Dear Lifehacker, I remember reading about some sketchy wallpaper apps, along with other concerns about security in Android's somewhat Wild West-style app Market. How can I keep my phone (and myself) safe from bad apps in the Market and elsewhere? Sincerely, Deliberate Droid Owner
Dear Deliberate, Valid question, and one for which we can provide some guidance, if not a completely fail-proof solution. While no platform is completely immune to security flaws and overly zealous data collection (even the more carefully curated iPhone App Store has had its problems), Android's fairly wide-open Market, and the so-detailed-they're-overwhelming permissions requests from apps, make it harder to be certain about the good nature of some apps. So let's run through a few ways to keep yourself safe when you're downloading apps on your Android.
Study New Apps and Their Makers
Yeah, we know — nobody wants to read the instruction manual when they get a brand new toy. But if you're venturing out into the Market and grabbing apps to fill a particular need, and these apps come from developers you don't know otherwise, you should take a second look before clicking Install.
One of the most reliable litmus tests for whether an app is a goodwill gesture or serious production from a determined developer, or just cruftware, is to scroll down to the "About the developer" section after first selecting an app in the Market, then hit "View more applications". Look through the apps this person or team has put out. Do they seem mainly like clones of each other — ringtones, wallpapers, theming packages, sports-based widgets? If it looks like the developer doesn't have much breadth or depth in their efforts, you might not want to jump in, even at the cost of free. You won't necessarily get hit with spyware or viruses, but you'll likely find pop-up requests, a tricky definition of "free" and other disappointments.
The last step before you install a new app involves reading through the permissions it will request from your phone to perform its job. On some apps, the list is so long, and the descriptions so generic, that you'll likely just get annoyed and click through. And that's understandable, if you understand what, say, Dropbox does, or what the Kindle app intends to do. But for lesser-known apps, take more care.
You don't need to drill down on every specific permission and what it means. Those can be misleading, anyway — the infamous "wallpaper apps" you mentioned above needed access to "phone calls", but actually sent back unique phone identification numbers to the developer's China-based servers. The lesson isn't "Trust no one", but you do want to think about the scale of your app needs. If a tool that supposedly helps share web pages to Delicious says it needs access to your GPS location, question why it might do so, and compare it against other apps that offer to serve the same purpose.
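For readers who would rather script that comparison, here is an added example (not from the original article) that flags permissions one app requests and its same-purpose peers do not. It assumes each listing was produced with `aapt dump permissions` from the Android SDK; the package names and listings below are constructed for illustration.

```python
import re
from collections import Counter

# Matches both aapt output styles:
#   uses-permission: android.permission.INTERNET
#   uses-permission: name='android.permission.INTERNET'
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

def parse_permissions(aapt_output):
    """Return the set of permissions requested in one aapt listing."""
    return set(PERM_RE.findall(aapt_output))

def unusual_permissions(candidate, peers, max_peer_share=0.0):
    """Permissions the candidate requests that at most max_peer_share of the
    peers also request. With no peers there is no baseline, so every
    permission is reported."""
    counts = Counter(p for peer in peers for p in peer)
    limit = max_peer_share * len(peers)
    return sorted(p for p in candidate if counts[p] <= limit)

# Constructed sample listings for three bookmark-sharing apps (hypothetical names).
CANDIDATE = """package: com.example.sharetodelicious
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.READ_PHONE_STATE
"""
PEERS = [
    """package: com.example.bookmarker
uses-permission: name='android.permission.INTERNET'
""",
    """package: com.example.linksaver
uses-permission: android.permission.INTERNET
uses-permission: android.permission.GET_ACCOUNTS
""",
]

def review(candidate_listing, peer_listings, max_peer_share=0.0):
    """Parse the listings and return the candidate's out-of-pattern permissions."""
    peers = [parse_permissions(p) for p in peer_listings]
    return unusual_permissions(parse_permissions(candidate_listing), peers, max_peer_share)

if __name__ == "__main__":
    for perm in review(CANDIDATE, PEERS):
        print("No peer app asks for:", perm)
```

A flagged permission is a reason to ask the developer or pick a peer app, not proof of bad intent.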
Obvious but Rare: Email the Developer
If you like the promise of a certain app, but you're not quite sure why it needs certain overreaching permissions, or how it ties into your phone's data, there's a link on the Market page for each app that allows for emailing the developer, if an email address is provided. If there's no email address or no response after a fair waiting period, then the app is likely not worth the risk. The reward, though, can be great: feedback to a developer who might desperately need specifics, assurance that a real human is out to make a great product, and, potentially, a freebie download of a paid app for your help.
Install a Download-Checking Security App
You don't have to rely entirely on your social engineering skills to prevent misfit apps from making their way onto your phone. Two apps provide fairly convenient automatic checking of apps and files you're downloading.
Lookout has the prime advantage of being a free app, along with having a fairly set-and-forget system. Install the app, sign up with a Lookout account, and Lookout watches the apps already on your phone and those coming into your phone through the Market, along with anything trying to install itself on the sly. Lookout also provides data backup and lost phone location tools, and a premium version coming soon will offer remote wipe and lock abilities, among other upgrades.
Norton Mobile Security provides a 101-day preview of all its services for free, including instant scanning of any apps coming into your phone. Presumably, Norton's experience in tracking and alerting to potential malware would translate into the Android sphere, but it's a pretty new realm for all players.
We hope that combination of applied suspicion and helpful free(-ish) apps gives you a little more confidence in the Android app sphere, Deliberate. Fully warned, go forth and make your phone as Kanye Sailor Moon Viking SFX as your heart desires.
P.S. We're open to any additional Android security best practices in the comments, of course!