Skip to content
All articles

Sideloading safely on modern Android

The unknown-sources toggle is long gone and the platform has quietly grown a lot of defences. A practical routine for installing an APK by hand without regretting it.

Guides9 min read

Installing an APK by hand puts you, rather than a store, in charge of deciding whether a file deserves to run. That is a real responsibility, but it is not an exotic one, and modern Android does considerably more to help than its reputation suggests. Here is what the platform gives you and what you still have to do yourself.

What has already changed

The single global “unknown sources” switch is gone. Since Android 8.0, the permission to install apps is granted per source: you allow your browser, or your file manager, or a specific app to install packages, and that grant applies only to it. A malicious app cannot inherit an install permission you gave to something else.

Android 13 added restricted settings. An app installed outside a store cannot be granted the Accessibility or Notification Listener permissions through the ordinary prompt — the toggle is greyed out until you deliberately unlock it in App info. This exists because those two permissions are what banking trojans want most, and because the old flow made granting them a matter of tapping through a dialog someone else designed.

Android 14 added a floor on how old an app may be: packages targeting very old API levels cannot be installed at all, which retires a long tail of malware that relied on pre-Marshmallow permission behaviour.

And Play Protect scans sideloaded files on most devices with Google services, warns on ones it recognises as harmful, and can block them. Google has also signalled that it intends to require developer verification for apps installed outside its store on certified devices; the specifics have been moving, so check the current state before you plan around it.

None of that makes sideloading safe. It makes it survivable, which is different.

Before you download

Check the package name, not the app name. Anyone can call their app Signal. Only one developer can publish org.thoughtcrime.securesms. The name at the top of a listing is marketing; the package name is identity, and it is the thing to match against what the developer publishes.

Then answer, honestly, why you are sideloading at all. Wanting a version your device no longer receives, a build that is not offered in your region, or an older release after an update broke something are good reasons. Wanting a paid app for free is not a reason, it is the reason — the overwhelming majority of Android malware is delivered inside cracked and modded builds of apps people did not want to pay for. That is not a moral argument. It is where the files are.

Before you install

Two checks, under a minute together. Compute the SHA-256 of the file and compare it with the hash the publisher listed. Print the signing certificate with apksigner and compare its fingerprint with the copy you already have, or with what the developer publishes.

The hash tells you the file did not change on the way to you. The certificate tells you the author has not changed. Neither tells you the app is safe, and it is worth holding both of those thoughts at once rather than collapsing them into a general sense of having done your homework.

After you install

Go back and revoke the install permission from whatever you used to install — the browser, the file manager. You needed it for one file. Leaving it on means the next thing that talks that app into fetching a package does not have to ask you again.

Then open App info and read the permissions the app actually holds, not the ones it asked for at install time. And treat any later request for Accessibility as a full stop unless the app's entire purpose is assistive. That prompt is the one that turns a nuisance into a compromise.

Permissions that deserve a second look

Permissions only mean anything in context — a camera app should want the camera. What should give you pause is a permission with no plausible relationship to what the app claims to do.

Accessibility Service is the most powerful thing on the platform: it can read everything on screen and act on your behalf. Device admin can lock or wipe the device and can make an app difficult to remove. SMS and call log access is the standard route to intercepting one-time passcodes. Install unknown apps lets an app install further packages, which is how a dropper gets its payload past the initial look. Display over other apps enables overlays that sit invisibly on top of other apps and collect taps meant for them.

A wallpaper app asking for any of these is not a borderline call.

The part nobody mentions

A sideloaded app does not receive store updates unless the build you installed carries the same signing certificate as the store's build. Cross a channel — install a developer's own build when the Play version is signed by Google's key — and Play cannot update it. Ever. The app sits at the version you installed until you update it by hand.

That means security fixes are now your job. Not the interesting kind of job: the kind where you have to remember, months from now, that this one app on your phone does not update itself. If you cannot commit to that, the honest conclusion is to use the store version and skip the APK. That is not a failure of nerve; it is the correct trade for almost every app on almost every phone.

What we do and do not check

APKBrowse records the SHA-256 and the signing certificate for every build we host, and links the official store first whenever one exists. We do not run malware scans. Provenance is a genuinely useful thing to establish and it is not the same thing as safety — nothing on this site should be read as a verdict on what an app does once it is running.

Worth saying plainly: this is a demonstration catalogue and every app listed here is fictional. The guidance is not.