April 20, 2020

What are the risks of sideloaded Android applications?

Joel Snyder

“Sideloading” is like downloading or uploading … only different. Sideloading means that you’re moving files between two devices, usually next to one another, and was originally done only over USB or by inserting a memory card. It’s an old technique in the world of technology, and gained wide use when MP3 players became popular, and music was sideloaded from a PC after being downloaded from the internet.

When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same — you are moving an Android Package (APK) file containing an application to an Android phone so that it can be manually installed. However, it’s now taken on a broader definition: The installation of any application outside of the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an application from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.


How do sideloading and security interact?

Sideloading is considered a security risk. Out of the box, Android phones don’t allow it. Android blocks applications from unknown sources. “Unknown” is naturally a vague term, but for most users means any application store not preloaded as trusted by their phone manufacturer — usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone, for example, won’t load applications from other phone manufacturers, as they constitute an “unknown source.”

If you want to sideload applications, either by installing them manually or from some other Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings > Lock Screen and Security menu (“Unknown Sources”). If you turn that on, you can load any application you want.

Starting with Android 8 (“Oreo”), things get much more serious: You give each application individual permission to sideload rather than set it up as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. Android 8’s sideload strategy is much more secure, because you pick the apps you want to allow to sideload. If you give permission, for example, to Amazon Underground, which includes Amazon’s app store, then you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.

Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. No one will claim that Google’s Play Protect will keep all malware off of Android phones, but the risk is much higher when end users install applications that they find lying around the internet or on hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.


What if you need to sideload?

Sideloading isn’t always a risk. In fact, it may be required if you’re developing in-house applications, not just for testing but even for application deployment. If sideloading is required for your infrastructure, there are a couple of options for managing it.

One of the best is to continue to go through Google’s Play Store. Applications that aren’t publicly available can still be managed by Google’s infrastructure, which removes the requirement to develop your own app store or worry about how applications will be installed and potentially give inappropriate permissions. Google calls these “private apps,” which can either be hosted on a managed Google Play store or even stored on your own organization’s servers.

If the application is stored on Play Store servers, you can simply link it to a managed Google Play private to your organization that uses Google’s app store infrastructure. As an alternative, you can store the application on your own servers, and simply load the pointer to the information (the APK definition file) on Google’s Play Store. In either case, users who are part of your organization will see the application in their normal Play Store and can download it easily. You can even manage these applications within the Play Store using your normal mobile device management (MDM) or enterprise mobility management (EMM) tool, if they support the Google Play Custom App Publishing application programming interface (API) — which most do.

If you only want a few users, such as developers, to install a few specific applications, then you can also simply distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — then to disable that feature when they’re done installing. You can also (usually) push the application down directly from your MDM/EMM to individual users’ phones.


Securing the app supply chain

IT managers should definitely start with sideloading disabled, and should use their MDM/EMM consoles to ensure that users cannot override that setting. For most organizations, most users have no real need to sideload nonenterprise applications. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), a little user education on the risks involved may help.

Asking users to balance their need for that “special” app against the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.

When there’s a legitimate need, this feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually do not support selecting specific Android 8 (“Oreo”) per-application installation permissions. This means that if you give a user or group permission to install applications, they won’t have the safety rails to keep them from falling victim to tricky malware.


If you can’t beat ‘em, secure ‘em

If you’d like to accommodate users who want to sideload on their corporate smartphone, another, more secure option is to use containerization or work/home profile features within Android. This option requires more resources and support than simply granting permission, but may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. Android Enterprise’s work profile feature or Samsung’s Knox Platfom for Enterprise lets IT managers partition an Android device so that sideloaded apps can be contained in the nonwork part of the phone, which minimizes their potential damage.

Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate and Google App stores. Avoid it if you can, and control it carefully if you can’t.


Discover more ways that Samsung’s business security solutions help protect enterprise data on workplace devices.