rdns dev here
natoal all apps are sandboxed how's one supposed to check if a program is really safe
There are many other forms of analyses. Since Google expects folks to use the Play Store to install apps, it does those analyses, marks out PHAs (potentially harmful applications), reviews apps wanting sensitive permissions, then, if everything checks out, makes the app available for installs. You can see a stricter version of this play out (no pun) with a 3p app store like Accrescent.
Now this isn't to say Google's Play Protect program is all fine and dandy (God knows there are many chinks in the armor, including spyware/trackerware companies buying already approved apps, like they do with browser extensions), but the notion that Smartphones need a desktop-class overbearing anti-virus app is a misplaced concern, precisely given the sandboxing & other gatekeeping mechanisms that come out-of-the-box on Android-certified devices.
As for sophisticated adversaries such as CSVs (commercial surveillance vendors), such anti-virus apps will be ineffective against them anyway (as these usually target & breach multiple sandboxing & isolation layers to compromise the OS/Kernel itself), unless the exploit is known and these apps can glean indicators of compromise from within their sandbox (not always possible), but then, so can Play Protect.
Apps and tools that do a specific job (like debloating ROM, cloning installed apps, monitoring data usage, blocking ads & trackers, using alternative frontends, etc) are more important given Android's security model (which prevents end-users from modding the ROM or apps to suit their liking). rooting (or using userdebug / eng builds of 3p ROMs) is a common way to get absolute control over Androids but it comes at a grave cost (regardless of the safety latches that come built-in with superuser tools like Magisk). It is okay if you know what you're doing, which isn't the case for an overwhelming majority of the 3bn of us that use Android.
otoh, antivirus apps (especially on Smartphones) have onerous privacy policies, and the data they sometimes collect & the permissions they require in the guise of "scanning" should ring alarm bells to anyone careful enough to use ROMs like GrapheneOS.
From a sandboxing PoV, Google is right to revoke this blanket storage permission granted to Android apps. From what I know, iOS never granted such "entitlements" to 3p apps.
tldr Ditch AV apps.