Aprile 20, 2020

What are the risks of sideloaded Android applications?

Joel Snyder

“Sideloading” is like downloading or uploading … only different. Sideloading means that you’re moving files between two devices, usually next to one another, and was originally done only over USB or by inserting a memory card. It’s an old technique in the world of technology, and gained wide use when MP3 players became popular, and music was sideloaded from a PC after being downloaded from the internet.

When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same — you are moving an Android Package (APK) file containing an application to an Android phone so that it can be manually installed. However, it’s now taken on a broader definition: The installation of any application outside of the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an application from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.


How do sideloading and security interact?

Sideloading is considered a security risk. Out of the box, Android phones don’t allow it. Android blocks applications from unknown sources. “Unknown” is naturally a vague term, but for most users means any application store not preloaded as trusted by their phone manufacturer — usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone, for example, won’t load applications from other phone manufacturers, as they constitute an “unknown source.”

If you want to sideload applications, either by installing them manually or from some other Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings > Lock Screen and Security menu (“Unknown Sources”). If you turn that on, you can load any application you want.

Starting with Android 8 (“Oreo”), things get much more serious: You give each application individual permission to sideload rather than set it up as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. Android 8’s sideload strategy is much more secure, because you pick the apps you want to allow to sideload. If you give permission, for example, to Amazon Underground, which includes Amazon’s app store, then you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.

Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. No one will claim that Google’s Play Protect will keep all malware off of Android phones, but the risk is much higher when end users install applications that they find lying around the internet or on hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.


What if you need to sideload?

Sideloading isn’t always a risk. In fact, it may be required if you’re developing in-house applications, not just for testing but even for application deployment. If sideloading is required for your infrastructure, there are a couple of options for managing it.

One of the best is to continue to go through Google’s Play Store. Applications that aren’t publicly available can still be managed by Google’s infrastructure, which removes the requirement to develop your own app store or worry about how applications will be installed and potentially give inappropriate permissions. Google calls these “private apps,” which can either be hosted on a managed Google Play store or even stored on your own organization’s servers.

If the application is stored on Play Store servers, you can simply link it to a managed Google Play private to your organization that uses Google’s app store infrastructure. As an alternative, you can store the application on your own servers, and simply load the pointer to the information (the APK definition file) on Google’s Play Store. In either case, users who are part of your organization will see the application in their normal Play Store and can download it easily. You can even manage these applications within the Play Store using your normal mobile device management (MDM) or enterprise mobility management (EMM) tool, if they support the Google Play Custom App Publishing application programming interface (API) — which most do.

If you only want a few users, such as developers, to install a few specific applications, then you can also simply distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — then to disable that feature when they’re done installing. You can also (usually) push the application down directly from your MDM/EMM to individual users’ phones.


Securing the app supply chain

IT managers should definitely start with sideloading disabled, and should use their MDM/EMM consoles to ensure that users cannot override that setting. For most organizations, most users have no real need to sideload nonenterprise applications. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), a little user education on the risks involved may help.

Asking users to balance their need for that “special” app against the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.

When there’s a legitimate need, this feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually do not support selecting specific Android 8 (“Oreo”) per-application installation permissions. This means that if you give a user or group permission to install applications, they won’t have the safety rails to keep them from falling victim to tricky malware.


If you can’t beat ‘em, secure ‘em

If you’d like to accommodate users who want to sideload on their corporate smartphone, another, more secure option is to use containerization or work/home profile features within Android. This option requires more resources and support than simply granting permission, but may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. Android Enterprise’s work profile feature or Samsung’s Knox Platfom for Enterprise lets IT managers partition an Android device so that sideloaded apps can be contained in the nonwork part of the phone, which minimizes their potential damage.

Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate and Google App stores. Avoid it if you can, and control it carefully if you can’t.


Discover more ways that Samsung’s business security solutions help protect enterprise data on workplace devices.


[Icon] chiudi

Comincia a utilizzare Samsung Knox

[Icona] valigia
Sei un rivenditore, un provider di soluzioni o un provider di servizi?

Diventa un partner Knox e fai crescere la tua azienda oggi.

[Icon] info

Seleziona un prodotto Knox per iniziare:

Soluzione completa
Knox Suite
Rebranding e personalizzazione
Knox Configure
Protezione da frodi e furti
Knox Guard
Piano di protezione dei dispositivi
Samsung Care+ for Business
Altri prodotti e servizi

Inizia a utilizzare

[Image] Knox Suite

Una soluzione completa in bundle, appositamente concepita per la mobilità aziendale.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Un set di strumenti completo per proteggere, distribuire, gestire e analizzare i dispositivi della tua azienda.
  • Prova le straordinarie funzionalità di Knox Suite

Knox Suite comprende:

Knox Mobile Enrollment Gratuito
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuito
Supporto remoto Knox
Knox Capture
Knox Authentication Manager

Inizia a utilizzare

[Image] Logo Knox Configure

Consenti il rebranding e la personalizzazione dei tuoi dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Configura da remoto i dispositivi Samsung in blocco e personalizzali in base alle tue esigenze specifiche per un uso immediato.
  • Configura i tuoi dispositivi per la singola distribuzione o aggiornali tutte le volte che vuoi.

Inizia a utilizzare

[Icon] Logo Knox Guard

Protezione da frodi e furti per i dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Riduci i rischi finanziari e proteggi gli asset controllando in remoto i dispositivi Samsung.
  • Prova tutte le funzionalità di Knox Guard, inclusi controllo della SIM e blocco del dispositivo.

Inizia a utilizzare

[Image] Logo Samsung Care Plus For Business

Piano di protezione per i dispositivi Samsung.

  • Limita le interruzioni delle attività con riparazioni e sostituzioni rapide dei dispositivi. Contatta l'ufficio vendite Samsung per iniziare.
  • Visualizza tutte le informazioni sulla copertura del tuo dispositivo e sul reclamo in un unico luogo.
  • Hai già acquistato Samsung Care+ for Business? Crea un account e attiva il piano nella console Samsung Care+ for Business.

Altri prodotti e servizi

[Image] Logo di altri prodotti

Soluzioni moderne per soddisfare le tue esigenze specifiche.

  • Ricevi supporto tecnico efficiente da parte di un account manager dedicato con Enterprise Tech Support.
  • Crea dispositivi su misura per la tua azienda utilizzando Samsung Software Customization Service.