Google’s Play Store remains the primary source of apps for Android users. However, it isn’t the only app store in the market. While there are several browser-based third-party app stores, some smartphone OEMS (original equipment manufacturer) such as Xiaomi, Oppo and Vivo are also offering pre-loaded app stores on their devices.
These stores contain some of the older apps, unique categories and rewards systems that are not even offered on Google’s Play Store. For instance, Xiaomi’s app store has a category for Lite apps, which shows all Lite and compressed apps on a single page.
They also have a temporary section based on ongoing events, like all the apps to catch up on the action and movies nominated for Oscar awards. The app store also rewards users with virtual coins for logging into the store, which can be used to buy accessories or Mi coupons.
Going by the latest market reports, people are downloading more apps. One such report by App Annie, published in January 2019, suggests that the total number of app downloads have risen by 35% on both Android and iOS in the last two years, while in India, it has surged 165%. It is no surprise that OEMs want to cash in on this.
Most of these pre-loaded app stores show ratings, reviews and number of downloads for the apps. To assure users about the security aspect, the Xiaomi app store has a security certification based on tests carried out using security tools such as Avast, Tencent and Kingsoft. According to the store, apps that have the certification have been cleared of any viruses or hidden payments. Vivo also has a security certification for apps that have been scanned and cleared for any potential threats. However, some of the apps that were taken down from Google Play Store like Offroad Extreme for displaying full-screen ads, monitoring screen unlocking functionality and running in background, was still available on the Xiaomi app store. This suggests the rules governing what shows on these app stores may not be as stringent as they are on Play Stores or App Store.
Apps stores like Google’s Play Store are also using machine learning tools to identify peer groups of apps with similar functionality, metadata, text descriptions, user metrics and number of installs. They use these peer groups to detect potentially harmful signals and identify apps which do not fit into them and can pose a security risk.
While Oppo and Vivo’s stores look like stand-alone stores, the apps store on Xiaomi phones seems more like an aggregator for third party app stores.The apps it has mentions third party app stores like 9Apps, Aptoide as the source. We reached out to Xiaomi for clarification but didn’t receive any response.
In order to contain potentially harmful apps (PHA) from third-party app stores, Google replaced the runtime permission feature, which has to be enabled to allow installation of apps from unknown sources, with a new permission system.
This option does not apply on pre-loaded app stores like Xiaomi and Oppo’s stores, even when disabled they can download apps. “Android’s PHA feature while a definite improvement over previous versions which allowed any application to be downloaded—still isn’t foolproof since there is no guarantee that the source you are pointing to has safe applications or not. So it is always important to have legitimate and reputed security software installed that monitors downloads and warns of bad links" points out Venkat Krishnapur, vice-president of engineering and managing director, McAfee India.
According to Norton Security, third-party apps on Play Store and Apple App store have to follow strict development criteria. These stores also vet the apps for malicious content before letting them on their platform. Third party apps do not show the same level of alacrity when it comes to scrutinising these apps, which is what increases the risk of threat. The fact some of the pre-loaded app stores by phone makers are linked to them also casts aspersions on them.