Skip to main content

Here's why sideloading apps is safer with Android Oreo

Android has always had a default restriction on installing apps that didn't come from a first party app store. Apps from Google Play or a manufacturer's store like Samsung Apps are deemed to be more trustworthy and safe, so they are considered first party app stores, but apps you downloaded from the internet or from another marketplace are not. While the setting was easily disabled, this was the first line of defense to make sure you weren't installing apps that had malware embedded in them.

By default. only Google Play or other first party app stores have permission to install an app.

Android Oreo brings a much smarter system with a new runtime permission (that means a thing that you will need to approve when you install an app) called Install Unknown apps. With Android Oreo, the first time you attempt to install an app from any third-party method, like a web browser or a messaging app, you have to give permission. This sounds a lot like the previous method, but there is one big change: this is now a per-app setting.

Let's say you downloaded the latest update for an app instead of waiting for it to roll out to you. You might have used Chrome to visit APKmirror, and when the download is finished Chrome knows to start the package installer (a system tool that only installs apps). If this is the first time you have tried this with Chrome, you'll be asked if you're sure you want it to be installed. On the screen that explains this to you, there's an option to always allow apps downloaded through Chrome to be installed. You can choose to allow that and never be asked again or decline and be asked every time.

The one size fits all approach has been replaced with fine-grained permissions.

You could have also installed an app you downloaded through a Reddit app, and you'll go through the same exact procedure. Chrome and Reddit, as well as every other app that knows what to do with an APK file, each has their own setting.

This is a huge improvement over the previous "all or nothing" setting for both users and developers alike. It makes our phone more secure because we can pick and choose what apps have our permission, which means more people can safely enable the setting. Having the Amazon App Store program to be able to install other apps but not allow Chrome to install them without asking is just better for everyone.

When you grant permission for an app to do this every time, it goes on a separate list in the settings where you can remove the permission any time you like. You'll find it here:

  • Open your Settings.
  • Navigate to Apps & notifications.
  • Tap the Advanced section.
  • At the bottom, tap Special app access.

You'll see Install unknown apps at the bottom of the page, and tapping on it brings up a list of apps and their setting as far as the Install Unknown apps permission is concerned.

This is a big change in how your privacy and security is managed and makes it easy for trustworthy developers to make installing other apps as seamless as possible.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

4 Comments
  • I prefer Samsung's "allow this one time only" approach.
  • Yup. Simple and effective. No need for 5 levels of complicated menus and settings to delve into.
  • I've got a few apps from outside the Play Store, it was never so inconvenient to go into Settings and quickly flip the switch... Heck, if I didn't remember to flip the protection back on afterwards, my MalwareBytes and McAfee protection apps would remind me... Now what might, maybe, perhaps be helpful would be to have a trusted source for an app from outside the Play Store. So that when said app was updated you didn't have to go through the process, you just downloaded and installed the update for that particular app. A new app you would go through the process.
  • I see this as slightly more complicated. But I get why they're doing it I guess. This way you can whitelist FDroid and AmazonMarketplace, but leave others blacklisted. When I saw the title, I was concerned it would make it harder to sideload certain apps that Google doesn't think people should install. Like what they do when I sideload adnauseum in to Chrome.