Ask HN: How do I trust/sandbox apps on Android?
3 points by shipstain 2019 days ago
I have been shy to install applications on Android, and am generally shy of closed source applications.

I'm trying to remove unwanted applications from an Android. I do want a File Manager, Gallery App, and Music Player. Most of these require read/write access to the file system/memory card.

If you dig through Google Play to try and find the permissions, many have network access. So in theory they could read your file system and upload files.

So the question is, how do we trust these applications?

Do the gatekeepers to the application stores test these applications for these kinds of exploits?

Beyond uploading my Photos, and Music, and Downloaded Files, is there any other risk of an application having access to the file system? Or rather, are things like a Contacts database encrypted and only accessible by trusted applications?

Can you sandbox applications? With native Android tools, or possibly other applications?

I'm not overtly paranoid but don't have enough trust in these platforms to use them for phone calls and messaging at this point.

Any pointers welcome, and thank you in advance.

1 comments

What you are asking is a well-known research problem (try opening Google Scholar and type in 'Android Sandbox') and I'm afraid no real solution exists at the moment. You can mitigate the problem in many ways and if you're concerned about your privacy I would suggest using mostly open-source apps (https://f-droid.org).

Thanks, F-Droid looks interesting.

Stuff like this just baffles me:

https://f-droid.org/en/packages/org.metabrainz.android/

Ver 2.4(27)

read phone status and identity: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

I'd run a mile from that app if I saw those perms listed on Google Play.

And something like Google Calendar being > 50MB.