
How to install Unknown Sources applications in Android?

Sideloading APKs in an enterprise fleet? The unknown sources toggle is the legacy path. Here's the modern way to distribute private Android apps safely.

Julien Ott

To install apps from unknown sources on Android 14 or 13, open Settings > Apps > Special app access > Install unknown apps, then toggle on the source you want (your browser, file manager, or a specific app). On Android 12 and earlier, the setting is at Settings > Security > Unknown sources, as a single global toggle.

That's the quick answer for a single device. But if you're an IT admin reading this because you need to distribute a private internal app to a fleet of phones, stop. The unknown sources toggle is the wrong tool for that job. Google has been pushing it toward end-of-life for years, and flipping it on across every device in your company creates a security hole you don't want to explain to your CISO.

Below: what the unknown sources setting actually does, why it's a dead end for enterprise distribution, and how Appaloosa handles private Android apps the right way.

What "unknown sources" means, exactly

Android trusts the Play Store by default. Any APK that arrives from anywhere else (a browser download, a file manager, a Slack attachment, a USB transfer) is flagged as coming from an unknown source. To install it, the user has to grant permission to the specific app doing the install.

Since Android 8 (Oreo), the permission is granular: you authorize Chrome to install APKs, or your file manager, not the whole system. Before Android 8, it was a single global switch under Settings > Security. Both work, but the older model is the one that gives security teams nightmares because one toggle opens the device to every install vector at once.

Why this is the wrong path for enterprise fleets

If you manage 50, 500, or 5,000 Android devices and you're thinking about turning on unknown sources to push your internal sales app, here's what you're actually proposing:

  • Every device in your fleet can install APKs from any source the user chooses, not just yours.
  • Play Protect still scans, but you've removed the strongest signal Google uses to flag a bad install.
  • Updates don't happen automatically. Each new version means another manual download and tap-through.
  • You have no central inventory of who installed which version, when, or whether they removed it.
  • Compliance auditors will ask why your security baseline allows arbitrary app installs. You won't have a good answer.

This is why Google has spent the last five years building a different path for enterprise apps. The unknown sources toggle still exists for backward compatibility and for power users, but it's not where Android wants enterprise distribution to live.

The modern way: managed Play and private app channels

Android's enterprise platform gives you two clean ways to distribute internal apps without touching unknown sources:

1. Private apps in managed Google Play

You upload your APK to the Play Console as a private app, restricted to your organization. Devices enrolled in Android Enterprise see it in their managed Play Store next to public apps, install it with one tap, and receive updates automatically through Play. No unknown sources toggle. No sideloading. Google handles signing checks, malware scanning, and rollout.

This is the path Appaloosa recommends and configures for most customers. It's the closest thing to "your internal app, but published like a regular Play Store app".

2. Web-hosted private APKs, pushed via MDM

Some apps can't go through Play. Maybe the APK is signed by a third party, or it's a build that changes too often for Play's review cycle, or it depends on architecture that Play rejects. For these, an enterprise app store like Appaloosa hosts the APK and pushes it to managed devices through the MDM channel.

The device receives the install as a managed app install, not as a sideload. Unknown sources stays off. The user doesn't see a security warning. You see the install status in the dashboard, you push updates the same way, and you remove the app remotely when an employee leaves.

Both methods solve the actual enterprise problem: distribute private apps at scale, safely, with an audit trail. Neither requires touching the setting this article is named after.

When the unknown sources setting still matters

Two cases where you still care about the toggle:

Developers on company-owned test devices. If your dev team installs ad-hoc builds from a build server or a USB transfer, they'll need unknown sources enabled for whichever app they're installing from. This is a deliberate, scoped exception, not a fleet-wide policy. Document it.

One-off personal installs. An employee wants to install a niche app from F-Droid on their personal phone. That's their call on their device. On a corporate-owned device, your MDM policy should override it.

How to lock unknown sources down across a fleet

If you're enrolling devices through Android Enterprise (work profile or fully managed), you can prevent users from enabling unknown sources at all. The policy is part of the device admin restrictions Appaloosa sets at enrollment:

  • Block install_unknown_sources at the device or work profile level
  • Allow only managed Play and MDM-pushed installs as app sources
  • Keep Play Protect on for an extra scanning layer

The user can still see the setting in the OS, but the toggle is grayed out and any attempt to install an APK from a non-managed source fails silently. That's the security posture most enterprise compliance frameworks expect.
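
One way to verify that baseline across a fleet, as an added example that is not Appaloosa's code: it assumes your MDM is built on Google's Android Management API and that you can export its policy resources as JSON. The policy names and the exception list are constructed placeholders.

```python
import json

# Constructed sample shaped like Android Management API policy resources.
# Enterprise and policy names are placeholders, not values from the article.
SAMPLE_POLICIES = json.loads("""[
  {"name": "enterprises/EXAMPLE/policies/fleet-default",
   "playStoreMode": "WHITELIST",
   "advancedSecurityOverrides": {"untrustedAppsPolicy": "DISALLOW_INSTALL",
     "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED"}},
  {"name": "enterprises/EXAMPLE/policies/legacy-kiosk", "installUnknownSourcesAllowed": true},
  {"name": "enterprises/EXAMPLE/policies/dev-test-devices",
   "playStoreMode": "BLACKLIST",
   "advancedSecurityOverrides": {"untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
     "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"}}
]""")
# Scoped, documented exceptions (the developer test-device case).
DOCUMENTED_EXCEPTIONS = {"enterprises/EXAMPLE/policies/dev-test-devices"}

# Values that meet the baseline. A missing or *_UNSPECIFIED field falls back
# to the API default, which is the strict setting for all three enums.
ADV = "advancedSecurityOverrides"
BASELINE = {
    (ADV, "untrustedAppsPolicy"):
        {"DISALLOW_INSTALL", "UNTRUSTED_APPS_POLICY_UNSPECIFIED"},
    (ADV, "googlePlayProtectVerifyApps"):
        {"VERIFY_APPS_ENFORCED", "GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED"},
    ("playStoreMode",): {"WHITELIST", "PLAY_STORE_MODE_UNSPECIFIED"},
    ("installUnknownSourcesAllowed",): {False},  # deprecated boolean
}

def audit_policy(policy):
    """Return findings for one policy; an empty list means it meets the baseline."""
    findings = []
    for path, allowed in BASELINE.items():
        node = policy
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None and node not in allowed:
            findings.append(f"{'.'.join(path)}={node}")
    return findings

def audit_fleet(policies):
    """Split failing policies into undocumented violations and known exceptions."""
    report = {"violations": {}, "exceptions": {}}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            known = policy["name"] in DOCUMENTED_EXCEPTIONS
            report["exceptions" if known else "violations"][policy["name"]] = findings
    return report
```

Calling `audit_fleet(SAMPLE_POLICIES)` reports the legacy policy as a violation and the developer test-device policy as a documented exception.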

Step-by-step: enabling unknown sources on a single Android device

Here for completeness. Use this only on a personal device or a scoped test device.

Android 8 (Oreo) and later

  1. Open Settings, then Apps (or Apps & Notifications).
  2. Tap the three-dot menu, choose Special access (or Advanced > Special app access).
  3. Choose Install unknown apps.
  4. Pick the app you want to use as the install source (Chrome, your file manager, etc.).
  5. Toggle "Allow from this source" on.

Repeat per app. Each install source needs its own permission.

Android 7 (Nougat) and earlier

  1. Open Settings > Security (or Lock screen and security).
  2. Find Unknown sources and toggle it on.
  3. Accept the security warning.

This is a global switch, so anything on the device can install an APK once it's on. Turn it back off when you're done.

Troubleshooting

"App not installed". Usually a signature conflict with an older version already installed, or insufficient storage. Uninstall the old version first, then retry.

"Parse error". The APK is corrupted, incomplete, or built for an architecture your device doesn't support. Re-download, or check that the APK matches your CPU (armeabi-v7a, arm64-v8a, x86_64).

Play Protect blocks the install. Play Protect runs independently of the unknown sources toggle. If it flags the app, either trust the developer and override, or stop and figure out why a signed enterprise APK is being flagged (often a stale signing certificate).
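
For the "Parse error" case above, a pre-install check can separate a corrupted or incomplete download from an architecture mismatch. This is an added example, not part of the original article or of Appaloosa's tooling; `triage_apk` and `make_sample_apk` are hypothetical names, and the sample APKs are constructed in memory.

```python
import io
import zipfile

def triage_apk(data, device_abis):
    """Classify a likely cause of 'Parse error' for an APK given as bytes.

    device_abis: ABIs the device supports, e.g. the comma-separated value of
    the ro.product.cpu.abilist system property, split into a list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as apk:
            names = apk.namelist()
            bad_entry = apk.testzip()  # first entry failing its CRC, or None
    except zipfile.BadZipFile:
        return "corrupt-or-truncated"  # no readable ZIP central directory
    if bad_entry is not None:
        return "corrupt-entry:" + bad_entry
    if "AndroidManifest.xml" not in names:
        return "not-an-apk"
    # Native libraries live under lib/<abi>/; an APK without them is ABI-neutral.
    apk_abis = {n.split("/")[1] for n in names
                if n.startswith("lib/") and n.count("/") >= 2}
    if apk_abis and not apk_abis & set(device_abis):
        return "abi-mismatch:" + ",".join(sorted(apk_abis))
    return "ok"

def make_sample_apk(abis):
    """Build a constructed, minimal APK-shaped ZIP in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        for abi in abis:
            z.writestr(f"lib/{abi}/libdemo.so", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    arm_device = ["arm64-v8a", "armeabi-v7a"]
    good = make_sample_apk(["arm64-v8a"])
    for label, blob in [("matching", good),
                        ("x86_64 only", make_sample_apk(["x86_64"])),
                        ("truncated download", good[: len(good) // 2])]:
        print(label, "->", triage_apk(blob, arm_device))
```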

The takeaway for IT admins

The unknown sources setting is a per-device escape hatch designed for individual users with a specific install in mind. It's not a distribution mechanism. If you're shipping an internal app to a fleet, use managed Play for the standard case and an enterprise app store like Appaloosa for the edge cases. Both keep unknown sources off, both give you visibility, and both survive a security audit.

Want to see how private app distribution works without touching unknown sources? Take a tour of Appaloosa's MAM or book a demo with the team.

Julien Ott
December 17, 2021
