If you don’t trust Google Play / Apple Store apps (why?)
This is Google Play specifically, I can’t say anything about App Store.
Most likely off-topic, but just so people can understand the risks.
Whenever you download and install an application on Google Play, these data are automatically transmitted to the developer via the Play Developer Console:
System-on-chip name
Application binary interface
Number of cores
GraphicsLibraryES Version
Available RAM
Screen class
Density class
Screen width
Screen height
Device-independent pixel width
Device-independent pixel height
Screen refresh rate (for some apps, usually games)
Android version
Android SDK
Device brand
Device model
Device Manufacturer (OEM)
Virtual Machine
Android ID (supposed to be reserved for “privileged” apps)
Advertising ID
Play Referral ID
Root state (especially for security-oriented and banking apps)
SafetyNet attestation state (for security-oriented and banking apps)
Available sensors (including significant_motion, wake_gesture, glance_gesture, and stationary_detect sensors; typically for pedometer utilities, navigation apps, etc.)
Google Account email (ostensibly for feedback, but take a moment to contemplate the many ways in which this could be abused)
Approximate location (borough, county, city, state, etc.)
Country
Region
(Preferred) Language
Installation date and time
Uninstallation date and time (also used to arbitrate refunds)
When you buy an app (or subscribe to an ezine) via Google Play, or perform an in-app transaction, these data are also transmitted:
Asset purchased
(Subscription schedule)
Transaction value
Transaction currency
Transaction date and time
Transaction state
Card Issuer
Resolving merchant and/or bank
These sensitive points are transmitted the moment the application is installed by the Google Play client. You don’t have to launch the app.
This is why app bundling and geolocking are possible on Google Play.
Now, just imagine you downloaded spyware via the Play Store…
Source: https://web.archive.org/web/20220407133857/https://www.reddit.com/r/fdroid/comments/kxf860/is_there_any_difference_between_downloading_an/gjbkj0x (web archive because for some reason r/fdroid became a private subreddit)