

Why sideloading Android apps is risky business

Android users seeking an app outside of their device's official app store can circumvent the system through sideloading. But the process puts enterprise devices and data at risk.

When it comes to installing apps, IT admins know their users have options, but not every available method is safe.

Android users probably know the Google Play Store almost as well as they know their company VPN or intranet. They know it is generally safe to purchase and install applications from Google's store. They may also know that the Google Play Store isn't the only game in town.

That's right -- users can install apps from numerous locations. Third-party stores such as Amazon, Getjar, Mobogenie, Slideme and Appbrain offer Android apps users might not find on the official Google Play Store. Or users could simply search the web for Android .apk files and find a legion of downloadable packages from sites with no review process at all.

Users can enable the installation of apps from outside the Play Store in the Android security settings (the "Unknown sources" toggle on older releases, a per-app "Install unknown apps" permission from Android 8.0 onward). This is disabled by default, but once enabled, users can install any .apk that passes Android's package installer -- and a package that installs cleanly can still contain malicious code, because the installer only checks that the APK is well formed and consistently signed, not that its signer is trustworthy. This process, called sideloading, may be convenient, but it comes with security risks. It opens the door to malicious software and to the compromise of sensitive corporate data.
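Because a sideloaded app carries no Play Store provenance, the most direct way for IT to find one on a managed device is to ask the package manager who installed each app. The script below is an added example, not code from the article: it parses the output of `adb shell pm list packages -3 -i` (`-3` restricts the listing to third-party packages so preinstalled system apps are not flagged, `-i` appends the installer package) and reports every app whose installer is missing or not on a trusted list. The sample output, the trusted-installer set and the package names are constructed for the example; the only real identifier is `com.android.vending`, the Google Play Store.

```python
"""Flag sideloaded apps from `adb shell pm list packages -3 -i` output.

Added example, not part of the article.  The pm output below is constructed
to match the real format:
    package:<name>  installer=<installer package | null>
"""
import re
from typing import Dict, List, Optional

# Distribution channels IT trusts.  com.android.vending is the Google Play
# Store.  Add your EMM/MDM agent's package name if it installs apps for users
# (an assumption about your environment, not a fixed rule).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample: two Play Store apps, one sideloaded game, a sideloaded
# third-party store and an app installed through that store.
SAMPLE_PM_OUTPUT = """\
package:com.google.android.youtube  installer=com.android.vending
package:com.example.vpnclient  installer=com.android.vending
package:com.freegame.coins  installer=null
package:com.amazon.venezia  installer=null
package:com.funapp.wallpapers  installer=com.amazon.venezia
"""

_LINE = re.compile(r"^package:(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Return {package: installer}; installer is None when pm prints 'null'.

    A None installer on a third-party package means no store installed it:
    typically `adb install` or a manually opened .apk, i.e. a sideload.
    """
    result: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised pm line: {line!r}")
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def sideloaded_packages(installers: Dict[str, Optional[str]],
                        trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Packages whose installer is absent or not in the trusted set.

    Both the sideloaded third-party store itself (installer=null) and any
    app it later installed (installer=<that store>) are reported.
    """
    return sorted(pkg for pkg, inst in installers.items()
                  if inst is None or inst not in trusted)


def report(text: str) -> List[str]:
    """One-call helper: parse pm output and list what IT should look at."""
    return sideloaded_packages(parse_pm_output(text))


if __name__ == "__main__":
    for pkg in report(SAMPLE_PM_OUTPUT):
        print("sideloaded:", pkg)
```

In practice, pipe `adb shell pm list packages -3 -i` into `report()` for each enrolled device. Whether sideloading is even possible can be checked alongside it: on Android 7 and earlier, `adb shell settings get secure install_non_market_apps` prints `1` when "Unknown sources" is on; on Android 8.0 and later the permission is per app, so check `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` for the browsers and file managers users would open an .apk from.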

Trust in the Play Store


So should organizations allow employees to sideload Android apps? The short answer is no.

When users install apps from the Google Play Store, they can, with rare exceptions, trust what they're installing, and at least know that Google has scanned the app for known malware and will pull it from the store if it turns out to be malicious. A third-party app store, on the other hand, might not adhere to any security policy at all, and its apps could contain malicious code. Chances are, IT admins don't have time to go through the policies and end-user license agreements of each third-party store to confirm that users are protected. What is the store's policy on removing malicious apps? Is it as vigilant as Google about removing suspect apps, and does it remove them from devices that already installed them? Because of the sensitivity of corporate data, the last thing IT wants to do is put that information at risk by allowing users to sideload Android apps.

Beware of malware

Since apps from third-party stores and random .apk downloads aren't screened for malware the way apps distributed through Google Play are, IT must beware of sideloading. One of the biggest issues facing mobile apps is malicious code reaching a device, either directly, written into the app itself, or indirectly, pulled in through an advertising or analytics library the app embeds. Most often, it's the indirect route that does the most harm, because a single compromised library is shipped inside many otherwise legitimate apps and can fetch new payloads after installation.

Many mobile applications depend on ad networks, which let advertisers buy digital ads inside apps. In 2013, 32 apps on the Google Play Store used a rogue ad network dubbed BadNews, which pushed malicious software onto users' devices. The same thing can happen through a third-party app store, which is less likely to suspend the attack and prevent a repeat the way Google did. In addition, third-party stores have carried repackaged copies of genuine apps: the real app with a small amount of malicious code added, sometimes including an exploit that roots the device. Once a device has been silently rooted, there is no effective limit to what that code can do, including reading data belonging to other apps. Google's review process makes such rooting code far less likely, though not impossible, to survive on the Play Store.


Considering the nature of the data enterprise users transmit -- company secrets and intellectual property among them -- it would be foolhardy to entrust that data to a device running a sideloaded app. Imagine the ramifications of a malicious ad network gaining access to company data. Or worse: What if, by installing an app from an untrusted store, an employee's device is rooted and every piece of company data on it is exposed?

If admins want employees and their devices to be safe, they should instruct users to refrain from sideloading apps and, where the organization manages the devices, enforce that rule with a device management policy that keeps installation from unknown sources disabled rather than relying on users to leave it off. The risks are too great, and recovery from a rooted or compromised device is not always possible.
