Android Oreo: Google has just made app installs from unknown sources a lot safer
On the left is the pre-Android O install screen for a potentially harmful app masquerading as a system update. With Android O, right, the user must first grant permission to the app that triggers the install.
Android 8.0 has introduced a new way to protect devices from malicious Android apps installed from the web or third-party app stores.
Featured
Until now, Android users could install apps from places other than Google's Play Store by enabling 'Install from unknown sources' in Android Settings. Though it is a convenient option, users are generally not recommended to enable this feature because it can lead to malicious apps being downloaded to their phone.
Moreover, users who enabled 'Allow unknown sources' were still exposed to a benign app offering a bogus security update that in fact installs a malicious app. Google calls these "hostile downloaders" and, according to its 2016 Android security report, they're the second most prevalent threat on the Play Store following Trojans.
In Android Oreo, Google eschewed the setting for a new 'Install unknown apps' permission that's tied to each app.
Android Oreo users will need to grant permission to each app to allow it to download apps from untrusted sources. So, the user could enable Drive and a third-party store app to download apps outside the Play Store, but block Chrome and Gmail from downloading unknown apps.
This new per-app opt-in model should go some way to preventing hostile downloaders, given that now the user would need to give the app permission to install another app before a hostile downloader can install software with standard trickery.
The Settings app now lists which apps have been approved for installing unknown apps. Users can also revoke the permission in Settings.
Older versions of Android will continue to use the Settings page to either allow or disallow installs from outside of the Play Store.
Google has outlined changes that app developers need to make to use this new behavior. Essentially they'll need to declare upfront that they could request permission to be able to install apps from Android's Package Installer.
Apps that haven't declared this permission are automatically banned from installing other apps.
Previous coverage
Android 8.0 Oreo: Rollout begins for Pixel, Nexus in Android beta
The long road to rolling out Android 8.0 to handsets has started.
Google reveals official name of Android O
Months of sweet suspense have come to an end. Android O has a name.
What you can expect from Android O
Android O is almost ready to go, and thanks to Project Treble, more users than ever will get the newest version of Android.
Read more on Android security
- Google Play Protect rolling out to Android devices for better security
- Google names 42 Android devices with users running security updates from last two months
- Android security report: Google aims to clean up 'unwanted software' in 2017
- This Android Trojan pretends to be Flash security update but downloads additional malware
- Easy ways to make your Android device more secure (TechRepublic)
- Google says it's stopped a ton of 'dangerous' Android apps (CNET)