Apps you get from an app store aren’t necessarily trustworthy. A top app in the Mac App Store hoovering up browsing data is just the latest example. Even an app you get from an app store might do bad things with your data.

The Mac App Store Certainly Isn’t Safe

Apple polices its app stores strictly, requiring manual human review and regularly denying apps for various reasons. Apple is also known for caring about user privacy. You might expect a lot of protection for your data from apps in Apple’s app stores. But, if you do, you’ll be disappointed.

Adware Doctor, which was one of the top sellers on the Mac App Store, was capturing Mac users’ web history and uploading it to a server in China. Apple had known this for an entire month, but only removed the app from sale when it was reported publicly.

This wasn’t a one-off problem. Shortly after this public shaming worked against Apple, Reed Thomas of Malwarebytes exposed a variety of Mac App Store apps that behaved in the same way. He wrote that Malwarebytes had been reporting software like this to Apple for years, but that Apple rarely took immediate action. It might take six months for Apple to remove a bad app. Apple removed those apps, too, but only after they were exposed publicly.

As we pointed out a few years ago, the Mac App Store is full of scams. Thomas recommends you “treat the App Store just like you would any other download location: as potentially dangerous.” Apple isn’t policing it properly.

Apple Now Requires Each App Have a Privacy Policy You Won’t Read

Apple is doing something related to the problem, though! As of October 3, 2018, all new apps uploaded to the store must have a visible privacy policy. New and updated apps on the store—in other words, not actually every app—will have a link on its app store page you can tap to view a privacy policy.

According to Apple’s App Store guidelines, that privacy policy must identify what data the apps collect, explain what the data is used for, and outline how you can request the data be deleted.

There’s your protection: Apple requires the app tell you what it’s doing in fine print almost no humans on the planet will ever read.

Google similarly requires a privacy policy for many apps. But all this does is require some additional fine print.

You Probably Agreed To Data Sharing Already

Why are you upset your data is being hoovered up, sent off to a company’s servers, and shared with a bunch of partners? You probably agreed to it already!

That’s right. Much of this data capture and sharing is disclosed in the various terms and conditions, user agreements, and privacy policies you have to tap your way through while installing software or creating user accounts.

Almost no one reads these things because we all have better things to do than scroll through an extended contract every time we install an app or create a new account online. Everyone knows this, including the people who write them. But that doesn’t matter. This is all about legal ass-covering. You agreed to all this data sharing when you installed the app, started using it, or created an account.

Who Knows What the App is Doing With Your Data?

It’s tough to tell exactly what an app is doing with your data. An app on your device—iPhone, iPad, Android, Windows PC, Mac, or whatever else—can grab any data to which it has access. Apps usually communicate over encrypted connections anyway. An app can send whatever it likes over an encrypted connection, and no one can peek inside.

Even if you trust the company, after your private data is stored on that app’s servers, it can do whatever it wants with it. While the privacy policy might say it’s not sold, it may be “shared with partners” or something like that, which often amounts to practically the same thing. The app might update its privacy policy to allow sharing of previously collected data in the future. And who’s to say a company isn’t doing bad things with your data in violation of its privacy policy? How would you even know?

Consider your decision carefully when an app wants access to your contacts, photos, or other private data. Deny the permission request if you don’t trust the app. If you’re installing an older Android app, don’t install the app if it requires permissions with which you’re uncomfortable.

Stay away from browser extensions that want access to all your browsing history, too, unless you trust the company not to abuse that access. Chrome extensions are frequently sold, turn evil, and abuse their permissions to snoop on you. Google’s Chrome Web Store struggles to keep on top of this problem. It’s not just a Chrome problem, though. Mozilla’s add-on site struggles with the same problem.

Don’t Trust the App Store to Save You

Apple, Google, Microsoft, and other companies running app stores don’t necessarily have your back when it comes to your data. Even when the store’s policies are clear and on your side, they aren’t necessarily enforced. Apple might take six months to pull down an app that’s misbehaving, and that’s for the apps we know about. Google is continually removing bad apps from Google Play, too. Chrome and Firefox extensions frequently abuse the trust users place in them.

Just because you get an app from an app store, that doesn’t mean the app store is protecting your data. You should still only download apps you trust and be careful about what data you share with those apps. If you don’t trust a company, don’t give its app access to your contacts or other private data you don’t want to share.

It would be nice if we could trust app stores to enforce more protections around our private data, but instead, we’re just getting mandated fine print. We don’t think you should be paranoid, but be warned: You can’t rely on Apple, Google, or Microsoft to make these apps behave nicely.

That doesn’t mean the app stores are bad. They’re probably still safer than getting apps from outside the stores. But they don’t protect users as much as we’d like.