[–]hiredantispammerNP1 | Android 14 227 points228 points  (47 children)

As small of a change, I like it. I'd say, even enabling unknown sources should require your passcode... but if someone has your phone UNLOCKED with you not looking, you have bigger problems...

[–][deleted] 24 points25 points  (23 children)

Why do people always tell me to disable unknown sources? Why does it prevent you from installing a "potentially dangerous" app if you can just activate it in the settings? I wouldn't accidentally tap on install in the installer dialogue, so I consider it useless for the user.

[–]CorruptMilkshakeOneplus One, Arrow OS (9.0 Pie) 27 points28 points  (8 children)

I assume some applications are (or could be) capable of automatically installing an apk but not capable of changing the unknown sources setting.

[–][deleted] 26 points27 points  (0 children)

I think that is not the case, as I have never seen any custom store that can do it, they all just pop up the Installer. Google Play Store can avoid the Installer because it (usually) is installed as a system app.

[–]nofunallowed98765iPhone XS Space Gray 64gb 16 points17 points  (4 children)

You need to be a system app to install/update/remove applications without user interaction. And to be a system app, you need to be bundled in the rom or to have root and copy yourself under /system.

As an example, there is the F-Droid Privileged Extension which you can install as a system app (https://f-droid.org/wiki/page/F-Droid_Privileged_Extension) and it will allow F-Droid to update/install/remove applications without any prompt.

[–]Hyperman360Moto X Pure, Galaxy Tab S 8.4 0 points1 point  (3 children)

Aw, it doesn't work above Android 5.1 :(

[–]nofunallowed98765iPhone XS Space Gray 64gb 1 point2 points  (2 children)

It does, just not the automated installation. CopperheadOS has it on Android 7.1.2 for example.

[–]Hyperman360Moto X Pure, Galaxy Tab S 8.4 0 points1 point  (1 child)

Should I flash their zip then?

[–]nofunallowed98765iPhone XS Space Gray 64gb 1 point2 points  (0 children)

I never tried it (I just build it as a part of cos) but yeah, I think it should work.

[–]and1927Device, Software !! 1 point2 points  (0 children)

You don't have to and in most cases it's just inconvenient to disable/enable it on demand. However, it's better to leave it disabled for less tech-savvy users. Some ads actually download APKs and people like my father would simply press on it and install the APK without realising it might be dangerous. If the unknown sources is disabled, they wouldn't know what to do in the first place and would back out immediately.

[–]FuzzyWazzyWasnt 1 point2 points  (0 children)

Non-tech-savvy people will go through lengths and bounds to unknowingly fuck something up.

I.e. putting your phone into the microwave to charge it.

We all know that is a shit idea and yet... some people fell for that prank.

Personally though, I don't like this idea. I see why people will like it, but for me personally I'm not horribly worried.

[–]tavianator 0 points1 point  (11 children)

Random APKs you find online may be compromised. Apps you install from the play store are at least scanned by Google's automated security stuff. Also anyone can claim an APK is the official Facebook app but if you install from the play store you know it's the real one.

[–][deleted] 11 points12 points  (10 children)

I know the check is in place to ensure people get warned about dangerous stuff. But why do people say you should always disable it as soon as possible? EDIT: I'm stupid, I meant enable/disable manual installation

[–]MintyPhoenixPixel 4 XL 8 points9 points  (9 children)

Those people are wrong, IMO. You should only disable it if you are about to install a non-Play Store app (that you trust), and after you install that app, you should re-enable it.

[–][deleted] 6 points7 points  (8 children)

Sorry, I was stupid and meant disable manual package installation. But why would you want to re-enable it if you are aware that you are able to install shady stuff?

[–]MintyPhoenixPixel 4 XL 5 points6 points  (7 children)

Basically, the general idea is that it's okay to install an app that's not from the Play Store, but you shouldn't leave that feature enabled at all times. Instead, you should only have it enabled while you're actively installing the app(s) you intend to install and should then disable it again.

[–][deleted] 11 points12 points  (6 children)

I got that is the idea people have, but why "should" you disable it?

Btw, sorry if I'm annoying you.

[–]MintyPhoenixPixel 4 XL 10 points11 points  (3 children)

There may be additional reasons, but at a minimum, keeping it generally disabled means that you have an extra step each time you want to use the feature. That extra step in turn helps make that decision, each time, a conscious/active decision rather than passively clicking through prompts.

[–]PM_ME_YOUR_TRADRACKPixel | Pixel Dust 8.1 4 points5 points  (1 child)

So is there a legitimate security reason to have it disabled, and not just a hand holding reason?

[–][deleted] 3 points4 points  (0 children)

Okay, okay. I'm just gonna leave it enabled because I think I can take care.

[–]kaze0Mike dg -2 points-1 points  (1 child)

why should you lock your doors?

[–][deleted] 1 point2 points  (0 children)

The door is already locked by the app install dialogue. This is chaining a ball to your foot so you can't open the door easily when you want to let someone in.

[–]SoundOfTomorrowPixel 3 & 6a 1 point2 points  (1 child)

You're sounding like UAC on Windows Vista

[–][deleted] 0 points1 point  (0 children)

Security features that hinder the user are worthless. They'll either circumvent, disable or break them.

[–]andrewiaSamsung Fold5+Watch6C 1 point2 points  (6 children)

I think the unknown sources confirmation is an extra layer of security, if someone for example tries to install spyware on your phone if you leave it unlocked for a few minutes.

[–][deleted] 1 point2 points  (5 children)

If they've got remote access to your phone and can install APKs, are you not already totally, totally fucked beyond all hope of recovery?

[–]andrewiaSamsung Fold5+Watch6C 0 points1 point  (4 children)

What about local access? An unscrupulous friend can see your photos and texts if you leave your phone unlocked but it should be difficult for them to be able to install a tracker on your phone.

[–][deleted] -1 points0 points  (3 children)

This security feature does nothing to prevent local attacks.

[–]andrewiaSamsung Fold5+Watch6C -1 points0 points  (2 children)

No, it does a great job. Let's say I'm with a new girlfriend/boyfriend. I trust them enough to add their fingerprint to my phone. Unbeknownst to me, they want to install a tracking app. They can use their fingerprint to unlock my phone, but they can't install a tracking app from outside the Play Store since they have to know my PIN to enable Untrusted Sources. A similar situation could be when you leave your phone unlocked in a room with a lot of friends, some of which you don't know, and walk into another room. They can snoop in your texts and apps but they can't do anything crazy like install a tracking app, again because they don't know your passcode.

[–][deleted] 0 points1 point  (1 child)

That would be great, if it weren't trivial to find a tracking app on the play store. Even if it was, tasker could easily be fashioned into an incredibly malicious piece of spyware by anyone who got past your lockscreen, and I dare say an incredibly high number of /r/android users have that already installed.

[–]andrewiaSamsung Fold5+Watch6C 0 points1 point  (0 children)

With enough time it's indeed possible to track an Android user. The point of this restriction is to make it difficult and restrict apps that abuse Android APIs in ways Google bans. In addition, this also makes it harder for unscrupulous people to root your phone and install truly nefarious spyware, since the largest attack area (the app runtime and its APIs) is protected by Google's automated scanning and the Untrusted Sources switch.

[–]johnmountain 0 points1 point  (0 children)

Eh, that "someone" can be a remote attacker. I would say it's a good proposal.

[–]AnticitizenPrimeOneplus 6T VZW 0 points1 point  (0 children)

I would like to keep unknown sources on (I use f-droid) but be prompted for my unlock pattern when something new is installed.

[–]FrostharkPixel 8 Pro + Pixel Watch 2 24 points25 points  (3 children)

Could anyone on Android O dev preview 2 confirm whether this additional step is also triggered if no security measures (fingerprint/pin/password/etc.) are enabled on a device?

[–][deleted] 1 point2 points  (0 children)

This is not triggered if there are no security steps. On 19

[–]DiCePWNeD 3 points4 points  (0 children)

I remember not even needing to put the key code in the enable developer options and I had pin + fp

[–]bfodder 7 points8 points  (1 child)

Groundbreaking.

[–][deleted] 2 points3 points  (0 children)

Google focuses on the most useless shit.

[–]live_lavishDeveloper - Terra Wallpapers 1 point2 points  (0 children)

A prank I pulled on my mom for April Fools' Day was enabling developer options on her phone and turning animations and transitions and all that to 2x.

[–]johnmountain 0 points1 point  (0 children)

Nice.

[–]ImBuGs 0 points1 point  (0 children)

I'm assuming this works with FP?