Android 15 cracks down on sideloaded apps even harder to protect users

For
power
users,
there’s
no
question
that
being
able
to
install
apps
from
outside
the
Google
Play
Store,
i.e.,

sideloading,
is
one
of
the
biggest
advantages
of

Android
compared
to
iOS.
Sideloading
gives
users
the
freedom
to
install
any
application
they
want,
even
if
it’s
not
approved
by
Google
or,
more
importantly,
the
authorities.
Because
distributing
apps
directly
to
users
is
easier
than
publishing
them
on
app
stores
like
Google
Play,
many
hackers
rely
on
sideloading
to
infect
users’
devices
with
malware.
To
combat
this,
Google
is
introducing
new
restrictions
in

Android
15
that
make
it
harder
for
sideloaded
apps
to
obtain
sensitive
permissions.

Before
I
go
any
further,
I
need
to
address
Google’s
intentions
with
this
change.
Is
Google
restricting
what
permissions
sideloaded
apps
can
obtain
because
they
actually
want
to
protect
users,
or
are
they
doing
it
to
keep
people
on
the

Google
Play
Store?
Given
the
many
court
cases
and
legal
battles
that
Google
has
been
caught
up
with
in
recent
years,
it’s
easy
to
be
skeptical
that
Google
has
good
intentions
with
this
change.
However,
it’s
important
to
consider
two
facts.

First,
sideloading
is
a
common
vector
for

malware
due
to
the
lower
barrier
of
entry
for
distribution.
Second,
these
restrictions
don’t
apply
to
any

third-party
app
stores
for
Android
that
utilize
the
operating
system’s
purpose-built
API
for
installing
apps.
In
fact,
Android
15’s
restrictions
on
sideloaded
apps
are
merely
an
expansion
of
a
security
change
introduced
in
a
previous
version,
a
change
that
has
not
materially
impacted
third-party
app
stores
and
can
still
be
manually
disabled
by
the
user.

The
change
I’m
referring
to
is
called
restricted
settings,
a
feature
introduced
in
Android
13
that
makes
it
harder
for
sideloaded
apps
to
obtain
certain
sensitive
permissions.

For
the
purpose
of
the
restricted
settings
feature,
Android
considers
apps
to
be
“sideloaded”
if
they
were
installed
from
an
app
that
didn’t
use
the
purpose-built
installation
API
designed
for
app
stores.
Typically,
this
includes
installations
from
apps
like
web
browsers,
messaging
apps,
or
file
managers.
If
this
occurs,
then
the
sideloaded
app
is
denied
access
to
permissions
that
grant
the
use
of
Android’s
accessibility
and
notification
listener
APIs,
which
are
two
of
the
most
powerful
APIs
the
platform
offers.

These
two
APIs
are
commonly
abused
by
malicious
apps
looking
to
control
the
user’s
device
or
steal
sensitive
information,
which
is
why
Google
sought
to
restrict
sideloaded
apps
from
using
them.

However,
apps
installed
using
the
session-based
installation
API
are
not
restricted
from
requesting
permissions
to
use
the
accessibility
or
notification
listener
APIs.
This
is
because
the
session-based
installation
API
is
typically
used
by
third-party
app
stores.
Google
designed
these
restrictions
to
not
impede
third-party
app
stores,
and
they
also
designed
them
so
users
who
know
what
they’re
doing
can
still
get
around
them.

The
permissions
to
use
the
accessibility
and
notification
listener
APIs
aren’t
the
only
sensitive
permissions
that
Android
has
to
offer,
though.
The
SMS
runtime
permission
lets
apps
read
the
user’s
entire
SMS
database.
The
device
admin
permission
lets
apps
lock
or
wipe
the
device
at
will.
The
overlay
permission
lets
apps
draw
on
top
of
other
apps.
The
usage
access
permission
lets
apps
track
what
apps
you’re
using
and
how
often
you’re
using
them.
These
permissions
are
all
incredibly
powerful,
which
is
why
the
user
has
to
manually
grant
them
to
apps.

Starting
in
Android
15,
though,
these
permissions
can’t
be
easily
granted
to
sideloaded
apps.
Google
is
expanding
the
restricted
settings
feature
to
cover
all
the
permissions
I
just
mentioned
as
well
as
the
default
dialer
and
SMS
roles.
Google
alluded
to
this
expansion
in
a
May
blog
post,
but
they
only
recently
shared
what
the
restrictions
are
in
full
when
they
published
the
Android
15
Compatibility
Definition
Document
(CDD)
last
week.

The
section
on
restricted
settings
in
the
Android
15
CDD
is

quite
long,
but
in
short,
Google
is
requiring
that
the
following
permissions
and
roles
must
have
the
“restricted
settings”
feature
applied
to
them:

• Special
  permissions
  • Accessibility
  • Notification
    listener
  • Device
    admin
  • Display
    over
    other
    apps
  • Usage
    access
• Roles
  (Default
  apps)
  • Dialer
  • SMS
• Runtime
  permissions

The
restricted
settings
feature
must
be
applied
when
an
app
is
installed
“after
being
downloaded
through
an
application
…
other
than
an
‘app
store’
application
identified
by

PackageManager
as

PACKAGE_DOWNLOADED_FILE”
or
when
the
app
is
installed
“from
a
local
file
…
identified
by

PackageManager
as

PACKAGE_SOURCE_LOCAL_FILE.”

The
CDD
mandates
that
all
devices
running
Android
15
enable
restricted
settings
by
default,
but
it
only
strongly
recommends
that
OEMs
don’t
provide
an
option
to
disable
restricted
settings
for
all
apps.
It
does,
however,
state
that
OEMs
have
to
provide
a
mechanism
to
allow
users
to
enable
a
restricted
setting
through
the
app
info
page,
which
has
already
been
the
case
since
Android
13.

Although
the
above
list
represents
the
permissions
and
roles
that
Google
requires
the
restricted
settings
to
apply
to
in
Android
15,
the
door
is
left
open
for
the
restrictions
to
apply
to
more
permissions
in
the
future.
In
fact,
Google
wants
OEMs
to
use
the

EnhancedConfirmationManager
API
to
dynamically
determine
if
other
special
permissions
should
be
restricted.
We
talked
about

Android
15’s
enhanced
confirmation
mode
feature
before,
but
it
seems
Google
hasn’t
deployed
it
just
yet.

Google
is
likely
to
continue
expanding
restricted
settings
in
future
releases
of
Android,
though
we
don’t
know
which
additional
permissions
the
feature
will
cover
when
it
does.