it for the end-user? I've googled (and ducked) for hours, but could not find any source on this. Instead I found a lot of links of the type "get paid apps for free", "black market", and other piracy-oriented stuff – which is definitely not what I'm after. I'm more than open to pay for good apps⁵, so "getting them for free" is not the intention behind my question. Like F-Droid, Aptoide has multiple repositories – but I couldn't figure out whether there's a "trust-able" main repository like with F-Droid.


There is related information available in the package description (e.g. this one) indicating safety measures such as malware scan, signature validation, and third-party validation. But as the corresponding web page shows, this information seems to be at least partly relying on user feedback (which could be faked/manipulated), or is not even presented to the user (the package info, e.g., names 3 scanners used for checking; I cannot find this info on the web page). While I might be able to look things up via package info, I cannot ask e.g. my 70-plus-year-old parents to do so. On this page, Aptoide also points out how to see results of their security measures, and explicitly states:




Aptoide Anti-Malware platform analyses applications in run-time and disables potential threats across all stores.



(Emphasis mine) – which suggests a malware protection comparable to that of Google Play (how does that go together with those "black market rumors"? Maybe they just don't remove offending apps, but only mark them instead?).


So finally


The question:


Is there a way to safely use Aptoide as source for apps? If so, how?⁶ If not, why not?


Bonus points for an "idiot proof" way which could be recommended to less experienced users.




Footnotes



¹ I know it would be possible to open the Google Play Store web page of the app, scroll through it, and click the corresponding link when found – but you can't call that user-friendly, or expect users to do this on every update.
² e.g. on first install it requested the "unsuspecting" READ_PHONE_STATE with the usual justification. With an update, it could request CALL_PHONE, PROCESS_OUTGOING_CALLS, and others – and the Play app would not bring that up, as they belong to the "same group".
³ To figure out "new permissions", one would have to compare those of the installed version with those of the present one. Have fun!
⁴ I've just edited two answers and added some details on AppBrain and F-Droid to fill those gaps.
⁵ I've bought a lot of apps on Google Play (or donated to the dev directly), and e.g. F-Droid has donation buttons on each app's page to make this possible.
⁶ I could imagine that by knowing (and restricting your use to) "safe Aptoide repositories" this could be achieved. But as I wrote, I couldn't figure out which ones to consider "safe". The Aptoide article on Wikipedia suggests there's a "default repo" on install, and more repos need to be added manually; so it might be that sticking to that first one is safe.



Answer



Thank you for raising these questions. Here is some information about Aptoide that I hope is useful for you and the Stackexchange/Android community:



  1. Malware is something that we take very seriously. Currently, we have 3 different systems to detect malware as it arrives in any Aptoide-powered app store:


    • we run 3 different anti-virus engines in emulators at run-time

    • we have an in-house system of signatures to detect recurring threats

    • we have implemented a chain of trust based on the signature of the developer



  2. The task of creating a safe environment for the end user is a moving target. We are working with several universities and research centres and in a recent article (not yet published) we compare well with the other app stores. We also proposed a European research project with 2 anti-virus companies and 3 universities / research centres to deal with this topic. There is a lot of work to be done and the feedback of the community is important.

  3. F-Droid is in fact very similar to Aptoide. They are a fork of Aptoide and they maintain all the concepts we developed, like multiple stores. They have a more centralised approach and a central signature, which is of course different from our approach.

  4. At Aptoide we have the "Trusted" stamp. If you see the Trusted stamp in an app, we are 99.99% certain that the app doesn't contain a threat to the end-user.



Best,
Paulo Trezentos (Aptoide co-founder)
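Footnotes 2 and 3 of the question describe the gap a group-level permission display leaves open (a new permission inside an already-granted group is never surfaced, and finding it means diffing the installed version's permissions against the update's), and the answer's first point mentions a chain of trust built on the developer's signature. The following is an added example, not code from the question, the answer, Aptoide or F-Droid, showing what such a pre-update check looks like for a single app: it diffs the two permission lists, flags additions that hide inside a group the user already granted, and refuses the update when the signing certificate fingerprint differs. It assumes the permission lists and fingerprints were already extracted from the two APKs (for instance with `aapt dump permissions` and `apksigner verify --print-certs`); the permission-to-group mapping, the version data and the fingerprints are constructed sample values. Treating "same signer across versions" as the practical meaning of a developer-signature chain of trust is this example's own reading of the answer, not something the answer spells out.

```python
"""Compare an installed app's permissions and signer with an update candidate.

Added example, not part of the original question or answer. It assumes the two
permission lists and signing-certificate fingerprints were already pulled from
the APKs (e.g. with `aapt dump permissions` and `apksigner verify --print-certs`);
every value below is constructed sample data, not taken from any real app.
"""
from dataclasses import dataclass, field

# Constructed sample mapping from permission to the group a store UI lumps it
# under. Only the entries this example needs; None marks a "normal" permission
# that carries no group.
PERMISSION_GROUPS = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS": "PHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.INTERNET": None,
}


@dataclass(frozen=True)
class ApkInfo:
    """What we compare per version: declared permissions and signer fingerprint."""
    version: str
    permissions: frozenset
    signer_sha256: str


@dataclass
class UpdateReport:
    added: list = field(default_factory=list)                  # permissions new in the update
    removed: list = field(default_factory=list)                # permissions dropped by the update
    hidden_in_same_group: list = field(default_factory=list)   # new, but in an already-granted group
    new_groups: list = field(default_factory=list)             # groups not requested before
    signer_changed: bool = False

    def needs_attention(self):
        """True when a human should look before installing."""
        return bool(self.added) or self.signer_changed


def groups_of(permissions):
    """Permission groups covered by a permission list (normal permissions excluded)."""
    return {PERMISSION_GROUPS.get(p) for p in permissions} - {None}


def compare_update(installed, update):
    """Diff the permission sets and check that the signer is unchanged."""
    report = UpdateReport()
    report.added = sorted(update.permissions - installed.permissions)
    report.removed = sorted(installed.permissions - update.permissions)
    old_groups = groups_of(installed.permissions)
    for perm in report.added:
        group = PERMISSION_GROUPS.get(perm)
        if group is not None and group in old_groups:
            # The case from footnote 2: a new permission inside a group the user
            # already granted, which a group-level display would not show as new.
            report.hidden_in_same_group.append(perm)
    report.new_groups = sorted(groups_of(update.permissions) - old_groups)
    # Signer continuity: the update must be signed by the same certificate as
    # the installed version. Fingerprints are compared case-insensitively.
    report.signer_changed = installed.signer_sha256.lower() != update.signer_sha256.lower()
    return report


def format_report(installed, update, report):
    """Render the report as the short text a less experienced user would read."""
    lines = [f"{installed.version} -> {update.version}"]
    for perm in report.added:
        note = " (same group as an existing permission)" if perm in report.hidden_in_same_group else ""
        lines.append(f"  + {perm}{note}")
    for perm in report.removed:
        lines.append(f"  - {perm}")
    if report.new_groups:
        lines.append("  new permission groups: " + ", ".join(report.new_groups))
    if report.signer_changed:
        lines.append("  !! signing certificate changed; do not install")
    verdict = "review before installing" if report.needs_attention() else "no new permissions, same signer"
    lines.append("  verdict: " + verdict)
    return "\n".join(lines)


# Constructed sample versions; the fingerprints are made up, not real certificates.
SAMPLE_V1 = ApkInfo("1.0", frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
}), "AA" * 32)
SAMPLE_V2 = ApkInfo("1.1", frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_CONTACTS",
}), "aa" * 32)

if __name__ == "__main__":
    print(format_report(SAMPLE_V1, SAMPLE_V2, compare_update(SAMPLE_V1, SAMPLE_V2)))
```

Run as-is it reports the footnote's scenario: CALL_PHONE and PROCESS_OUTGOING_CALLS are marked as new-but-same-group, READ_CONTACTS opens a new group, and the signer matches. Swapping in a different fingerprint for the update makes `signer_changed` true and the verdict a refusal, independent of what the permission diff says.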

