The FBI told smartphone users in a March 2026 public service announcement to “only download verified apps from official app stores” and to “disable unnecessary data sharing,” two steps the bureau says can reduce the risk of personal data being siphoned by foreign-developed mobile applications. The warning builds on guidance the agency first issued in 2020 about mobile banking apps, and it aligns with separate consumer advice from the Federal Trade Commission on reviewing app permissions. Together, these federal directives amount to a clear, practical checklist for anyone who installs apps on a phone, yet no agency has published data showing how many users actually follow the steps or how much data exposure drops when they do.
Why the FBI’s app-store warning carries weight right now
The FBI’s Internet Crime Complaint Center issued its alert on foreign-developed apps, a 2026 public notice, at a time when millions of people routinely grant broad permissions to software they download from links shared on social media, messaging threads, or unofficial websites. The bureau’s language is direct: stick to official app stores and turn off data-sharing features that an app does not need to function. Those two actions target the most common entry points for data collection by apps whose developers operate under legal frameworks that may compel them to hand user information to foreign governments.
The same core advice appeared in a 2020 FBI notice focused on mobile banking. That earlier alert recommended obtaining smartphone apps only from trusted sources, such as official app stores or bank websites, and framed sideloaded apps as a potential conduit for credential theft. By reiterating essentially the same rule six years later in a broader context, the bureau signals that the underlying threat has not faded. Instead, the expansion from banking-specific concerns to a general caution about foreign-developed apps suggests that more categories of software now pose similar risks to personal data.
A reasonable hypothesis follows from the FBI and FTC materials: smartphone users who restrict app permissions and limit downloads to official stores should see measurably lower volumes of personal data transmitted to unknown servers within 30 days. That outcome could be tested through device telemetry studies comparing data traffic before and after users apply the recommended settings. No federal agency has published such a study, which leaves the practical payoff of following the advice supported by threat logic rather than measured results, even as the guidance grows more emphatic.
Federal agencies and NIST agree on why official stores matter
The FBI’s recommendation to use official app stores is not just a preference. NIST’s Mobile Threat Catalogue explains the structural difference: official stores typically require verified developer identities and evaluate submissions for exploit code or privacy-invasive behaviors, while third-party stores may skip those checks entirely. That gap means an app downloaded from an unofficial source is more likely to contain hidden data-collection routines or outright malware, because no independent review stood between the developer and the user’s device.
The FTC adds a second layer of defense. Its consumer guidance on how apps collect and use personal information advises users to check their phone’s privacy settings, review what each app can access, and turn off permissions that are not necessary for the app to work. If an app asks for access to contacts, location, or the microphone without a clear reason, the agency says users should consider deleting it. This recommendation appears in an explainer on how apps gather personal data, which emphasizes that permissions are often broader than users realize. That step addresses a problem the FBI warning alone does not fully cover: even apps from official stores can collect more data than users expect if permissions are left at their defaults.
Taken together, the FBI, FTC, and NIST guidance forms a three-part filter. First, choose the source carefully by sticking to official stores, which reduces the chance of installing outright malicious software. Second, verify that each app does not demand access to data it has no reason to touch, trimming back unnecessary exposure. Third, disable sharing features that broadcast personal information to servers the user cannot identify. Each step reduces a distinct category of risk, from malware injection to passive data harvesting, and none of them requires specialized technical skills.
What the agencies have not measured or disclosed
The biggest gap in the federal guidance is the absence of hard numbers. Neither the 2026 nor the 2020 FBI public service announcement includes incident counts, breach statistics, or case studies tied specifically to third-party app stores. The NIST threat catalogue describes the mechanism of risk but does not quantify how often sideloaded apps actually compromise user data. The FTC’s consumer page lists protective actions without any before-and-after measurement of data exposure once users change their settings, leaving readers to infer the magnitude of the benefit.
That missing data matters because it makes it difficult for users to gauge how urgent the advice really is. A person who has used a third-party app store for years without an obvious problem may dismiss the FBI’s warning as generic caution. Without published figures showing, for example, the share of malicious apps found on unofficial stores versus official ones, or the volume of data transmissions blocked after users revoke unnecessary permissions, the guidance relies on institutional authority rather than transparent evidence. The result is a set of recommendations that are logically sound but empirically thin in the public record.
There is also no public survey data showing how many smartphone owners currently follow the recommended practices. Adoption rates would help agencies target their messaging. If most users already stick to official stores, the priority shifts to permission management and disabling unnecessary sharing. If sideloading remains common in specific demographics or regions, outreach could be tailored accordingly, focusing on those communities where risk is highest. Neither the FBI nor the FTC has released that kind of breakdown, at least in the materials they have made easily accessible to consumers.
For users who want to act on the federal guidance despite these gaps, the practical steps are straightforward. On both major mobile platforms, security starts with the settings that control where apps can be installed from; leaving those restricted to official stores aligns directly with FBI advice. The next layer is a one-time review of every installed app’s permissions, removing access to contacts, photos, microphone, camera, or location unless the app clearly needs them to function. Finally, turning off in-app options that share analytics, usage data, or advertising identifiers with third parties narrows the stream of information that can be aggregated elsewhere.
Those steps will not eliminate all mobile risk, and federal agencies have yet to quantify exactly how much protection they provide. But the alignment between the FBI’s 2026 alert on foreign-developed apps, its earlier banking-focused warning, and the FTC’s consumer privacy advice suggests a durable consensus on what users can control today. Until agencies pair that consensus with public metrics on outcomes, smartphone owners are being asked to take these precautions on trust: trust that the threat models described in official documents match the realities on their own devices.
*This article was researched with the help of AI, with human editors creating the final content.