Security & Trust

What this app does — and doesn't do

DownloadThat requests very few Android permissions and processes everything locally on your device. This page explains every permission the app uses, why Android may warn you during beta installation, and the current Play Store status.

Permissions

The app declares only one Android permission:

PermissionStatusWhy
INTERNET Required Used to fetch videos, audio, and images from the websites you specify. No background network access occurs without your explicit request.
Contacts, SMS, Call log Not present The app never reads or writes your contacts, messages, or call history.
Location Not present The app does not access your location.
Camera / Microphone Not present The app does not use the camera or microphone.
Accessibility service Not present No accessibility service overlay or screen-reading permission is declared.
Install packages Not present The app cannot install other apps or update itself.
Device admin / Overlay Not present No device administrator or system overlay permission is declared.

Local-only processing

Downloads are performed directly from the source website to your device storage. No intermediary server is involved for the media itself. Your download history and settings are stored in a local database on your device. Nothing is sent to our servers unless you explicitly use a feature that requires it (e.g. license key validation).

Why Android warns you during beta installation

Google Play Protect and Android's installer warn users when an app is installed from outside the Google Play Store. This warning appears for all apps that are not yet in the Play Store — regardless of their actual safety profile.

DownloadThat is currently distributed as a direct sideload APK because the Google Play internal testing track is not yet active. The warning reflects the distribution channel, not the app's behavior or intent.

What to do: Tap "Install anyway" if you received the APK link directly from the project owner. Do not disable Play Protect permanently — it protects you from genuinely malicious apps.

Play Console status

The developer account is being set up. Google Play internal testing is expected to become available within the next few weeks. Once the testing track is active, distribution will move to the Play Store and the sideload flow will be retired.

Release integrity

Every release APK is built by GitHub Actions (not a local machine), signed with a stable release keystore, and the SHA-256 checksum is published alongside each release. You can verify the checksum of the APK you downloaded against the published hash on the GitHub release page.

Contact and responsible disclosure

If you find a security issue, please report it privately to [email protected] before disclosing it publicly.