Quick Answer: The official Tachiyomi APK is safe its source code is publicly auditable on GitHub, it requests minimal permissions, and it collects no personal data. The actual risks come from unofficial APK mirrors and unvetted third-party extensions. Download only from tachiyomi.site and stick to the official extension repository.
Every week, someone on a manga forum asks some version of the same question: "I'm about to install Tachiyomi and my phone is warning me about unknown apps should I be worried?" It's a fair concern. You're bypassing the Play Store, dismissing a Google security warning, and installing software from a source most people haven't heard of. That combination triggers reasonable skepticism.
The actual security picture is more nuanced than "yes, it's totally fine" or "no, it's dangerous." The app itself has a clean record. But the ecosystem around it APK mirrors, third-party extension repositories, the source websites those extensions connect to has real variation in trustworthiness. This guide separates each layer and tells you exactly where the risk is and isn't.
Is Tachiyomi Safe? The Short, Honest Answer
Tachiyomi is a free, open-source Android manga reader whose entire source code is publicly available and has been independently reviewed by the developer community for years. There is no documented case of the official Tachiyomi APK or its successor Mihon containing malware, spyware, adware, or data-harvesting code.
That said, "safe" is conditional here. The app is safe. An unofficial, modified version of the app downloaded from a random APK mirror site? That's a different question entirely and it's the question that most people are actually at risk from without realizing it.
The security of your Tachiyomi experience depends on three separate variables: where you got the APK, which extensions you installed, and which source websites those extensions connect to. The official app scores well on all three by default. The moment you deviate from official sources, you take on risk that the app's open-source nature can't protect you from.
Does Tachiyomi Have Malware, Spyware, or Adware?
The official APK does not. This isn't just a claim it's verifiable. The Tachiyomi source code was hosted publicly on GitHub from the project's inception until its archival in early 2024, and its successor Mihon continues that transparency. Any developer can and the community has reviewed the codebase for suspicious behavior.
When you download an open-source app from its official repository, you're getting a binary that corresponds to code anyone can read. That's a fundamentally stronger security position than closed-source apps, including many mainstream paid apps on the Play Store, where you have no visibility into what the code actually does.
The documented risk vector is unofficial mirrors. Sites that host "Tachiyomi APK free download" or "latest Tachiyomi mod" are distributing binaries you cannot verify. Some of these have been reported by community members to include injected ad SDKs code that wasn't in the original and generates revenue for whoever repackaged the APK. That's adware, and it comes from the mirror, not from Tachiyomi.
What Permissions Does Tachiyomi Actually Need?
One of the clearest signals of whether an app is trustworthy is the permissions it requests and more importantly, whether those permissions match what the app actually needs to do.
Tachiyomi requests a small, justified set:
| Permission | Why It's Needed | Risk Level |
|---|---|---|
| Internet access | Fetch manga from source servers | Low — expected for any content app |
| Storage (read/write) | Save downloaded chapters offline | Low — needed for offline reading |
| Notification access | Chapter update alerts | Low — optional feature |
| Vibration | Reader haptic feedback | None |
| Wake lock | Keep screen on while reading | None |
| Recommended for | Privacy-conscious Android users | ✅ No location, contacts, camera, or microphone |
Notice what's absent: no location access, no contacts, no camera, no microphone, no access to your messages or call logs. Those are the permissions that signal data harvesting. Tachiyomi doesn't request any of them because it has no business reason to.
Compare this to some free manga apps on the Play Store that request location and contacts permissions with no plausible connection to reading comics and the permission profile starts to look like a genuine advantage for Tachiyomi.
Why Does Google Play Protect Warn About Tachiyomi?
When you install Tachiyomi, you'll almost certainly see a Play Protect warning. On some Android versions it says the app "may be harmful"; on others it prompts you to send the APK to Google for scanning. Neither of these means Tachiyomi is actually harmful.
Play Protect is designed to scan apps installed through the Play Store and apps Google has previously scanned. When it encounters a sideloaded APK it hasn't catalogued, the default response is a warning regardless of the app's actual safety profile. It's a provenance check, not a malware detection.
The practical implication: if you downloaded the APK from tachiyomi.site, you can safely dismiss the Play Protect warning. If you downloaded it from a site you found via a search ad or a random Discord link, the warning is actually meaningful don't dismiss it. Verify your source first.
To verify the APK before installing:
Step 1: Note the file size of the APK you downloaded.
Step 2: Cross-reference it with the file size listed on the
official GitHub releases page (github.com/tachiyomiorg or mihon.app).
Step 3: If you want deeper verification, upload the APK to
virustotal.com — it scans against 70+ antivirus engines.
Step 4: Check the APK's SHA-256 hash if the official release
page publishes checksums (Mihon does).The Real Risk: Unofficial APK Mirrors
This is the part most "is Tachiyomi safe" articles skip. The app is safe. The mirror ecosystem is not uniformly safe. And because searching for "Tachiyomi APK download" returns dozens of third-party sites before (or instead of) the official one, a lot of people end up at mirrors without realizing it.
What happens at unofficial mirrors varies. In the best case, they're hosting a legitimate old version of the app outdated but not harmful. In worse cases, they've repackaged the APK with additional code. That code might be an aggressive ad SDK, an analytics payload, or in documented extreme cases, spyware.
You have no way to verify a mirror's binary without checking the APK signature or running a hash comparison. Most people don't do either. The practical defense is much simpler: bookmark tachiyomi.site and never download from anywhere else. That takes ten seconds and eliminates the primary risk vector entirely.
| Source | Trust Level | Verification Possible? |
|---|---|---|
| tachiyomi.site | ✅ Official | Yes — matches GitHub release |
| mihon.app | ✅ Official successor | Yes — SHA-256 checksums published |
| GitHub Releases page (tachiyomiorg/Mihon) | ✅ Official | Yes — signed by maintainers |
| F-Droid | ⚠️ Third-party repo | Partial — F-Droid signs its own builds |
| "APK download" sites (not above) | ❌ Unofficial mirror | No guarantee |
| Modified/Modded APK sites | ❌ High risk | No — binary integrity unknown |
| Recommended for | Safe install | Use top three sources only |
Extension Safety: What You’re Actually Connecting To
Extensions are where the security picture gets more complex and where most security guides stop doing the work.
An extension is a small plugin that tells Tachiyomi how to read content from a specific manga host. The extension code itself is reviewed by Tachiyomi/Mihon maintainers before it is added to the official repository. That review covers obvious malicious behavior the extension shouldn't be doing anything other than fetching manga content.
What the review doesn't cover is the manga host's own behavior. When you install the MangaDex extension and browse MangaDex, you're connecting to MangaDex's servers, subject to MangaDex's privacy practices. For a platform like MangaDex, that's fine they're a legitimate operation with a published privacy policy.
For unofficial or piracy-oriented source hosts, the picture is different. Those servers may log your IP, serve aggressive ad overlays with misleading close buttons, or in edge cases attempt to push additional software through browser-like pop-ups in the reader. The extension doesn't introduce these risks the host site does.
Three extension safety tiers:
Official Tachiyomi/Mihon Repository
Extensions in the official repository have been reviewed by maintainers. They're as safe as the source hosts they connect to. Use these by default.
Unofficial Extension Repositories
Third-party repos operate outside the official review process. Some are maintained carefully; others aren't. If you add a third-party repo, you're accepting that those extensions haven't been audited by anyone accountable to the project.
Individual Extension APKs from Unknown Sources
Never install an extension by sideloading a standalone APK someone linked you to on Discord or a forum. An extension is just code there's no reason a legitimate one couldn't be delivered through the standard repo mechanism.
Security Benchmarks: How Tachiyomi Compares
For context on where Tachiyomi sits relative to other manga reading options:
| App | Open Source | Permissions | Data Collection | APK Source |
|---|---|---|---|---|
| Tachiyomi / Mihon | ✅ Yes | Minimal | None (official) | Sideload required |
| MangaDex (website) | Partial | N/A (browser) | Standard web analytics | Play Store / browser |
| Viz Media app | ❌ No | Moderate | Account data | Play Store |
| Shonen Jump app | ❌ No | Moderate | Account + reading data | Play Store |
| Generic "free manga" apps | ❌ No | Often excessive | Unknown | Play Store |
| Recommended for | Security-aware users | Tachiyomi wins clearly | Tachiyomi wins | Tie (Play Store is easier; sideloading is safer if done correctly) |
Data based on publicly available permission disclosures and privacy policies. Verify current permissions before installing any app.
The trade-off is that Play Store apps go through Google's review process, which catches obvious malware but misses subtler data-collection practices. Open-source sideloaded apps skip that review but give you the source code to audit instead. For a security-aware user who downloads from the right place, Tachiyomi's model is at least as safe as mainstream alternatives.
Who Should and Shouldn’t Use Tachiyomi
If you are a casual user who wants maximum simplicity: Tachiyomi is safe, but it requires you to install it correctly and be thoughtful about which sources you use. If you can follow the install guide and stick to official extension sources, the security overhead is genuinely minimal. If you'd rather not think about it at all, the official apps from licensed manga publishers carry less user-side responsibility.
If you are a regular manga reader who values privacy: Tachiyomi is a strong choice. It makes no network requests beyond the manga sources you deliberately access, creates no user account, and stores everything locally. Compared to apps that tie your reading history to an account and share it with advertisers, Tachiyomi's data footprint is essentially zero.
If you are a parent setting this up for a child: Be aware that extensions connect to external websites, some of which may host mature content or serve aggressive ads. Restrict extension installs to MangaDex or other vetted sources, and be aware that the app itself has no content filtering features; parental controls would need to come from your Android device's OS-level settings.
Is Tachiyomi Legal? Where the Line Actually Is
The app itself is legal. It's software there's no legal prohibition on installing a manga reader on your own Android device. The legality question is about what content you access through it.
Extensions that connect to officially licensed platforms operate in a legal gray zone that's tolerated by many publishers. Extensions that connect to sites hosting pirated scans without authorization from rights holders are in a clearer gray-to-red zone, and the legal exposure is on the user and the hosting site, not on the app.
This is why Tachiyomi was shut down the original maintainers received legal pressure related to specific extensions in their official repository, not the app itself. The response was to close the official project and launch Mihon without those contested extensions. The app architecture is legal. Specific uses of it may not be, depending on your jurisdiction and which sources you connect to.
The honest summary: if you use Tachiyomi with legitimate sources, you're in legally safe territory. If you use it primarily to access pirated content, the app isn't the source of your legal exposure but it isn't a shield either.
Security Best Practices for Tachiyomi Users
Good install hygiene covers most of the risk surface. Four practices that matter:
Download exclusively from official sources. Bookmark tachiyomi.site or mihon.app. Search results for "Tachiyomi APK download" will surface mirror sites above the official one ignore them. If you're not sure whether a URL is official, check the domain against what's listed on the project's GitHub page.
Revoke the install permission after setup. After installing Tachiyomi, go back to Settings → Apps → [your browser] → Install unknown apps and toggle it OFF. Leaving this permission enabled indefinitely makes your device more vulnerable to accidental APK installs from other sources.
Stick to the official extension repository. In Browse → Settings (or Extensions settings), verify the repository URL points to the official Tachiyomi or Mihon extension repo. Don't add third-party repositories unless you've researched them specifically and understand what you're accepting.
Verify the APK before installing if you have any doubt. Upload the APK to virustotal.com before opening it. It takes 60 seconds and scans against 70+ engines. A clean scan doesn't guarantee safety, but it catches the most common threat vectors.
Troubleshooting Security-Related Issues
Problem 1: Play Protect keeps blocking the install even after tapping "Install anyway"
Cause: Some Samsung and Xiaomi device profiles are configured to hard-block sideloaded apps that Play Protect flags.
Fix: Open the Play Store → profile icon → Play Protect → Settings → temporarily disable "Scan apps with Play Protect." Install Tachiyomi, then immediately re-enable the setting. This is safe to do for a known-good APK from the official source.
Problem 2: Antivirus app flags Tachiyomi after install
Cause: Most mobile antivirus apps flag sideloaded APKs generically, regardless of content.
Fix: This is almost certainly a false positive if you downloaded from the official source. Check the specific detection name a generic "PUP" or "potentially unwanted" flag on a sideloaded APK is not the same as a specific malware detection. You can verify by uploading the APK to virustotal.com before installing.
Problem 3: Tachiyomi is requesting permissions I didn't expect
Cause: Either you installed a version that's been modified (mirror download), or a new version added a feature with a new permission requirement.
Fix: Uninstall and download fresh from tachiyomi.site. Compare the permissions listed in the official GitHub release notes with those your install requests. If they don't match, you have a modified APK.
Problem 4: An extension is redirecting me to suspicious websites
Cause: The source host the extension connects to has implemented ad redirects or the extension itself is from a third-party repo with less oversight.
Fix: Uninstall the extension immediately. Go to Browse → Extensions, find the extension, and tap Uninstall. If it's from a third-party repository, remove that repo from your settings. Report the behavior to the Mihon GitHub if the extension came from the official repo.
Problem 5: Someone told me Tachiyomi gave their phone a virus
Cause: Almost always one of: they downloaded from a mirror, they installed a third-party extension, or they clicked through an ad overlay on a source website that attempted to install something.
Fix: Determine the actual source of the APK they installed. If it wasn't tachiyomi.site or mihon.app, the issue is the mirror, not Tachiyomi. If they're on the official app and experiencing strange behavior, a factory reset after backing up their data is the safest course of action.
FAQ
Q: Is Tachiyomi safe to use in 2024 and beyond?
The official Tachiyomi project has been archived, but its successor, Mihon, continues to be actively developed with the same codebase and security practices. Mihon is the recommended install for new users and is safe by the same criteria as Tachiyomi. Using either from the official distribution source or with official extensions is as secure as using most mainstream apps.
Q: Does Tachiyomi track what manga you read?
No. Tachiyomi doesn't have a backend server and doesn't create a user account, so there's nowhere for that data to go. Your reading progress is stored locally on your device. The only external parties that could have visibility into your reading are the manga source servers your extensions connect to, and that depends on the source's own logging practices.
Q: Can I get in trouble for installing Tachiyomi?
Installing the app itself carries no legal risk. The legal gray area involves using extensions to access content from unauthorized sources, a practice that varies by jurisdiction. The app is a tool; your use of that tool is where legal questions arise. Accessing licensed content through legitimate sources is unambiguously fine.
Q: Is the Mihon fork as safe as the original Tachiyomi?
Yes — Mihon is maintained by contributors from the original Tachiyomi project, uses the same codebase, and publishes its source code on GitHub. It's the actively maintained version and receives ongoing security patches that the now-archived Tachiyomi does not. For security purposes, Mihon is the safer choice going forward.
Q: Should I install Tachiyomi on a phone I use for banking?
It’s better to avoid installing Tachiyomi on the same phone you use for banking.
While Tachiyomi itself is an open-source Android app, installing any APK outside the Google Play Store carries some additional risk, especially if the file comes from an unofficial source. Your banking apps contain highly sensitive information, so it’s safer to keep your financial activities on a device with only trusted apps installed.
If you still want to use Tachiyomi on your main phone, download it only from the official source, keep Android updated, avoid modified APKs, and never install unknown extensions or apps from untrusted websites. For maximum security, using a separate device or profile for entertainment apps is the safer option.
Q: What should I do if I have already downloaded from a mirror site?
Uninstall it. Download the official APK from tachiyomi. site or mihon.app. Run the new install over the old one (Android will flag a signature mismatch if the signatures differ, that's your confirmation that the old one was modified). Check your battery and data usage after switching; if they normalize, the old install likely had background behavior that the official one doesn't.
Conclusion
Tachiyomi is safe when you treat it like any other open-source software: download from the verified source, install extensions from the official repository, and understand that the source websites those extensions connect to are outside the app's control.
Three steps to a secure Tachiyomi setup:
- Download from tachiyomi.site or mihon.app only — bookmark it now, before you go searching for the APK and end up on a mirror.
- Revoke the install permission immediately after setup — Settings → Apps → [your browser] → Install unknown apps → OFF.
- Stick to the official extension repository — if a source isn't available through official extensions, research it specifically before adding a third-party repo.
One honest caveat: the extension ecosystem is community-maintained, and "official" extensions still connect you to third-party servers that Tachiyomi's maintainers don't control. The app's security is as good as open-source software gets. The broader ecosystem requires you to stay thoughtful about which sources you access.
For the latest APK and extension updates, visit tachiyomi.site. The open-source model means security improvements happen continuously and publicly which is exactly the kind of transparency you want from software on your phone.
Latest Post:
