Unknown Sources: Everything you need to know!

The Unknown Sources setting isn’t the mystery — or the demon — it’s made out to be if you know a little bit about it.

To install apps that you downloaded from somewhere besides the “official” app store from Google or the company that made your phone, you need to enable the “allow unknown sources” setting. There has always been a bit of confusion about what it is exactly and how things work. We’re going to remedy that and talk through everything you need to know about unknown sources. Don’t worry, it’s gonna be fine.

What are ‘Unknown Sources’?

No, not people who leak government stuff to the press. The Android kind of unknown sources. It’s a scary label for a simple thing: a source for apps you want to install that is not trusted.

Unknown = not vetted directly by Google.

When we see the word “trusted” used this way, it means a little more than it usually would. In this case, trust means the same as it does for a web certificate and everyone involved on all sides will vouch for the source. Google says you can trust Google Play. Samsung goes one more step and says you can trust Samsung Apps or the Amazon App Store (for example). Because these sources are trusted, you don’t have to enable the installation of unknown (not in the circle of trust) sources to install apps from them. Someone who is in charge of making these kids of decisions is vouching for these app sources.

In short, a trusted source is one that the company you gave your money to, the company who built it, and the company who wrote the software all have vouched for.

Why is there even a setting for this?

Half the people reading this will think that no company should allow us to install apps they do not trust. The other half will think that nobody should be telling me what apps I can and can’t install. Having a setting in place is the only real solution.

It’s not really a good idea to just let any app from any place get installed on your phone. When you block app installs from places not in that trusted circle, random drive-by downloads can’t happen. Full stop. It’s insanely difficult to find an exploit that can force you to install an app you don’t want. It should be because that sort of trickery is never done for a good reason. Going one step further and just outright blocking the darn things is the type of over-the-top phone security Google loves.

And Google doesn’t claim that apps from other places are a bad thing. It has a whole page that tells app devs how to go about offering apps without putting them in the Play Store. All Google has to say about the Unknown Sources setting is:

User opt-in for apps from unknown sources

Android protects users from inadvertent download and install of apps from locations other than Google Play (which is trusted). It blocks such installs until the user opts in to Unknown sources in Settings > Security on their device. Users need to make this configuration change before they download your apps to their devices.

Note that some network providers don’t allow users to install applications from unknown sources.

Google is cool with developers doing it and cool with you downloading and installing them. But they make sure you opt-in for it before you do.

Are unknown sources a bad thing?

Nope. But enabling the setting for no good reason or leaving it on all the time is.

The internet is a big place. There are plenty of places to get apps that are as trustworthy as Google or Samsung or LG or any other company with their own on-device app store. You just need to do a tiny bit of poking around to make sure a place is trustworthy before you grab an app from it.

The Unknown Sources setting is like the stove: turn it off when you’re done using it.

Reading this article is a good start. Read other Android websites, too. We’re not afraid to tell you when you can trust something or someplace. Here are two places I trust as much as anything from Google: Amazon and F-Droid. I use them both and am not afraid to tell you to use them if they have something you want. And everyone else here would say the same thing.

In essence, Android Central trusts Amazon and F-Droid and thinks you can, too. But because of Google’s definition of trust, in this case, they can’t. Knowing that both Amazon and the folks running F-Droid scan all their files and are diligent about how they are distributing them isn’t enough for Google because they need to do those things themselves before they trust a source. Google has more at stake because they are Android, for better or for worse.

What is a bad habit is leaving the unknown sources box checked if you don’t need to. If an app you installed will run with the setting disabled, disable it until you need it again. If an app won’t run without it enabled, find out why before you install it.

You’re still protected

Google wants to scan every single app you install right before you install it. It will ask you to let it do so and to let it do it in the future the first time you try. At Google I/O, we were told that Google scans 50 billion apps per day to ferret out any with malware, including the ones you are installing. And this doesn’t depend on having the latest version of Android. Every single phone with access to Google Play running Android 4 or higher has these protections built in through Google’s Play Services feature. While no type of scanning is going to be 100% foolproof, chances are someone else has installed that app before you and Google has looked at it, and they will look harder if it does anything fishy. Or has a hidden ability to do anything fishy.

Fifty. Billion. Every day. That’s a helluva lot of apps.

Google, Apple, Samsung, and every other company takes the integrity of their app store very seriously. Nothing makes them look worse than me telling you about bad apps that slipped through, so they do everything they can to keep it from happening. In this case, that benefit rolls over to apps you installed from elsewhere. Win all around!

Why don’t companies just put their apps in Google’s Play Store?

That’s a question with a big, convoluted answer that no two people will agree on. Let’s just say that Google places some restrictions on ways developers can make money. Not everyone is willing to accept those restrictions.

Of course, test apps and beta apps and project apps are better off being hosted locally and set to whoever needs them. But for big production ready apps, not everyone wants to use Google Play.

Android Oreo changes everything

Google has reworked how apps from places other than trusted stores are installed, and with Oreo, it’s a much better and safer experience.

If you have a phone running Oreo, you won’t see a setting to allow installation of apps from unknown sources. Instead, Google treats this as an app permission and you’re asked each and every time you want to install an app you got elsewhere.

The new permission is tied to the app itself, not any user settings. Because it’s treated the same as every other runtime permission, like access to your camera, an app that would try to get you to install any other app is unable to trick you with a dialog or use false pretenses. You have to say yes each and every time.

You’ll also find a list of apps that use this permission in your settings. That means you can revoke the permission and the app is unable to function. Doing things this way makes it easier for developers to distribuite apps from places other than the Play Store because users won’t get confused by installation instructions or feel that the app isn’t safe because of the language used.

How do I turn Unknown Sources on?

Open the device settings. Look for a gear icon in the notification shade near the top left corner and tap on it.
Scroll down to the Security section and tap to open it.
Scroll down to the entry labeled Unknown sources and read the subtext because you should always read any and all subtext in a “security” section of settings.
Read the pop-up box that tells you Google isn’t responsible if you install apps from places they do not explicitly trust and click OK to enable the setting.

You disable the setting the exact same way. Toggle the switch off and installation is once again blocked for apps downloaded outside of trusted app stores.

So should I enable the setting?

If you want to install an app that you trust — you know the source and are sure they aren’t pulling a fast one and that the app is exactly as the developers have written it, then you can enable it when you need it.

There are a lot of different ways to define trust, but we think that word of mouth is one of the best ones. Your friends, people in forums and comments, and your favorite Android blog can tell you whether or not they think you should trust a thing or place, and whoever is saying it should be willing to tell you why.

Most importantly, you don’t have to worry about temporarily enabling Unknown Sources if you trust a place that has an app you want to install.

I trust Amazon because it vets every app in its store and it is a popular source. That means if an app slips through, it will get caught quickly. I trust F-Droid because every app it offers has the full source code available and provides a checksum to make sure you’re downloading a verified copy that it compiled itself. Not everyone wants the source code. You don’t necessarily have to know either of these things because someone else has looked into it and the information is available. You should still do any personal vetting that you need to feel comfortable, but generally, a site that’s not trustworthy is going to be talked about even more.

Do a little bit of homework and you’re golden. Just be sure to turn the setting back off once you’re done installing your apps.

Wrapping it up

This is a simple breakdown to make sure everyone can understand what’s going on when asked to enable the Unknown Sources setting or when you see people warning against it. There are other more nerdy things like signing keys and heuristic scanning that could be talked about, but we feel that will muddy the water a little. If you’re the type of person interested in the minutiae, the Android Developers site has plenty of information about how Google Play works and what else Google does to make it safe. It’s great reading if you’re inclined.

For everyone else, just know that the Unknown Sources setting isn’t really a mystery or anything to be afraid of if you need it. And when you don’t make sure it’s turned off.

Stay safe!

Updated July 2018: With all the security worries lately, we’ve refreshed this piece to help you protect your devices and data.