Jack Wallen explains why installing Android apps outside of the Google Play Store puts your device and data at risk.
A reader asked if I would write a piece on how to bypass the Google Play Store and install apps only from third-party sources. I decided to immediately respond to this question with a reminder to the TechRepublic readership that this is not a good idea and with a walk-through on sideloading apps.
Google's security scans of apps in Play
Unlike apps in the Apple App Store, Google does not do a manual approval of every app; instead, Google does a constant scan of all apps on its Play Store for anything that could be malicious. Some apps do get by the scans, but they are eventually found and removed. In this sense, installing from the Google Play Store is about as safe as you can get.
Many people believe Google should follow in Apple's footsteps and do an app-by-app scan. That may be, but I don't suspect that is going to be implemented anytime soon.
To that end, part of the Android platform's security is on the shoulders of end users. That means using your device wisely, which, in turn, means not installing apps from unknown, untrusted sources.
Why is this a bad idea?
When you install an app from an untrusted source, you have no way of knowing if the app has been vetted. That app could contain malware; it might also make use of an ad system that serves as malware.
To make matters worse, you have no idea of knowing if that sideloaded app makes proper use of the Android app permissions system. This means the app you just installed from outside of the Google Play Store could gain access to your contacts, your call logs, and your data. That should be enough to scare you away from installing apps outside of the Google Play Store.
You still want to install an app outside of Google Play?
Some users insist on installing apps from outside the Google Play Store. For instance, let's say your company develops an in-house app that it does not plan on pushing to Google Play. If that happens, you can most likely trust your company developers, and you'll need to know how to sideload those apps.
If you must install an app outside of the Google Play Store, go through this listing carefully and check to see if the app is listed as malicious. The list was last updated January 2, 2016, so it is a couple of months out of date. In fact, if you don't find the app on this list, do yourself a favor and google the title like so: APP TITLE Android malware (where APP TITLE is the actual title of the app).
If you see anything listing the app as suspicious, do not install it. Period. End of story.
If the app isn't listed as malicious, and you still want to install it, here's what you need to do.
- Open Settings on your Android device.
- Go to Security.
- Locate Unknown Sources and tap to enable (Figure A).
- Install the app.
Enabling third-party installation on a Verizon-branded Nexus 6.
When installing these untrusted apps, it is absolutely crucial that you check the permissions listing during installation. If anything looks out of place (such as a game wanting access to your contacts), do not install the app.
A final warning
I cannot stress enough how important it is to only install trusted apps. This is a mobile platform, where a lot of sensitive data is transmitted back and forth; the last thing you need is to hand over that data to an untrusted app.
So for those still wanting to install apps from outside the boundaries of the Google Play Store, consider yourself warned, warned a second time, and warned again.
- How to find out your Android Marshmallow Security Patch level (TechRepublic)
- Android Security Update March 2016: What you need to know (TechRepublic)
- 10 do's and don'ts for securing your Android device (TechRepublic)
- Advice for mobile users who choose simplicity over security (TechRepublic)