Abril 20, 2020

What are the risks of sideloaded Android applications?

Joel Snyder

“Sideloading” is like downloading or uploading … only different. Sideloading means that you’re moving files between two devices, usually next to one another, and was originally done only over USB or by inserting a memory card. It’s an old technique in the world of technology, and gained wide use when MP3 players became popular, and music was sideloaded from a PC after being downloaded from the internet.

When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same — you are moving an Android Package (APK) file containing an application to an Android phone so that it can be manually installed. However, it’s now taken on a broader definition: The installation of any application outside of the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an application from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.

 

How do sideloading and security interact?

Sideloading is considered a security risk. Out of the box, Android phones don’t allow it. Android blocks applications from unknown sources. “Unknown” is naturally a vague term, but for most users means any application store not preloaded as trusted by their phone manufacturer — usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone, for example, won’t load applications from other phone manufacturers, as they constitute an “unknown source.”

If you want to sideload applications, either by installing them manually or from some other Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings > Lock Screen and Security menu (“Unknown Sources”). If you turn that on, you can load any application you want.

Starting with Android 8 (“Oreo”), things get much more serious: You give each application individual permission to sideload rather than set it up as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. Android 8’s sideload strategy is much more secure, because you pick the apps you want to allow to sideload. If you give permission, for example, to Amazon Underground, which includes Amazon’s app store, then you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.

Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. No one will claim that Google’s Play Protect will keep all malware off of Android phones, but the risk is much higher when end users install applications that they find lying around the internet or on hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.

 

What if you need to sideload?

Sideloading isn’t always a risk. In fact, it may be required if you’re developing in-house applications, not just for testing but even for application deployment. If sideloading is required for your infrastructure, there are a couple of options for managing it.

One of the best is to continue to go through Google’s Play Store. Applications that aren’t publicly available can still be managed by Google’s infrastructure, which removes the requirement to develop your own app store or worry about how applications will be installed and potentially give inappropriate permissions. Google calls these “private apps,” which can either be hosted on a managed Google Play store or even stored on your own organization’s servers.

If the application is stored on Play Store servers, you can simply link it to a managed Google Play private to your organization that uses Google’s app store infrastructure. As an alternative, you can store the application on your own servers, and simply load the pointer to the information (the APK definition file) on Google’s Play Store. In either case, users who are part of your organization will see the application in their normal Play Store and can download it easily. You can even manage these applications within the Play Store using your normal mobile device management (MDM) or enterprise mobility management (EMM) tool, if they support the Google Play Custom App Publishing application programming interface (API) — which most do.

If you only want a few users, such as developers, to install a few specific applications, then you can also simply distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — then to disable that feature when they’re done installing. You can also (usually) push the application down directly from your MDM/EMM to individual users’ phones.

 

Securing the app supply chain

IT managers should definitely start with sideloading disabled, and should use their MDM/EMM consoles to ensure that users cannot override that setting. For most organizations, most users have no real need to sideload nonenterprise applications. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), a little user education on the risks involved may help.

Asking users to balance their need for that “special” app against the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.

When there’s a legitimate need, this feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually do not support selecting specific Android 8 (“Oreo”) per-application installation permissions. This means that if you give a user or group permission to install applications, they won’t have the safety rails to keep them from falling victim to tricky malware.

 

If you can’t beat ‘em, secure ‘em

If you’d like to accommodate users who want to sideload on their corporate smartphone, another, more secure option is to use containerization or work/home profile features within Android. This option requires more resources and support than simply granting permission, but may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. Android Enterprise’s work profile feature or Samsung’s Knox Platfom for Enterprise lets IT managers partition an Android device so that sideloaded apps can be contained in the nonwork part of the phone, which minimizes their potential damage.

Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate and Google App stores. Avoid it if you can, and control it carefully if you can’t.

 

Discover more ways that Samsung’s business security solutions help protect enterprise data on workplace devices.

 

[Ícono] cerrar

Comenzar con Samsung Knox

[Ícono] maletín
¿Es un distribuidor, un proveedor de soluciones o un proveedor de servicios?

Conviértase en socio de Knox y haga crecer su empresa hoy mismo.

[Ícono] información

Seleccione un producto Knox para comenzar:

Paquete todo en uno
Knox Suite
Cambios de marca y personalización
Knox Configure
Protección contra el fraude y el robo
Knox Guard
Plan de protección de dispositivos
Samsung Care+ for Business
Otros productos y servicios

Comience con

[Imagen] Knox Suite

Paquete de soluciones todo en uno para ofrecer movilidad empresarial.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Un conjunto completo de herramientas para proteger, implementar, administrar y analizar los dispositivos corporativos.
  • Pruebe funciones potentes incluidas en el paquete de Knox Suite.

Knox Suite incluye lo siguiente:

Knox Mobile Enrollment Gratuita
Knox Manage
Knox E-FOTA
Knox Asset Intelligence
Knox Platform for Enterprise Gratuita
Soporte remoto de Knox
Knox Capture
Knox Authentication Manager

Comience con

[Imagen] Logotipo de Knox Configure

Personalice sus dispositivos Samsung y cámbieles la marca.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Configure de forma remota los dispositivos Samsung en masa y personalícelos según las necesidades específicas, desde el primer momento.
  • Configure sus dispositivos para una implementación de una sola vez o actualícelos cuantas veces quiera.

Comience con

[Ícono] Logotipo de Knox Guard

Protección contra el fraude y el robo para dispositivos Samsung.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Reduzca los riesgos financieros y proteja los activos mediante el control remoto de dispositivos Samsung.
  • Pruebe todas las funciones de Knox Guard, incluidos el control de SIM y el bloqueo de dispositivos.

Comience con

[Imagen] Logotipo de Samsung Care Plus For Business

Planes de protección de dispositivos para dispositivos Samsung.

  • Limite las interrupciones empresariales con reparaciones y reemplazos de dispositivos rápidos. Comuníquese con el equipo de ventas de Samsung para comenzar.
  • Vea toda la cobertura para dispositivos e información de reclamaciones en un solo lugar.
  • ¿Ya compró Samsung Care+ for Business? Cree una cuenta y active su plan en la consola Samsung Care+ for Business.

Otros productos y servicios

[Imagen] Otros logotipos

Soluciones modernas para abordar sus necesidades únicas.

  • Obtenga soporte técnico eficiente de un administrador de cuentas dedicado con el Soporte técnico empresarial.
  • Cree dispositivos a medida para su empresa mediante Samsung Software Customization Service.
CONTACTAR CON VENTAS