April 20, 2020

What are the risks of sideloaded Android applications?

Joel Snyder

“Sideloading” is like downloading or uploading … only different. Sideloading means that you’re moving files between two devices, usually next to one another, and was originally done only over USB or by inserting a memory card. It’s an old technique in the world of technology, and gained wide use when MP3 players became popular, and music was sideloaded from a PC after being downloaded from the internet.

When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same — you are moving an Android Package (APK) file containing an application to an Android phone so that it can be manually installed. However, it’s now taken on a broader definition: The installation of any application outside of the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an application from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.


How do sideloading and security interact?

Sideloading is considered a security risk. Out of the box, Android phones don’t allow it. Android blocks applications from unknown sources. “Unknown” is naturally a vague term, but for most users means any application store not preloaded as trusted by their phone manufacturer — usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone, for example, won’t load applications from other phone manufacturers, as they constitute an “unknown source.”

If you want to sideload applications, either by installing them manually or from some other Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings > Lock Screen and Security menu (“Unknown Sources”). If you turn that on, you can load any application you want.

Starting with Android 8 (“Oreo”), things get much more serious: You give each application individual permission to sideload rather than set it up as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. Android 8’s sideload strategy is much more secure, because you pick the apps you want to allow to sideload. If you give permission, for example, to Amazon Underground, which includes Amazon’s app store, then you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.
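As an added audit example (not from the article), this shell script reads the two controls just described over adb: the single “Unknown Sources” switch on Android 7 and below, stored as the `install_non_market_apps` secure setting, and the per-app “Install unknown apps” permission on Android 8 and later, which Android exposes as the `REQUEST_INSTALL_PACKAGES` app op. The parsing helpers are separated from the adb calls so they can be checked on constructed output; the device-reading path assumes standard `adb`, `pm` and `appops` output on a device with USB debugging enabled.

```shell
#!/bin/sh
# Added example: report which sideloading model a device exposes and, on
# Android 8+, which installed apps are currently allowed to sideload.

# Android 7 and below: one global switch (Settings.Secure install_non_market_apps).
# Maps the raw value adb prints to "enabled", "disabled" or "unset".
global_unknown_sources() {
  case "$1" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unset ;;
  esac
}

# Android 8+: per-app REQUEST_INSTALL_PACKAGES app op. Takes the output of
# `appops get <pkg> REQUEST_INSTALL_PACKAGES` and prints the effective mode.
appop_mode() {
  case "$1" in
    *REQUEST_INSTALL_PACKAGES:*allow*) echo allow ;;
    *REQUEST_INSTALL_PACKAGES:*ignore*|*REQUEST_INSTALL_PACKAGES:*deny*) echo deny ;;
    *) echo default ;;   # "No operations." or "default": never granted
  esac
}

# Pick the model from the SDK level; 26 is Android 8 ("Oreo").
sideload_model() {
  if [ "$1" -ge 26 ] 2>/dev/null; then echo per-app; else echo global; fi
}

# Live audit over adb (requires a connected device). Output is read-only.
audit_device() {
  sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
  if [ "$(sideload_model "$sdk")" = global ]; then
    v=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    echo "SDK $sdk: global Unknown Sources is $(global_unknown_sources "$v")"
  else
    echo "SDK $sdk: third-party apps allowed to install unknown apps:"
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
      out=$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r')
      [ "$(appop_mode "$out")" = allow ] && echo "  $pkg"
    done
  fi
}

if [ "${1:-}" = --audit ]; then audit_device; fi
```

Run with `--audit` against a managed device to see the list an MDM console typically cannot show you: the individual apps that hold the per-app install permission.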

Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. No one will claim that Google’s Play Protect will keep all malware off of Android phones, but the risk is much higher when end users install applications that they find lying around the internet or on hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.


What if you need to sideload?

Sideloading isn’t always a risk. In fact, it may be required if you’re developing in-house applications, not just for testing but even for application deployment. If sideloading is required for your infrastructure, there are a couple of options for managing it.

One of the best is to continue to go through Google’s Play Store. Applications that aren’t publicly available can still be managed by Google’s infrastructure, which removes the need to build your own app store or to worry about how applications will be installed and whether they might be granted inappropriate permissions. Google calls these “private apps,” which can either be hosted on a managed Google Play store or even stored on your own organization’s servers.

If the application is stored on Play Store servers, you can simply link it to a managed Google Play store that is private to your organization and uses Google’s app store infrastructure. As an alternative, you can store the application on your own servers and load only a pointer to it (the APK definition file) on Google’s Play Store. In either case, users who are part of your organization will see the application in their normal Play Store and can download it easily. You can even manage these applications within the Play Store using your normal mobile device management (MDM) or enterprise mobility management (EMM) tool, if it supports the Google Play Custom App Publishing application programming interface (API) — which most do.

If you only want a few users, such as developers, to install a few specific applications, then you can also simply distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — then to disable that feature when they’re done installing. You can also (usually) push the application down directly from your MDM/EMM to individual users’ phones.


Securing the app supply chain

IT managers should definitely start with sideloading disabled, and should use their MDM/EMM consoles to ensure that users cannot override that setting. For most organizations, most users have no real need to sideload nonenterprise applications. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), a little user education on the risks involved may help.

Asking users to balance their need for that “special” app against the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.

When there’s a legitimate need, this feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually do not support selecting specific Android 8 (“Oreo”) per-application installation permissions. This means that if you give a user or group permission to install applications, they won’t have the safety rails to keep them from falling victim to tricky malware.


If you can’t beat ’em, secure ’em

If you’d like to accommodate users who want to sideload on their corporate smartphone, another, more secure option is to use containerization or work/home profile features within Android. This option requires more resources and support than simply granting permission, but may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. Android Enterprise’s work profile feature or Samsung’s Knox Platform for Enterprise lets IT managers partition an Android device so that sideloaded apps can be contained in the nonwork part of the phone, which minimizes their potential damage.

Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate and Google App stores. Avoid it if you can, and control it carefully if you can’t.
