Safety guidance
Installing APKs safely
Installing an APK by hand puts you, rather than a store, in charge of deciding whether a file is trustworthy. This page explains what that responsibility involves, how to check a download before you run it, and what to do when an install goes wrong.
- Last updated
- 14 July 2026
- Applies to
- All downloads
1. What sideloading actually changes
When you install from an official store, the store has already done several things on your behalf: it scanned the binary, it checked that the developer account matches the package name, and it keeps a route open to pull the app from every device if it later turns out to be malicious. Installing an APK directly skips all three. Google Play Protect still scans the file on most devices, but the account check and the remote kill switch are gone.
That is not a reason never to sideload. It is a reason to sideload deliberately: from a publisher you can name, with a file you can verify, for a reason you can articulate. Prefer the official store link on any APKBrowse listing when one exists. We put it first for exactly this reason.
2. Before you install
Run through this list. It takes under a minute and catches most bad files.
- Confirm the package name, not the app name. Anyone can call their app Signal. Only one developer can publish
org.thoughtcrime.securesms. The package name is the identity that matters. - Check who the publisher is. A verified publisher on APKBrowse has demonstrated control of the package. An unverified upload has not — it has only been reviewed.
- Read the version history. A package whose signing certificate changed recently, or whose size jumped without explanation, deserves scepticism.
- Ask why you are sideloading. Wanting an older version, a region-locked release, or a build your device no longer receives are good reasons. Wanting a paid app for free is not — and those files are where nearly all Android malware lives.
3. Verifying a download
Every version we list publishes a SHA-256 hash of the exact file we hold. A hash is a fingerprint of the bytes: if one bit of the file differs — a corrupted download, an injected payload, a substituted file — the hash changes completely. After downloading, compute the hash yourself and compare it, character for character, with the one on the listing.
Compute a SHA-256
macOS / Linux shasum -a 256 app.apk
Windows certutil -hashfile app.apk SHA256
Android (adb) adb shell sha256sum /sdcard/Download/app.apkIf the hashes do not match, delete the file. Do not install it "just to see". A mismatch means you are not holding the file we reviewed, and the reasons for that range from a truncated download to an attacker on your network.
4. What a signing certificate proves
Every Android app is signed with a private key held by its developer. The APK carries the matching certificate, and Android refuses to install an update whose certificate differs from the one already on the device. This is the single strongest guarantee in the ecosystem — and it is worth understanding precisely what it does and does not tell you.
A matching certificate proves continuity: this build came from whoever built the version you already have. It does not prove the developer is honest, competent, or that the app is safe. It proves only that the author has not changed. That is a narrow claim, but it is the one that catches repackaged apps, which are the most common way a familiar-looking APK turns hostile.
APKBrowse records the SHA-256 fingerprint of the signing certificate for every version we hold and compares each new upload against it. A mismatch blocks approval outright. When you see "Signature verified" on a listing, it means this exact claim has been checked: same certificate, same publisher, no repackaging between the developer and you.
5. Permissions worth a second look
Permissions are only meaningful in context — a camera app should want the camera. What should give you pause is a permission that has no plausible relationship to what the app claims to do. These are the ones most often abused:
- Accessibility Service. Designed for users with disabilities; grants the ability to read everything on screen and act on your behalf. The most powerful permission on Android and the one banking trojans want most. A wallpaper app has no use for it.
- Device admin. Can lock, wipe, or make the app difficult to uninstall. Legitimate outside enterprise management only in rare cases.
- SMS and call log access. The usual route to intercepting one-time passcodes. Very few apps genuinely need it.
- Install unknown apps. Lets the app install further APKs. A dropper asks for this so the payload arrives after the initial scan.
- Display over other apps. Enables overlays that can sit invisibly on top of other apps and capture taps intended for them.
Every listing shows the full permission set for each version, so you can compare across releases. A permission that appears in an update without a matching changelog entry is worth asking about before you install.
6. Rolling back a bad install
If an app misbehaves, act quickly and in this order. First, put the device in aeroplane mode to cut the app off from the network. Second, revoke its permissions in Settings → Apps → Permissions, starting with any accessibility or device-admin grant, since an app holding device admin cannot be uninstalled until that is withdrawn. Third, uninstall it. If the uninstall option is greyed out, boot into safe mode — hold the power button, then long-press "Power off" — which loads the system without third-party apps and lets the removal go through.
Downgrading to an earlier version is a different problem: Android does not allow installing a lower version code over a higher one, so you must uninstall first, and uninstalling clears the app's data. Export anything you need before you start. Where an app supports a backup or export feature, use it; there is no general-purpose way to preserve app data across a downgrade on an unrooted device.
After removing anything you suspect was malicious, change the passwords for any account you used on that device and check for unrecognised sessions. Assume that anything the app could see, it saw.
7. If something looks wrong
Use the report action on any listing to tell us. Reports go straight to the moderation queue, and we can take an app out of the catalogue while we investigate. Include the version, what you observed, and the hash of the file you downloaded if you still have it — that last detail is what lets us tell a bad listing apart from a bad download.
APKBrowse is a demonstration catalogue: the apps listed here are fictional and exist to show how a provenance-first registry works. The guidance on this page is not fictional, and applies to any APK you install from anywhere.