Will Android 15 restrict sideloading apps?

Android 15 sideloading

The release of Android 15 — Vanilla Ice Cream — is expected for September/October 2024. The upcoming Android version will introduce a range of new features, with some eagerly anticipated and others rather sparking concerns.

One of those controversially discussed changes is the restriction of permissions for sideloaded Android apps.

What is Android sideloading?

Android sideloading is the process of installing apps on an Android device from non-Google Play Store sources. It typically involves downloading a third-party APK file and enabling "Unknown Sources" in Android settings to install it.

What is the sideloading restriction about?

Mishaal Rahman has published an article on Android Authority which quickly made its rounds within the Android community. Within the article, he takes a closer look at Android 15’s new Enhanced Confirmation Mode, which he discovered while analyzing Android 15 Beta 1.1 update.

Enhanced Confirmation Mode is not yet enabled within the Beta.

Although not currently enabled, it appears that the new OS version will come with the Enhanced Confirmation Mode on board. This mode aims at enhancing the device security by building upon the foundation laid by Android 13's Restricted Settings feature. This is necessary because Restricted Setting came with a severe security loophole.

A brief reminder about Restricted Settings feature

Restricted Settings were developed to limit the functionalities of apps that users download from sources outside the Google Play Store. The assumption: sideloaded apps from unofficial sources might contain malware or other harmful software, since it's easier to distribute harmful apps while bypassing Google Play's security measures.

Restricted Settings prevent apps with questionable origin from enabling Accessibility or Notification Listener services. If the user tries to activate these services, the following notification is displayed: 

"For your security, this setting is currently unavailable.”

Accessibility or Notification Listener APIs are prone to exploits since they are especially powerful. Once users accept requested permission to use those APIs, apps are able to read the content of the device screen, can perform inputs, and can take action on any notification without further user interaction.

It's not hard to imagine the damage granted permissions like this can cause when exploited by malicious apps. The responsible parties are able to:

  • commit ad fraud,
  • steal one-time passwords (OTPs),
  • install additional payloads,
  • remote-control the device,
  • and much more ...

What's the loophole in Restricted Settings?

The loophole that is used is tied to how Android OS identifies where apps have been downloaded. The following APIs are used for identification:

    • Android's session-based installation APIs: indicate installation from an app store and are considered safe, no restrictions are enabled.
    • Android's non-session-based installation APIs: used for manual APK installations from other external sources which are considered at risk for exploitation.
However, Android apps with a non-session-based installation API can also sideload other apps via session-based installation, thereby bypassing Restricted Settings. This way, malicious apps can gain access to powerful permissions.
 
Android 15 vanilla ice cream-1
 Source: HubSpot AI

What's the new Enhanced Confirmation Mode doing?

Enhanced Confirmation Mode is an extension that should close the loophole within the Restricted Settings feature. Instead of using session-based installation APIs Enhanced Confirmation Mode checks the system settings for an allowlist. The XML file, containing the list, is part of the factory Android image. It must contain a full catalog of packages and installation programs that are granted immunity from any Enhanced Confirmation Mode restrictions.

All other apps installed without being listed, have to display an Enhanced Confirmation Mode dialog when trying to gain access to Accessibility or Notification Listener APIs. The dialog shows the same message to the user as in Restricted Settings:

"For your security, this setting is currently unavailable.”

Can Enhanced Cofirmation Mode be disabled?

It is not yet known whether Enhanced Confirmation Mode, just like Restricted Settings, can be disabled. This might not be recommended for sideloaded apps from questionable origins, but necessary when running your own or other legitimate sideloaded apps.

It is not yet clear which packages and installation programs will make it onto the allowlist and how Google will handle the expansion and maintenance of this list for GMS certified OS images.

In general, since the allowlist is delivered together with the OS image, the list can be adapted if custom OS images are build.

Need help?

emteria specializes in tailoring the Android OS to unique products, offering assistance to companies looking to enhance the allowlist for trusted sources when creating custom Android 15 OS images in the future.

Till then, we remain curious to see whether the new feature will make its debut with Android 15 and whether we might find out more in the next Beta release or Mishaal's next article on Android Authority. We'll keep you posted!

 


Sources:

Build unique Android products, based on your BSP

See why emteria is the chosen Android™ customization & management platform for product builders — build Android products based on your requirements.

Book live demo
Group 272-1

Table of contents

emteria Demo
See emteria in action