Permissions
The app declares only one Android permission:
| Permission | Status | Why |
|---|---|---|
INTERNET |
Required | Used to fetch videos, audio, and images from the websites you specify. No background network access occurs without your explicit request. |
| Contacts, SMS, Call log | Not present | The app never reads or writes your contacts, messages, or call history. |
| Location | Not present | The app does not access your location. |
| Camera / Microphone | Not present | The app does not use the camera or microphone. |
| Accessibility service | Not present | No accessibility service overlay or screen-reading permission is declared. |
| Install packages | Not present | The app cannot install other apps or update itself. |
| Device admin / Overlay | Not present | No device administrator or system overlay permission is declared. |
Local-only processing
Downloads are performed directly from the source website to your device storage. No intermediary server is involved for the media itself. Your download history and settings are stored in a local database on your device. Nothing is sent to our servers unless you explicitly use a feature that requires it (e.g. license key validation).
Why Android warns you during beta installation
Google Play Protect and Android's installer warn users when an app is installed from outside the Google Play Store. This warning appears for all apps that are not yet in the Play Store — regardless of their actual safety profile.
DownloadThat is currently distributed as a direct sideload APK because the Google Play internal testing track is not yet active. The warning reflects the distribution channel, not the app's behavior or intent.
What to do: Tap "Install anyway" if you received the APK link directly from the project owner. Do not disable Play Protect permanently — it protects you from genuinely malicious apps.
Play Console status
The developer account is being set up. Google Play internal testing is expected to become available within the next few weeks. Once the testing track is active, distribution will move to the Play Store and the sideload flow will be retired.
Release integrity
Every release APK is built by GitHub Actions (not a local machine), signed with a stable release keystore, and the SHA-256 checksum is published alongside each release. You can verify the checksum of the APK you downloaded against the published hash on the GitHub release page.
Contact and responsible disclosure
If you find a security issue, please report it privately to [email protected] before disclosing it publicly.