Most of us will download an app from Google Play or the iOS App Store without a second thought, confident the giant corporations behind the stores are keeping us safe from digital harm. If you own a recent Huawei phone you must rely on the AppGallery for your app needs, and when an app isn’t available, it points you towards installing an APK file from an unofficial source.
But are these files equally safe, and what is Huawei doing to make sure you’re not being put at risk from malware, viruses, and data theft? Digital Trends spoke to Dr. Jaime Gonzalo, VP of Huawei Mobile Services Europe, and Fernando Garcia Calvo, Director of Huawei Petal Search Europe, to find out.
What is an APK?
Before we go much further, let’s talk about APK files. APK stands for “Android Package Kit,” and it’s the file format used to install apps on Android. Think of it as being a bit like a .exe file for Windows or a .dmg file for MacOS. Normally, at least if you use Google Play, you’ll never have to deal with an APK file.
However, anyone who owns an Android phone can download and install apps using APK files, a practice often referred to as “sideloading.” These files are generally distributed through third-party repositories, although some companies also let you download official APK files directly. Huawei lost access to the Google Play Store in 2019 and has since used its Petal Search app to push owners towards APK files to get the apps its own store is missing.
Because it’s simply a file format, there are no legal issues with downloading and installing APKs. But that does not excuse copyright infringement or breaching the terms and conditions of the app contained in the APK file.
OK — but is it safe?
Because of the way APK files are distributed and installed on a phone, there is a somewhat greater chance of the app being a security risk than when you use an official store. On most Android phones, sideloading an app bypasses the protections offered by Google Play, and it’s possible an APK may have been modified to include malware prior to installation on your phone.
This puts anyone with a recent Huawei phone in a difficult position. Why? Huawei’s Petal Search will lead you to APK repositories when you search for an app not available in the AppGallery. This happens if you want Twitter, Instagram, Netflix, VSCO, Waze, Microsoft Teams, Fitbit’s app, Duolingo, and many other common, often-used apps. Petal Search recommends APK files from sites like APKPure, APKMonk, AppParks, and Uptodown.
We wanted to understand what Huawei is doing to protect you from harm when using these sites and the APKs they provide. Dr. Jaime Gonzalo said Petal Search only looks at publicly available sites, not those hidden from Google or other search engines, and that it only references sites it considers legitimate. For instance, the site needs to be a registered company in Europe or the U.S. But Huawei goes beyond this, as Gonzalo explained.
How Huawei scrutinizes APK downloads
“First, we ensure the source is trustworthy and make a daily check of all the results, and we check the safety and compatibility for the device,” Gonzalo explained, stating Huawei’s top-level efforts for checking the credibility of the site Petal Search links to. “Second, when the app is installed the channel is encrypted, so any messages sent outside of the process will be blocked. And third, we have a real-time anti-virus and malware process, which means during regular use [of APK sites] you will be protected.”
When you search for apps, Huawei’s system first prioritizes the App Gallery. But if the app is not there it will look for official sources. If it’s not in either, the search includes third-party sources.
“We look at the site and app’s popularity to assess credibility, and we make sure the page has the latest app version available as this usually has the latest security patches. At the end of the process, we make an internal check to look for malware.”
All this happens before the app is installed — so what happens then?
“On the device itself during the download, the app’s integrity is checked so it doesn’t decompile or install another APK in parallel, and the app’s name is verified. Next is malware and virus threat protection, then our own AI security protection. This watches for the app to do anything unexpected, such as trying to access something that it shouldn’t. If the AI detects this it will block the installation. After all this, if there are no threats, the app can be installed.”
Gonzalo said, “We can say the security risk is low,” regarding installing APK files. Fernando Garcia Calvo added to this confidence, revealing that since Huawei lost access to Google Play in 2019, 830 million apps have been downloaded using the Petal Search system and more than half were not from the AppGallery. During this time, no copyright claims have been made against it, there have been no developer complaints against the system, and no official user complaints regarding malware or loss of data due to a virus either.
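As an added illustration (not Huawei’s code, and not a description of how Petal Search or the AppGallery implement the integrity check Gonzalo describes), the following Python builds a constructed APK-shaped zip and checks the v1 JAR-signing layer most APKs still carry: the SHA-256 digest of each file recorded in META-INF/MANIFEST.MF. It flags a file that was modified or added after the manifest was written, which is what a repackaged APK looks like; the package name, file contents and digest values are constructed for the example.

```python
import base64, hashlib, io, zipfile

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_sample_apk(after_signing=None):
    """Constructed APK-shaped zip carrying only the v1 MANIFEST.MF layer.
    after_signing = entries modified or added after the digests were written."""
    entries = {
        "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    entries.update(after_signing or {})  # tampering happens after the manifest exists
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> SHA-256-Digest; manifest sections are blank-line separated."""
    digests, section = {}, {}
    for line in text.replace("\r\n", "\n").split("\n") + [""]:
        if not line:
            if "Name" in section and "SHA-256-Digest" in section:
                digests[section["Name"]] = section["SHA-256-Digest"]
            section = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            section[key] = value
    return digests

def verify_manifest_digests(apk_bytes):
    """Return a list of problems; [] means every entry matches MANIFEST.MF."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in expected:
                problems.append(f"unlisted entry: {name}")
            elif b64_sha256(z.read(name)) != expected[name]:
                problems.append(f"digest mismatch: {name}")
    return problems
```

This is only the innermost layer: a complete check also verifies CERT.SF and the CERT.RSA signature (and the v2/v3 APK Signing Block) and compares the signing certificate with the developer’s known one, because someone who repackages an APK simply regenerates the manifest and signs with their own key.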
Not all APKs are created equal
Huawei certainly appears to be doing plenty to keep you, your phone, and your personal data safe. But it doesn’t recommend downloading APK files in all cases. Take banking apps as an example. Calvo said Huawei has had conversations with banks on the subject of apps.
“We encourage them [banks] to upload apps to App Gallery,” he said. “In the beginning, we were reluctant to show banking app APKs at all in Petal Search, but we realized people want to find them anyway and without our security. For this reason, the links in Petal Search for banking apps go to the web version of the banks and not an APK.”
Huawei doesn’t have any commercial relationships with APK repositories, but Gonzalo said he considers the use of APK repositories “accepted and safe, considering the amount of time [the sites] have been up and running.” We contacted APKPure, which is one of Huawei’s top recommendations in Petal Search, for comment on this story. However, the company did not respond to our emails.
Huawei’s warnings paint a clear picture
Obviously, Huawei wants you to get the apps you want on your phone, and while it is working to keep you safe when using third-party APK sites, the experience on the phone itself may still cause you concern.
“Downloading apps from external sources may put your devices and personal data at greater risk. By touching Allow, you indicate that you accept these risks.”
“The apps listed below, including linked content and pages, are internet search results automatically generated based on keywords you entered. AppGallery only displays these search results, and is not responsible for their content.”
These are just two of the warnings you get when you download any non-App Gallery app, effectively removing Huawei from any legal obligations should something go wrong. Additionally, despite promises it would link to official sources before third-party sources, Petal Search still pushed me towards AppParks for WhatsApp and Facebook before the official website source.
What do people who work in security or app development think about APK files? Assistant Professor Cori Faklaris, who studies usable security at the University of North Carolina, told Digital Trends in a Twitter message that APK file downloading, or sideloading in general, is a “downloader beware” situation. Leaving aside APK files from trusted sources, she said:
“If you think you can handle a malware infection or analyze the app yourself for security vulnerabilities, and the mobile device belongs to you and will only be used on a private network, I’d say go for it. But I would not download APKs to phones that connect to public networks or institutional secure networks like businesses or schools. Then you’re not just putting your data at risk but that of anyone who potentially is exposed to a hack through your phone app being connected to the network.”
What about developers? App developer Roscoe Juckett told Digital Trends via a Twitter message that while he has no problem releasing an app on sites like APKPure, he does still have concerns:
“My concern is people will download it, infect it, and republish it,” he said, referencing the problem of then managing updates to fix issues outside of an official store. Perhaps tellingly, he added, “I deploy all my client’s apps on Google Play, none have asked me to deploy anywhere else.”
While scandals regarding APK repositories aren’t all that common, they do happen. In April 2021 Kaspersky covered a Trojan infection in APKPure’s own mobile app, which came from a malicious advertising SDK. While that is worrying, apps downloaded from official sources have also contained malicious advertising and other forms of malware in the past, so it’s not a problem that’s unique to an APK repository.
Safety not guaranteed
The fact that malware has been found in apps downloaded from Google Play shows apps, in general, can be security risks — regardless of where they are downloaded from. Huawei phone owners downloading APK files for apps are arguably a little less protected than anyone using Google Play, but Huawei has made an effort to make the download and installation safe. However, it doesn’t have any control over the apps or the third-party sites, and as its warnings in the App Gallery show, the company doesn’t take any responsibility for any issues that come from using those apps.
Where does this leave you? There’s some peace of mind that comes from Huawei sharing its security and safety practices, but its warnings in the App Gallery and Petal Search emphasize you’re very much on your own here. If you’re worried, perhaps you should use Huawei’s treatment of banking apps as a barometer. If you consider the information stored or input into an app as sensitive or you are using it for work, then using a version sourced from an unofficial repository may not be advisable.