The Ultimate Guide To Sideloading Apps On Android
We have the European Union to thank for some of the most user-friendly legislation in the tech industry as of late. It made websites adopt GDPR data privacy laws, and it's forcing Apple to switch to universal USB-C by the end of 2024. The recent enactment of the Digital Markets Act (DMA) proves the EU is on a mission and taking no prisoners. The DMA forces tech giant "gatekeeper" platforms to open up for third parties and competitors. Apple was affected by these pro-consumer laws, and it released a 32-page white paper with concerns about how the DMA would affect security and privacy. Whether or not those concerns prove true, the white paper and other DMA-related news introduced many people to what may be a new concept — sideloading.
To the uninitiated, sideloading might sound like fancy nerd hacker lingo, but it's not. All you're doing is installing apps from outside your device's official app store. Android users have been able to do it for years, and it's part and parcel of using a desktop computer. So why all the hubbub about the smartphone equivalent of downloading and installing a .exe file? Today, we'll talk about what sideloading is, why you may want to do it, what risks it carries, and — if you dare — how to pull it off.
Sideloading in a nutshell
Smartphones are meant to be easy to use and virtually never require their users to "pop the hood" to fix things and grease gears. Notice how you don't need to close apps to conserve system resources or shut your phone down very often (even though you should). Your Android device performs aggressive resource management and automatically handles background tasks so you never have to think about system maintenance at all — not even about viruses.
One of the ways your phone keeps out the worms and trojans is by having you install apps via the official Google Play Store (or Samsung Galaxy Store, among others), which uses a combination of app review, machine learning, and on-device app scanning, and in some cases steps in to remove or deactivate harmful apps, all to keep your phone malware-free. Carefully limiting what you can download is a form of protection. Sideloading — installing outside the Play Store — is still possible, but it's disabled by default. Simply put, sideloaded apps are beyond the Play Store's control, and thus present a security risk. For most people, there's no reason to leave the Play Store's safe haven. You get all your apps and updates in one place.
Still, there are good reasons to sideload apps. App developers who avoid the Play Store don't necessarily do so for nefarious purposes. Some do so for reasons of accessibility or personal philosophy. Sideloading doesn't put you entirely beyond Google's protection either, because Play Store Protect still scans sideloaded apps.
Reasons to install sideloaded apps
Sideloading gives you access to apps that aren't available on the Play Store, apps only available in certain countries, free versions of paid apps, or apps with better support on third-party app stores. Many developers simply don't have the time or interest to clear the hurdles to get their app into the Play Store, so uploading it elsewhere is just easier. Whatever the reason, sideloading expands the functionality and customizability of your phone, and it can be safe and easy if you know what you're doing.
We could give countless specific examples of sideload-only apps worth getting. Take NewPipe, an unofficial YouTube app that allows you to block ads and download videos for free. Or Fennec Browser, a custom Firefox build with extra privacy and tracking protection. Some people rely on smaller, less-known apps such as Canta to remove bloatware, or the unofficial Telegram client Cherrygram to get extra features. In some cases, you may want an app that got banned; India famously banned TikTok and other Chinese apps, leaving sideloading as the only avenue to obtain it — a decision the U.S. may soon mimic.
Some reasons for sideloading are not commendable. Piracy is a problem on mobile devices, allowing people to get paid-only apps for free. At SlashGear, we do not condone this practice. Sideload to your heart's content, but do so responsibly and without breaking the law.
A word of caution
Apple's whinging about the EU's DMA decision isn't baseless. Letting iPhone users sideload apps does put them at potential risk even if they're careful. Android users who intend to sideload should take note. Your phone has access to your passwords, your bank, and loads of other sensitive info, so you have to be absolutely, 110% sure you trust an app's developer. App permissions could give unprecedented control and access to your phone even without malware. Sometimes you can't even trust the Play Store; malicious apps make it onto Google's platform and then get booted for ad fraud — and much worse — all the time.
Make sure you only sideload from well-known sources that include a thorough vetting process. Check the reviews of the app, if there are any, as users may mention security risks. Avoid apps with few or no reviews. Google an app's name and add keywords like "malware" and "scam," and the results should warn you if there's a problem. Learn how to verify download integrity where possible. Checking the download's hash against the official one takes only a few seconds and reveals whether a bad actor tampered with the file, which effectively prevents hacker-injected viruses. Last but not least, use common sense. Don't download from websites that look sketchy or click on suspicious or unknown links, and be wary of torrenting.
Sideloading apps: allow unknown sources
With all the caveats out of the way, let's get down to brass tacks and show you how to sideload apps. By default, for the security reasons we mentioned earlier, Android blocks installations from outside the Play Store. The setting that lets you get around this is called "Install from unknown sources." Enable it in your Settings app. It will be in a different location depending on which version or manufacturer flavor of Android you're using. In some, you'll find it in the "Apps" section, and in others, "Security." If you can't seem to locate it, use the settings Search bar to look up "install from unknown sources" or "install unknown apps."
Once you do this, Android will serve you a confirmation message warning you against sideloading apps for the reasons we've already mentioned. If you're sure you want to proceed, hit the "Allow" or "OK" button, depending on how the message appears on your phone. You'll likely be asked to choose which sources you want to allow, such as your phone's web browser or file manager. Only choose a browser if you plan to download an app directly from your phone and install it upon opening. If you downloaded the app before enabling this setting, no sweat. We'll discuss later how you can go straight to this setting after opening an APK and enable the pertinent source.
Download an app
Once you've enabled "Install from unknown sources," you're ready to rock and roll. We highly recommend sourcing apps from a respected, trusted third-party app store such as APKPure, Amazon Appstore, F-Droid, Humble Bundle, and others. These app stores will all have a familiar user interface reminiscent of the Play Store. They let you search for apps by category, check screenshots and reviews, and verify the version history. You'll need to download your third-party app store of choice from the official website and install the APK file via your authorized source (i.e. the browser or file manager).
For example, let's suppose you installed F-Droid as your new app store. You will need to allow it as a source through the settings, just like you did for your browser or file manager. Otherwise, you won't be able to install any apps you download through it. This can be done when you download an app for the first time since Android will give you a warning and a direct link to the setting.
If your app isn't on a third-party store, you'll have to download and install it from GitHub or another hosting site. We don't recommend this unless you trust the developer and the app receives regular updates. If you end up with an AAB file (Android App Bundles, a new Google format replacing APKs), you'll require a special app to install it — more on that later.
Other ways to transfer apps
Of course, there are other options to get APK/AAB files on your phone and install them. The easiest way is to download the file on your computer, plug in your phone, and transfer the file via USB. Copy the file to a folder you can easily find such as Downloads or Documents. If you've ever rooted your phone or installed an open-source distro like Lineage OS, then you likely have ADB (Android Debug Bridge) and fastboot on your computer. This lets you bypass Android's pesky notifications and install an app with a handful of CLI commands — though fair warning, this is an advanced user method, one you should use with extra caution.
Beyond that, the sky's the limit on ways to transfer an APK/AAB file from your computer to your Android device. Windows has built-in support for file transfer over Bluetooth, and its Phone Link app allows for the same. Another easy way is to just upload the APK/AAB file to your preferred cloud file backup service (such as the OneDrive folder) and then open it on your phone via the Android version of the app. Just keep in mind that with this option you'll have to authorize your cloud drive app as a source, like we discussed before.
Install APK files
Once you've got your app in APK format, it's time to install it. If you downloaded it from a third-party app store, downloading should automatically initiate the install process. If you downloaded it some other way, you can open it from your browser's downloads tab or your file manager. Just tap the file like you would open anything else.
Despite having enabled "Install from unknown sources," you will always get a prompt asking you to confirm whether or not you want to install a non-Play Store app. The only way to enable one-tap installations (like with the Play Store) without a prompt is to root your device, which is beyond the scope of this article. Once you do hit "Install," though, that's it. Give your phone a few seconds and the app should appear in the app drawer, the same as when you install an app the normal way.
Check to make sure the app works. Once you're satisfied, remember to delete the leftover APK file; it's no longer necessary to run the app, and deleting it would be as harmless as deleting an already-used .exe or .dmg file on your desktop computer. You'll be updating this app with a brand-new APK file in the future, so the old ones are just going to fill up your phone's free storage space.
Install AAB files
In some cases, you may end up with Google's new AAB format. You cannot install AAB simply by authorizing a download source and hitting "Install." You'll need a specialized installer, such as Split APKs Installer or App Bundle Installer. Luckily, both of these apps — and many alternatives — are available directly from the Play Store. This makes it a lot safer and more convenient than trusting a random app off the internet, but do still take the time to vet the installer; free apps often make their money either with invasive ads, or by selling your data. Once installed, locate your downloaded AAB file and go through the installer app's installation process. You'll have to authorize your AAB installer as an unknown source, too. Seeing a common theme yet?
Advanced users who prefer the ADB route will be happy to know that you can install AAB apps from the command line, too. There's a bit more work involved here. You'll need to convert and unpack the AAB file and select the correct APKs for your device using tools like Droid Hardware Info and DevCheck Hardware and System Info. Then it's just a matter of copying those APKs to your ADB directory (or changing directory in the terminal) and running a command to install (via XDA Developers). This is definitely not the most beginner-friendly option, of course, and third-party apps fortunately do all of this automatically. Don't forget to delete that leftover AAB file when you're done.
Be cautious with permissions
Viruses are the biggest concern when circumventing the Play Store, but an app can still cause trouble if you give it too many permissions. Upon opening the app, it'll likely bombard you with permission requests: camera access, microphone access, files, location — you get the idea. Again, you're putting a lot of trust in an app that has not gone through Google's review process, so it's imperative that you carefully evaluate each permission and whether or not the app actually needs it. A calculator app should never have microphone or camera access, to give a common example.
You can always learn how to change app permissions later if necessary. Google automatically revokes permissions from unused apps, so if there's an old sideloaded app left untouched for weeks, it won't be able to do anything nefarious in the background. We recommend giving apps minimal permissions where possible: For example, only allow them photo access rather than full file access. Android also supports only allowing access to certain permissions (such as location, camera, or microphone) when the app is open — a great way to keep it from doing whatever it wants when you're not actively using it.
Updating your sideloaded apps
Aside from trust issues, the next major downside to sideloaded apps is updating them. Google's Play Store isn't just safer, it automatically updates all your apps in the background without any effort on your part. App updates patch known vulnerabilities that could compromise your phone, in addition to squashing bugs and adding new features. Even if the developer behind a sideloaded app pushes out regular updates, most apps don't have the ability to self-update. So what's the solution?
If you downloaded a third-party app store, update functionality comes built-in. Apps like APKPure notify you when updates are available. Do keep in mind that automatic updates from anything but the Play Store (like installations) are not possible without rooting your phone. You will have to manually update any sideloaded apps for as long as you plan on using them. Make sure to check that third-party app store regularly to refresh just in case you missed an update.
There are also apps that find APK updates online and download them for you, such as APK Updater. You'll need to authorize it as an installation source, but it's easier than remembering to check the dev's site or GitHub page by yourself. And, of course, you can just download the APKs manually and install them by hand. Provided the dev signatures and package names match, this will update the app and preserve your user data. With luck, Google may someday soon support updating sideloaded apps.
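The signature and package-name match mentioned above can be checked before you install an update by hand. This is an added example, not from the original article: it assumes `apksigner` and `aapt2` from the Android SDK build-tools are on your PATH and that you kept a copy of the APK you originally installed, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check that a new APK can update an
# existing app in place. Assumes apksigner and aapt2 (Android SDK build-tools).

# Package name declared in the APK.
apk_package() {
    aapt2 dump packagename "$1"
}

# Sorted SHA-256 digests of the APK's signing certificates. apksigner prints
# one "Signer #N certificate SHA-256 digest: <hex>" line per signer.
apk_signers() {
    out=$(apksigner verify --print-certs "$1") || return 1
    printf '%s\n' "$out" |
        sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | sort
}

# can_update OLD_APK NEW_APK
# 0 = same package and signers, 1 = mismatch, 2 = an APK could not be verified.
can_update() {
    old_pkg=$(apk_package "$1") || return 2
    new_pkg=$(apk_package "$2") || return 2
    old_sig=$(apk_signers "$1") || return 2
    new_sig=$(apk_signers "$2") || return 2
    # No digest lines means the signature check produced nothing to compare.
    [ -n "$old_sig" ] && [ -n "$new_sig" ] || return 2
    if [ "$old_pkg" != "$new_pkg" ]; then
        echo "package differs: $old_pkg vs $new_pkg" >&2
        return 1
    fi
    # Strict comparison: any change in the signer set is reported.
    if [ "$old_sig" != "$new_sig" ]; then
        echo "signing certificate differs from the installed version" >&2
        return 1
    fi
    echo "OK: $new_pkg is signed by the same certificate"
}
```

A mismatch on an APK that claims to be an update of an app you already trust is a reason to stop and re-check where the file came from.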
Delete unused apps or those lacking updates
When using popular apps on the Play Store like Gmail or Chrome, you grow accustomed to getting years of frequent updates. You almost never have to worry about an app's potential security vulnerabilities because you know there's a well-funded team of IT professionals maintaining it. The same cannot be said for sideloaded apps. Those of us in the open-source community know small apps die off all the time.
It's sometimes impossible to determine when or why a sideloaded app died. Many only have a single developer with a handful of volunteer contributors. Perhaps the dev lost interest in making it or just got so busy with life that they had to abandon it. That's to be expected when most of these devs maintain these apps in their free time, provide them free of charge, and recoup development costs with donations. There's a good chance any app you sideload will be deprecated and prone to security vulnerabilities a year from now.
Check when a sideloaded app received its latest update. There's no hard rule on how long is too long for an app to go without updates, but generally speaking, it's a bad sign when more than a year has transpired with nary a hotfix. Consider deleting the app until a new update arrives. In the same vein, delete any unused sideloaded apps (known as "zombie apps"), as these present potential security risks.