by 1nverseMtx 2794 days ago
> Most people accept that "free" apps should be able to be installed any way that people like.

That doesn't make it legal or safe. Re-distributing copyrighted material is questionable even in Portugal.

But more importantly there's no guarantee the app binary was not modified and repackaged to include malicious code.


It is very easy to verify these apps have not been modified if you also have access to a known good copy of the same app. Install known good copy -> install suspect APK as upgrade -> signature check performed on upgrade verifies that it was signed with the same key as the old version, so if the upgrade succeeds there has been no modification.
Actually, Google is adding a way to verify it came from them:

https://android-developers.googleblog.com/2018/06/google-pla...

They specifically cite being able to do this peer to peer.

How do you get access to a known good copy of the app?
Especially since the normal use of an APK intermediary is that one does not have access to a known good source such as Google Play.
Android apps are generally signed by the developer in question. APKMirror verifies the apps they distribute are signed by the original developers.

Legality of distributing "free as in beer" stuff that isn't "free as in speech" is always an interesting topic. In the case of Europe, I suspect we'll see more revision on that front as these cases regarding the Play Store and the license changes develop. It's possible, for instance, that the EU might feel that preventing sideloading of a Google app "ties" it to the Play Store in a way they find distasteful.

It's interesting to me that as of yet, Google has tolerated APKMirror, likely because it's run by Google/Android enthusiasts, and not intended for circumventing Google's business model. I'd be very curious how Google distinguishes Aptoide as something to be stopped, but APKMirror as something to be permitted.

The apps are signed. If you modify them and try to install an updated version on top of the one you already had from the Play Store, it will not match the signature and fail to install.
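
The "install as upgrade" check described earlier in the thread and the signature-mismatch point in this comment both come down to one rule: the certificate that signed the installed app must match the one in the candidate APK. As an added example (not code from any commenter), this Python script does that comparison offline: it pulls the signer certificate out of an APK's v1 (JAR) signature block and compares SHA-256 certificate fingerprints, the same fingerprint that apksigner and keytool print. It assumes DER-encoded signature blocks, covers only v1 signatures (v2/v3 certificates live in the APK Signing Block, not META-INF), and does only the identity half of the check, so the signature itself must still be verified (for instance with apksigner verify) before a match means anything; the APKs and "certificates" it builds are constructed fixtures, not real ones.

```python
import hashlib, io, zipfile

def der_children(buf):                                  # assumes DER (definite lengths), not BER
    pos = 0                                             # yields (tag, whole_element, content) per TLV
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                               # long-form length
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        yield tag, buf[pos:start + length], buf[start:start + length]
        pos = start + length

def pkcs7_certificates(blob):
    """DER bytes of each certificate inside a PKCS#7 SignedData (META-INF/*.RSA)."""
    content_info = next(der_children(blob))[2]                                    # ContentInfo SEQUENCE
    signed_data = next(c for t, _, c in der_children(content_info) if t == 0xA0)  # [0] EXPLICIT
    for tag, _, content in der_children(next(der_children(signed_data))[2]):     # SignedData fields
        if tag == 0xA0:                                                           # [0] IMPLICIT certificates
            return [whole for t, whole, _ in der_children(content) if t == 0x30]
    return []

def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the certificates in the APK's v1 (JAR) signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def same_signer(installed_apk, candidate_apk):          # the upgrade rule from the thread
    old = signer_fingerprints(installed_apk)
    return bool(old) and old == signer_fingerprints(candidate_apk)
# Constructed fixtures: toy "certificates" and stand-in APKs, not real X.509 or real apps.
def der(tag, body):                                     # short-form length is enough here
    return bytes([tag, len(body)]) + body
def fake_apk(cert_der, signature):
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                      + der(0xA0, cert_der) + der(0x31, der(0x30, signature)))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()

DEV_CERT = der(0x30, b"developer cert (constructed)")
INSTALLED = fake_apk(DEV_CERT, b"sig-v1")
UPDATE = fake_apk(DEV_CERT, b"sig-v2")                  # same key, fresh signature: accepted
TAMPERED = fake_apk(der(0x30, b"repackager cert (constructed)"), b"sig-v2")  # re-signed: rejected
```

On a real APK, `signer_fingerprints(open("app.apk", "rb").read())` returns the same SHA-256 value that `apksigner verify --print-certs` reports, which is what you compare against the known-good copy.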