
How to tell if an app is safe before you download it

Mariana Costa
August 22, 2025

Most people download apps on autopilot. They see something recommended, search for the name, tap install, and move on. That workflow skips a handful of checks that take about two minutes combined and can protect you from giving your data, money, or device access to something you didn't intend to trust.

App stores do filter out some malicious apps, but they're not perfect. Both the Apple App Store and Google Play have hosted apps that turned out to be scams, data harvesters, or malware in disguise. Google removed over 1.4 million policy-violating apps from the Play Store in 2023 alone, which gives you a sense of how many problematic apps make it through initial review.

Here's what to actually check before installing anything, organized by what's most important.

Check the publisher name, not just the app name

This is the single most important check and the one most people skip entirely. App stores contain many apps with names designed to closely resemble legitimate, well-known applications. A fake "WhatsAp" with one p missing, or "lnstagram" spelled with a lowercase L instead of a capital I, can look identical to the real thing in a quick search result.

Before you install anything, look at the developer or publisher name directly below the app title on the listing page. For well-known apps, this should be the company's official name: "WhatsApp LLC" for WhatsApp, "Meta Platforms, Inc." for Instagram, "Uber Technologies, Inc." for Uber, "Spotify AB" for Spotify. If the publisher name is an individual's name, a company you don't recognize, or a slight variation of the expected company name, stop and investigate further before installing.

On the Apple App Store, the developer name appears directly under the app name on the listing page. On Google Play, it's shown under the app title as "By [Developer Name]." This check takes five seconds and catches the most common type of app impersonation.
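The same title-and-publisher check can be automated when vetting a list of apps. The sketch below is an added example, not code from the article: the `KNOWN` table uses the publisher names listed above, while the confusable-character map, the one-edit threshold, and the function names are assumptions made for illustration.

```python
import unicodedata

# Official title -> publisher, exactly as the article lists them.
KNOWN = {
    "WhatsApp": "WhatsApp LLC",
    "Instagram": "Meta Platforms, Inc.",
    "Uber": "Uber Technologies, Inc.",
    "Spotify": "Spotify AB",
}
# Constructed, non-exhaustive map of visually confusable sequences.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"))


def skeleton(name):
    """Fold a title for comparison: NFKC, casefold, alphanumerics only, confusables merged."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(ch for ch in s if ch.isalnum())
    for src, dst in CONFUSABLE:
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_listing(title, publisher):
    """Return (verdict, official_title) for a store listing's title and publisher."""
    for official, expected in KNOWN.items():
        if edit_distance(skeleton(title), skeleton(official)) > 1:
            continue  # title does not resemble this known app
        if publisher == expected:
            return ("ok", official)
        if title == official:
            return ("publisher-mismatch", official)
        return ("lookalike", official)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample listings.
    for listing in [("WhatsApp", "WhatsApp LLC"), ("WhatsAp", "Chat Tools Dev"),
                    ("lnstagram", "Meta Platforms Inc"), ("Spotify", "Spotify Music Free")]:
        print(listing, "->", check_listing(*listing))
```

The publisher comparison is deliberately exact, so a slight variation of the expected company name is flagged rather than accepted.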

Look at the download count and release date on Google Play

Apple doesn't display download counts on the App Store, but Google Play does, and this number is a useful signal for spotting suspicious apps.

A well-known app with millions of users worldwide should have millions of downloads on the Play Store. If you're searching for what you think is a major app and the result shows 50,000 installs where you'd expect 500 million, something is wrong. You might be looking at a copycat, a regional variant, or a fake.

The release date and update history also matter. If an app claims to be an established service but was only published last month, that's suspicious. Legitimate versions of major apps have years of version history on their store listings.

Download counts aren't a perfect indicator on their own. New legitimate apps start small, and niche apps may never reach millions of downloads. But for any app that represents itself as a well-known service, low download numbers relative to what you'd expect are a reliable warning sign.

Read the 1-star reviews specifically

Five-star reviews on app stores are a mix of genuine satisfaction, prompted reviews that catch people at exactly the right moment, and sometimes purchased fake reviews. They're not worthless, but they're not where the most useful information lives.

One-star reviews are written by people frustrated enough to take the time to describe what went wrong. Read twenty of them on any unfamiliar app and look for patterns. Individual complaints about specific bugs or personal preferences aren't concerning. But if you see the same complaint repeated by multiple reviewers, that's a real signal.

Patterns to watch for specifically: multiple reviewers reporting unexpected charges or subscription traps, complaints about the app requesting permissions that don't match its function, reports of the app becoming aggressive with ads after initial use, claims of data being shared or accounts being created without consent, and descriptions of the app behaving differently from what the listing promises.

One specific red flag worth highlighting: if multiple reviews mention "this is a scam" or describe being charged for something they didn't agree to, take that very seriously. These complaints are often accurate descriptions of dark patterns in the app's monetization, such as free trials that convert to expensive subscriptions without adequate notice, or subscription cancellation processes that are intentionally difficult to find.

Examine the permissions before and after installation

Both iOS and Android show you what permissions an app requests, either at installation time or the first time a feature needs access. These permission requests deserve your attention rather than an automatic "Allow" tap.

Some permissions are obviously necessary and appropriate. A navigation app needs location access. A camera app needs camera access. A messaging app needs access to contacts and microphone. A fitness app needs access to health data. These make sense and shouldn't concern you.

What should concern you are permission requests that don't match the app's stated purpose. A flashlight app requesting access to your contacts, call log, or camera has no legitimate reason for those permissions. A calculator app asking for your precise location is unusual. A simple game requesting access to your microphone raises questions.

You can audit permissions at any time after installation:

On iOS, go to Settings, then Privacy and Security, then tap any permission category like Location Services, Camera, or Microphone to see every app that has requested it and its current access status.

On Android, go to Settings, then Privacy, then Permission Manager, which shows the same information organized by permission type.

If an app has permissions you don't remember granting and that don't logically connect to the app's function, you can revoke them individually without uninstalling the app. The app may lose specific functionality, but core features usually continue working.
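For anyone reviewing Android apps in bulk, the purpose-versus-permission comparison can be run against an app's decoded manifest. This is an added example, not part of the original article: the category baselines are a simplification built from the examples above, the manifest is constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baselines per app category, taken from the article's examples.
EXPECTED = {
    "navigation": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "camera": {"CAMERA"},
    "messaging": {"READ_CONTACTS", "RECORD_AUDIO"},
    "flashlight": set(),
    "calculator": set(),
}
# Permissions covering the data types the article calls out.
SENSITIVE = {"READ_CONTACTS", "READ_CALL_LOG", "CAMERA", "RECORD_AUDIO",
             "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}

# Constructed sample: a decoded (text) AndroidManifest.xml for a made-up flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the short names of every <uses-permission> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        full = el.get(ANDROID_NS + "name", "")
        if full:
            names.add(full.rsplit(".", 1)[-1])
    return names


def unexpected_permissions(manifest_xml, category):
    """Sensitive permissions requested that the app's category does not explain."""
    requested = requested_permissions(manifest_xml) & SENSITIVE
    return sorted(requested - EXPECTED.get(category, set()))


if __name__ == "__main__":
    print(unexpected_permissions(SAMPLE_MANIFEST, "flashlight"))
```

An unknown category falls back to an empty baseline, so every sensitive permission it requests is reported for manual review.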

Check the last update date

Apps that haven't been updated in two or three years are either abandoned by their developer or maintained by someone who isn't actively engaged with the product. Both situations are problematic from a security perspective.

Software vulnerabilities are discovered regularly in the frameworks and libraries that apps are built on. Apps that receive regular updates incorporate security patches for these vulnerabilities. Apps that are abandoned don't, which means known security holes remain open indefinitely.

The update date is visible on both app store listing pages, usually in the "Version History" or "What's New" section. For any app that handles financial data, health information, login credentials, or personal communications, a recent and regular update history is a reasonable expectation.

This doesn't mean every app needs weekly updates. But if the last update was two years ago and the app handles any kind of sensitive data, consider whether there's a more actively maintained alternative.

Verify the app has an identifiable online presence

Legitimate apps from legitimate companies have websites. Before installing anything that isn't a household name, search for the app name plus "official website" or "official site" and check whether what you find matches the developer name on the app store listing.

Look for a domain that makes sense for the company (not myapp-downloadfree.net or similar), a privacy policy accessible from the website, contact information including an email address or physical address, and consistency between what the website says and what the app listing describes.

If an app has no traceable online presence beyond its app store listing (no website, no company information, no way to contact the developer), that absence is worth considering before trusting it with access to your device.

Higher standards for financial apps

For any app that touches your money, whether it's a payment app, banking app, budgeting tool, or investment platform, the verification bar should be higher.

In the United States, legitimate financial apps are typically affiliated with an FDIC-insured bank (and will say so clearly in their terms or marketing), registered with FinCEN as a money services business, and licensed as a money transmitter in the states where they operate.

You can verify FDIC membership at fdic.gov. For payment apps, searching for the app name plus "FinCEN registration" or "state money transmitter license" will usually confirm whether they're operating legally. Legitimate financial apps are transparent about their regulatory status because it builds trust. If a financial app doesn't mention any regulatory affiliation anywhere in its materials, that's a significant red flag.

What none of this guarantees

Even a legitimate, well-reviewed, properly regulated app can have privacy practices you wouldn't agree with if you read the details. Many popular apps collect and monetize user data in ways that are technically disclosed in their privacy policies but that most users would find surprising if they understood the specifics.

The checks described here protect you from fake, malicious, and scam apps. They don't protect you from legitimate companies doing things with your data that you might not choose if you were fully informed. For that layer of awareness, reading the privacy policy, specifically the sections on data collection, sharing with third parties, and advertising, is the only real tool available. It's tedious, but for apps you use daily and trust with personal information, it's worth the ten minutes.

Last updated: March 31, 2026

About the Author

Mariana Costa

Security researcher and tech journalist. Writes about app safety, social media platforms, and digital privacy.
