1. Home
  2. Blog
  3. What are the risks of sideloaded Android applications?
April 20, 2020

What are the risks of sideloaded Android applications?

Joel Snyder

“Sideloading” is like downloading or uploading … only different. Sideloading means that you’re moving files between two devices, usually next to one another, and was originally done only over USB or by inserting a memory card. It’s an old technique in the world of technology, and gained wide use when MP3 players became popular, and music was sideloaded from a PC after being downloaded from the internet.

When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same — you are moving an Android Package (APK) file containing an application to an Android phone so that it can be manually installed. However, it’s now taken on a broader definition: The installation of any application outside of the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an application from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.

 

How do sideloading and security interact?

Sideloading is considered a security risk. Out of the box, Android phones don’t allow it. Android blocks applications from unknown sources. “Unknown” is naturally a vague term, but for most users means any application store not preloaded as trusted by their phone manufacturer — usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone, for example, won’t load applications from other phone manufacturers, as they constitute an “unknown source.”

If you want to sideload applications, either by installing them manually or from some other Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings > Lock Screen and Security menu (“Unknown Sources”). If you turn that on, you can load any application you want.

Starting with Android 8 (“Oreo”), things get much more serious: You give each application individual permission to sideload rather than set it up as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. Android 8’s sideload strategy is much more secure, because you pick the apps you want to allow to sideload. If you give permission, for example, to Amazon Underground, which includes Amazon’s app store, then you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.

Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. No one will claim that Google’s Play Protect will keep all malware off of Android phones, but the risk is much higher when end users install applications that they find lying around the internet or on hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.

 

What if you need to sideload?

Sideloading isn’t always a risk. In fact, it may be required if you’re developing in-house applications, not just for testing but even for application deployment. If sideloading is required for your infrastructure, there are a couple of options for managing it.

One of the best is to continue to go through Google’s Play Store. Applications that aren’t publicly available can still be managed by Google’s infrastructure, which removes the requirement to develop your own app store or worry about how applications will be installed and potentially give inappropriate permissions. Google calls these “private apps,” which can either be hosted on a managed Google Play store or even stored on your own organization’s servers.

If the application is stored on Play Store servers, you can simply link it to a managed Google Play private to your organization that uses Google’s app store infrastructure. As an alternative, you can store the application on your own servers, and simply load the pointer to the information (the APK definition file) on Google’s Play Store. In either case, users who are part of your organization will see the application in their normal Play Store and can download it easily. You can even manage these applications within the Play Store using your normal mobile device management (MDM) or enterprise mobility management (EMM) tool, if they support the Google Play Custom App Publishing application programming interface (API) — which most do.

If you only want a few users, such as developers, to install a few specific applications, then you can also simply distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — then to disable that feature when they’re done installing. You can also (usually) push the application down directly from your MDM/EMM to individual users’ phones.

 

Securing the app supply chain

IT managers should definitely start with sideloading disabled, and should use their MDM/EMM consoles to ensure that users cannot override that setting. For most organizations, most users have no real need to sideload nonenterprise applications. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), a little user education on the risks involved may help.

Asking users to balance their need for that “special” app against the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.

When there’s a legitimate need, this feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually do not support selecting specific Android 8 (“Oreo”) per-application installation permissions. This means that if you give a user or group permission to install applications, they won’t have the safety rails to keep them from falling victim to tricky malware.

 

If you can’t beat ‘em, secure ‘em

If you’d like to accommodate users who want to sideload on their corporate smartphone, another, more secure option is to use containerization or work/home profile features within Android. This option requires more resources and support than simply granting permission, but may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. Android Enterprise’s work profile feature or Samsung’s Knox Platfom for Enterprise lets IT managers partition an Android device so that sideloaded apps can be contained in the nonwork part of the phone, which minimizes their potential damage.

Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate and Google App stores. Avoid it if you can, and control it carefully if you can’t.

 

Discover more ways that Samsung’s business security solutions help protect enterprise data on workplace devices.

 

You may also like:
GO TO BLOG →
Knox for Business
Get to know the Knox Asset Intelligence Security Center
We are excited to announce the official launch of our Knox Asset Intelligence Security Center for all Samsung Knox customers.
April 9, 2024
News
Making license registration easier for Knox customers
If you’re a Knox customer, the days where you have to manually enter license keys in your Knox Admin Portal have come to an end.
April 8, 2024
Product Updates
Knox cloud service 24.04 release
Learn more about the latest features in the latest Knox cloud service release.
April 5, 2024
[Icon] close

Get started with Samsung Knox

[Icon] suitcase
Are you a reseller, solution provider, or service provider?

Become a Knox Partner and grow your business today.

[Icon] info

Select a Knox product to start with:

All-in-one Bundle
Knox Suite
Rebranding and Customization
Knox Configure
Fraud and Theft Protection
Knox Guard
Device Protection Plan
Samsung Care+ for Business
Other products & services

Get started with

[Image] Knox Suite

All-in-one solution bundle for enterprise mobility.

  • Get a free 90-day trial for up to 30 devices.
  • A complete set of tools to secure, deploy, manage, and analyze your corporate devices.
  • Try powerful features bundled with Knox Suite.

Knox Suite includes:

Knox Mobile Enrollment Free
Knox Manage
Knox E-FOTA
Knox Asset Intelligence
Knox Platform for Enterprise Free
Knox Remote Support
Knox Capture
Knox Authentication Manager

Get started with

[Image] Knox Configure Logo

Rebrand and customize your Samsung devices.

  • Get a free 90-day trial for up to 30 devices.
  • Remotely configure Samsung devices in bulk and tailor them to specific needs, right out of the box.
  • Set up your devices for a one-time deployment, or update them as much as you want.

Get started with

[Icon] Knox Guard Logo

Fraud and theft protection for Samsung devices.

  • Get a free 90-day trial for up to 30 devices.
  • Reduce financial risks and protect assets by remotely controlling Samsung devices.
  • Try all the features of Knox Guard, including SIM control and device locking.

Get started with

[Image] Samsung Care Plus For Business Logo

Device protection plans for your Samsung devices.

  • Limit business interruptions with quick device repairs and replacements. Contact the Samsung sales team to get started.
  • See all your device coverage and claim information in one place.
  • Already purchased Samsung Care+ for Business? Create an account and activate your plan on the Samsung Care+ for Business console.

Other products & services

[Image] Others logo

Modern solutions to address your unique needs.

CONTACT SALES