Sideloading and Unknown Sources on Android: How to do it and fix errors

Unknown Sources
Unknown Sources (Image credit: Android Central)

To install apps that you downloaded from somewhere besides the "official" app store from Google or the company that made your phone, you need to allow installation from "unknown sources". There has always been a bit of confusion about what exactly this is and how things work. We're going to remedy that and talk through everything you need to know about unknown sources. Don't worry, it's gonna be fine.

What are 'Unknown Sources'?

No, not people who leak government stuff to the press. The Android kind of unknown sources. It's a scary label for a simple thing: a source for apps you want to install that is not trusted by Google or the company that made your phone.

Unknown = not vetted directly by Google.

When we see the word "trusted" used this way, it means a little more than it usually would. In this case, trust means the same as it does for a web certificate and everyone involved on all sides will vouch for the source. Google says you can trust Google Play. Samsung goes one more step and says you can trust Samsung Apps or the Amazon App Store (for example). Because these sources are trusted, you don't have to enable the installation of unknown (not in the circle of trust) sources to install apps from them. Someone who is in charge of making these kinds of decisions is vouching for these app sources.

In short, a trusted source is one that the company you gave your money to, the company that built it, and the company that wrote the software all have vouched for.

Why is there even a setting for this?

Half the people reading this will think that no company should allow us to install apps they do not trust. The other half will think that nobody should be telling me what apps I can and can't install. Having a setting in place is the only real solution.

It's not really a good idea to just let any app from any place get installed on your phone. When you block app installs from places not in that trusted circle, random drive-by downloads can't happen. Full stop. It's insanely difficult to find an exploit that can force you to install an app you don't want. It should be because that sort of trickery is never done for a good reason. Going one step further and just outright blocking the darn things is the type of over-the-top phone security Google loves.

And Google doesn't claim that apps from other places are a bad thing. It has a whole page that tells app devs how to go about offering apps without putting them in the Play Store. All Google has to say about the Unknown Sources setting is:

User opt-in for apps from unknown sourcesAndroid protects users from inadvertent download and install of apps from locations other than Google Play (which is trusted). It blocks such installs until the user opts in to Unknown sources in Settings > Security on their device. Users need to make this configuration change before they download your apps to their devices.Note that some network providers don't allow users to install applications from unknown sources.

Google is cool with developers doing it and cool with you downloading and installing them. But they make sure you opt-in for it before you do.

Are unknown sources a bad thing?

Nope. But enabling the setting for no good reason or leaving it on all the time is.

The internet is a big place. There are plenty of places to get apps that are as trustworthy as Google or Samsung or any other company with their own on-device app store. You just need to do a tiny bit of poking around to make sure a place is trustworthy before you grab an app from it.

The Unknown Sources setting is like the stove: turn it off when you're done using it.

Reading this article is a good start. Read other Android websites, too. We're not afraid to tell you when you can trust something or someplace. Here are two places I trust as much as anything from Google: Amazon and F-Droid. I use them both and am not afraid to tell you to use them if they have something you want. And everyone else here would say the same thing.

In essence, Android Central trusts Amazon and F-Droid and thinks you can, too. But because of Google's definition of trust, in this case, they can't. Knowing that both Amazon and the folks running F-Droid scan all their files and are diligent about how they are distributing them isn't enough for Google because they need to do those things themselves before they trust a source. Google has more at stake because they are Android, for better or for worse.

What is a bad habit is leaving the unknown sources box checked if you don't need to. If an app you installed will run with the setting disabled, disable it until you need it again. If an app won't run without it enabled, find out why before you install it.

How the process works

When you want to install an app you downloaded from somewhere that's not trusted as described above, you just download it and tap the apk file to start the process.

As with any app installation, you're given a list of permissions the app requests. One of those permissions stands out — a request to allow the application you used to download the apk to install it. Like any other permission, you can choose to allow or deny this request.

Unknown sources

Source: Google (Image credit: Source: Google)

If you choose to allow it — and you must if you wish to install an app this way — the installation will continue as normal. If you deny the request, the application can not be installed.

Here's the thing — this permission sticks once it is enabled. Let's say you downloaded an app through Google Chrome. When you went to install it, you granted permission for Google Chrome to install apps. From that point onward, Google Chrome can install apps without asking for explicit permission to do so. Google Chrome is used as an example here, but the same goes for any app you are using to install other apps, like a file manager or third-party app store such as F-Droid.

That means it is important to disable the permission once you're done installing your app unless you want to trust it forever. You can do this by looking in the settings under Apps & notifications, then choosing Advanced and Permission Manager and revoke the permission. I recommend revoking the permission after you're done, each and every time. There is no need to keep the setting enabled, and the app you installed will still work normally.

Old versions of Android

Prior to Android 8.0, Unknown Sources was a system setting. If you have an Android that's running an older version here's what you'll need to do:

  1. Open the device settings. Look for a gear icon in the notification shade near the top left corner and tap on it.
  2. Scroll down to the Security section and tap to open it.
  3. Scroll down to the entry labeled Unknown sources and read the subtext because you should always read any and all subtext in a "security" section of settings.
  4. Read the pop-up box that tells you Google isn't responsible if you install apps from places they do not explicitly trust and click OK to enable the setting.

It's even more important that you disable this setting once you're done using it because it gives blanket permission that covers everything and not a per-app setting. To turn it off, simply toggle the setting to off.

Wrapping it up

This is a simple breakdown to make sure everyone can understand what's going on when asked to enable the Unknown Sources setting or when you see people warning against it. There are other more nerdy things like signing keys and heuristic scanning that could be talked about, but we feel that will muddy the water a little. If you're the type of person interested in the minutiae, the Android Developers site has plenty of information about how Google Play works and what else Google does to make it safe. It's great reading if you're inclined.

For everyone else, just know that the Unknown Sources setting isn't really a mystery or anything to be afraid of if you need it. And when you don't make sure it's turned off.

Stay safe!

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.