“Sideloading” is like downloading or uploading — only different. Sideloading entails moving files between two devices, usually next to one another, and was originally only done with a USB connection or by inserting a memory card. It’s an old technique that gained widespread use when MP3 players became popular and people sideloaded music from a PC after downloading it from the internet.
When it comes to Android mobile devices, sideloading has a more specific meaning. The origin is the same; you’re moving an Android Package (APK) file containing an app to an Android phone so it can be manually installed. But sideloading has taken on a broader definition: Installing any app outside the normal app store infrastructure is considered sideloading, even if you still download it. If you’re getting an app from Google Play, Amazon Apps or Samsung Galaxy Store, that’s normal; if you’re grabbing an APK file anywhere else on the internet, that’s sideloading.
How do sideloading and security interact?
Sideloading is considered a security risk. Out of the box, Android phones don’t allow it; Android blocks apps from unknown sources. “Unknown” is a vague term, but for most users it means any app store not preloaded as trusted by their phone manufacturer — which is usually a very small set. Even cross-vendor trust isn’t built in. A Samsung phone protected by Samsung Knox, for example, won’t load apps from other phone manufacturers, as they constitute an “unknown source.”
If you want to sideload apps, either by installing them manually or from another Android app store, you have to turn on that feature. With older versions of Android (7 and below), there’s a single check box in the Settings menu, under Lock Screen and Security (“Unknown Sources”). If you turn on that setting, you can load any app you want.
Starting with Android 8 (“Oreo”), things get much more serious and secure: You give each app individual permission to sideload, rather than setting up sideloading as a global option. Look for this well-hidden option in Settings > Apps and Notifications > Advanced > Special App Access > Install unknown apps. If you give sideloading permission to Amazon Underground, for example, which includes Amazon’s app store, you don’t have to worry about Chrome accidentally sideloading an app you didn’t ask for.
Obviously, sideloading apps comes with a huge security risk, and an even bigger risk for Android 7 and earlier. Google’s Play Protect can’t keep all malware off of Android phones, but the risk is much higher when users install apps from the internet or hacker-specific app stores. For this reason, most Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies prohibit sideloading.
What if you need to sideload?
Sideloading isn’t always a risk. In fact, it may be necessary if you’re developing in-house apps, not just for testing but even for app deployment. If you need sideloading for your infrastructure, you have a couple of options for managing it.
One of the best methods is to continue to go through Google’s Play Store. Apps that aren’t publicly available can still be managed with Google’s infrastructure, so you don’t need to develop your own app store or worry about how your apps will be installed and potentially give inappropriate permissions. These “private apps,” as Google calls them, can either be hosted on a managed Google Play store or stored on your organization’s own servers.
If the app is stored on Play Store servers, you can simply link it to a managed Google Play that’s private to your organization and uses Google’s app store infrastructure. As an alternative, you can store the app on your own servers and simply load the pointer to the information (the APK definition file) on the Google Play Store. In either case, users who are part of your organization will see the app in their normal Play Store and be able to download it easily. You can even manage these apps within the Play Store using your mobile device management (MDM) or enterprise mobility management (EMM) solution, if it supports the Google Play Custom App Publishing application programming interface (API) — which most do.
If you only want a few users, such as developers, to install a few specific apps, then you can quickly distribute the APK file through a private web server and tell users to enable “Install Unknown Apps” for their web browser — and tell them to disable that feature after installation. You can also (usually) push the app directly from your MDM/EMM to individual users’ phones.
Securing the app supply chain
IT managers should start out with sideloading disabled and then use their MDM/EMM consoles to ensure users can’t override that setting. For most organizations, most users have no real need to sideload unapproved apps. If you’re getting requests to enable sideloading (or complaints that you’ve blocked it), educating users on the risks involved may help.
Mobile device management for beginners
White Paper
Get started with MDM so your organization can spend less and do more — securely and efficiently. Download Now
Asking users to balance their need for that “special” app with the organization’s need to avoid a costly data breach may help put things into perspective — especially if you point out the consequences and potential occupational repercussions if a user’s phone is the source of the malware.
When there’s a legitimate need, the sideloading feature should be enabled in the MDM/EMM console on a user-by-user basis. But be aware: MDM/EMM products usually don’t support selecting specific Android 8 (Oreo) per-app installation permissions. This means if you give a user or group permission to install apps, they won’t have the safety rails to protect them from tricky malware.
If you can’t beat ’em, secure ’em
If you’d like to accommodate users who want to sideload on their corporate smartphone, a more secure option is to use work/home profile features within Android. This option requires more resources and support than simply granting permission, but it may be an acceptable compromise where other options — such as simply buying an additional smartphone — won’t work. With Android Enterprise’s work profile feature or Samsung’s Knox Platform for Enterprise (KPE), IT managers can partition an Android device so that sideloaded apps can be contained in the non-work part of the phone, minimizing their potential damage.
Sideloading from completely unknown and unverified sources represents a considerable risk compared to corporate app stores and the Google Play Store. Whether you’re running a small business or a large enterprise, you should avoid allowing sideloading — and control it carefully if you can’t.
Samsung’s Knox Manage makes it easy to manage a fleet of devices and and ensure company data is protected. And find out why you need an incident response plan to ensure your company data remains safe with this free guide.
