Unknown sources

The Unknown sources security setting enables or disables the ability to install apps from sources other than Google's Play Store (or your device manufacturer's own app store).

A fundamental feature of Android is that it doesn't restrict you from installing apps that you didn't obtain through official Google or manufacturer channels, allowing you to install any app, including those you have developed yourself. Apps come in the form of ".apk" files, an abbreviation of Android package, and may be developed using the official Android Studio and SDK Tools, or other software.

However, for security reasons, most Android devices come with this ability disabled by default. Users wishing to install third-party apps must first allow this using the Unknown sources setting in their Security settings.

Enabling this setting allows you to install apps from bare ".apk" files which you have saved or loaded onto your device, but it also allows you to use alternative third-party app stores to find and install apps. A few third-party app stores can even be found in Google's Play Store.

Security implications

This setting is disabled by default to protect inexperienced users from certain kinds of scams or attacks, so enabling this setting should be done only with a proper understanding of what to look out for.

Installing apps from companies you know and trust

Care should be taken to ensure you only download an app from people or companies you know, and in the case of a company, that you obtain the app from their official website.

Avoid installing an app after receiving it attached to an email you didn't request, or mentioned in an email or any anonymous online forum or comments section.

Understanding the .apk format

Occasionally an attacker may attempt to trick you into installing an app by presenting you with an .apk file when you expected some other kind of file. Upon opening an .apk file on your Android device, you will be prompted as to whether you wish to install the app. If you did not expect to have to install an app, you should abort immediately and not proceed, as it may be an attempt to trick you into installing malicious software on your Android device.

An .apk file is roughly equivalent to a software installer on a desktop computer, in that it can not only place the software on your device but also set it to run automatically at certain times or appear when you perform certain actions. For the most part, Android's security model does a good job of preventing apps from taking actions you don't want, but if the app developer is malicious there is still a range of things an app with no special permissions can do that would be harmful or unwanted.
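
The unexpected-.apk situation described in this section can also be checked before a file ever reaches the device, for example on a desktop or a mail gateway. The following is an added example, not part of the original page: it relies on the fact that an APK is a ZIP archive with AndroidManifest.xml at its root, and the function names, verdict strings and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

MANIFEST = "AndroidManifest.xml"  # present at the root of every APK

def looks_like_apk(data: bytes) -> bool:
    """True when the bytes are a ZIP archive holding AndroidManifest.xml."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as archive:
            return MANIFEST in archive.namelist()
    except zipfile.BadZipFile:
        return False

def check_download(filename: str, data: bytes, expected_ext: str) -> str:
    """Compare what arrived with what the user expected (e.g. '.pdf').

    The verdict strings are labels invented for this example.
    """
    is_app = filename.lower().endswith(".apk") or looks_like_apk(data)
    if not is_app:
        return "ok"
    if expected_ext.lower() == ".apk":
        return "ok-expected-app"
    return "abort-unexpected-app"

def make_zip(member_names) -> bytes:
    """Build a constructed in-memory ZIP with placeholder member contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in member_names:
            archive.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed samples: an APK-shaped archive, a .docx-shaped archive, a PDF stub.
SAMPLE_APK = make_zip([MANIFEST, "classes.dex", "resources.arsc"])
SAMPLE_DOCX = make_zip(["[Content_Types].xml", "word/document.xml"])
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not a real document\n"

if __name__ == "__main__":
    for name, data, expected in [
        ("invoice.pdf.apk", SAMPLE_APK, ".pdf"),
        ("photo.jpg", SAMPLE_APK, ".jpg"),
        ("report.docx", SAMPLE_DOCX, ".docx"),
        ("myapp.apk", SAMPLE_APK, ".apk"),
    ]:
        print(f"{name:18} expected {expected:6} -> {check_download(name, data, expected)}")
```

The .docx case shows why the extension alone is not enough in either direction: many document formats are also ZIP archives, so the check looks for the manifest rather than for the ZIP container.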