Trust
How we verify every app
Every Trust Report is built the same way — the same checks, in the same order, with dates on everything.
Where downloads come from
Every report starts at the source. We download each build ourselves, directly from the developer's official release channel — their own domain, their signed releases. We never link to mirrors, bundlers or download portals, because that is where most tampering happens.
If we cannot confirm an official source for a build, the report says so plainly, and we don't link to it.
What we check
Nine checks, run in the same order for every app. No app skips a step, and no step is weighted more than the report shows.
- Official source. The download link points to the developer's own domain or verified release channel — never a mirror, never an aggregator.
- Code signature & notarization. The binary is signed by the developer and the certificate chain validates. On macOS we also verify notarization; on Windows, the Authenticode signature.
- SHA-256 checksum. We compare our download against the developer's published checksum. If none is published, we compute and publish one ourselves.
- Malware scan. The file goes through a multi-engine malware scan. The result — including the engine count — is recorded in the report with a date.
- Permissions. Every permission the app requests, listed exactly as declared, so you can see what it can reach before you install it.
- Trackers. We inspect the app package for known tracker SDKs and cross-reference against observed network endpoints — behavior, not the privacy policy.
- Known CVEs. Published vulnerabilities affecting the current release, and whether the shipping version has patched them.
- Data policy summary. What the developer's privacy policy says is collected and linked to you, restated in plain words with a link to the source.
- Signs of life. Recent releases, active repositories and responsive maintainers — whether the project is still being cared for.
What the statuses mean
We state, we don't score. There are no numeric scores and no letter grades anywhere on Altapp, because a single number would hide exactly the reasoning you came here to see. Instead, every check carries one of four statuses:
- Verified. We performed the check ourselves and the evidence matched what the developer claims.
- Reported. The claim comes from the developer or a third party. We cite it, but we haven't independently reproduced it.
- Not applicable. The check doesn't apply to this kind of app — notarization for a web app, for example.
- Unknown. We couldn't complete the check. Absence of evidence is stated as such, never guessed around.
How often reports refresh
A Trust Report is never evergreen. Each check carries its own freshness window: fast-moving checks like the malware scan and CVE review re-run frequently, while slow-moving facts like license and developer identity are revisited on a longer cycle. When a window expires, the check is re-run before the page shows it as current — and every result carries the date it was performed.
A new release resets the clock. Findings are only ever claimed for the version they were measured on.
Sponsored content
If a placement is ever paid for, it is labeled as sponsored and kept visually separate from organic results — always. Sponsorship never touches a Trust Report: the checks, the statuses and the verdict are the same whether anyone pays or not.
Questions about the method, or evidence we should look at? Read why Altapp exists or write to hello@altapp.store.