Enable Unknown Sources for APK
Leaving "unknown sources" enabled for all apps exposes your device to drive-by malware installs. The safe approach: enable it only for the specific app you're using to install, then disable it immediately after.
Last updated: January 19, 2026
What does "unknown sources" actually control?
Android blocks APK installations from outside the Play Store by default. This setting — called "sideloading" — lets you bypass that block. How it works depends on your Android version:
| Android version | Permission type | Security implication |
|---|---|---|
| Android 8.0+ (Oreo) | Per-app permission | Only the allowed app can install APKs |
| Android 7.x and older | Global toggle | Any app can install APKs — higher risk |
Per-app permission is safer — even if you forget to disable it, only Chrome (or whichever app you allowed) can install APKs. On older Android, any app can trigger installs.
How do I enable unknown sources on my phone?
Paths differ by manufacturer. Find your brand below:
| Brand | Path (Android 8+) |
|---|---|
| Stock Android / Pixel | Settings → Apps → Special app access → Install unknown apps → [Browser] |
| Samsung (One UI) | Settings → Biometrics and security → Install unknown apps → [Browser] |
| Xiaomi (MIUI) | Settings → Privacy protection → Special permissions → Install unknown apps |
| Huawei (EMUI) | Settings → Security → More settings → Install apps from external sources |
| OnePlus (OxygenOS) | Settings → Apps → Special app access → Install unknown apps |
| Oppo / Realme | Settings → Privacy → Install unknown apps |
Tip: If you can't find it, open Settings and search for "install unknown" — the search will show the exact location on your device.
What are the risks of leaving it enabled?
Leaving unknown sources on creates attack vectors:
| Risk | How it happens | Prevention |
|---|---|---|
| Drive-by download | Malicious site auto-downloads APK, you tap it accidentally | Disable permission after install |
| Fake update prompt | Popup claims "update required" and installs malware | Only update from official source |
| Compromised app | Another app on your phone triggers APK install | Use per-app permission (Android 8+) |
Play Protect still scans sideloaded APKs, but it's not foolproof. Disabling unknown sources is your first line of defense.
How do I disable it after installing?
Go back to the same location and turn off the toggle. On Android 8+ you're disabling permission for a specific app, not a global setting.
Quick steps:
- Open Settings → search "install unknown"
- Find the browser you used (Chrome, Firefox, etc.)
- Toggle off "Allow from this source"
- Verify by trying to install any APK — it should be blocked
You'll need to re-enable this when updating the app manually. The toggle only affects new installs, not apps already on your device.
What about Android 7 and older?
Older Android uses a global toggle — once enabled, any app can install APKs. This is riskier, so extra caution is needed:
- Path: Settings → Security → Unknown sources
- Enable only during install — tap the APK, wait for install to complete, then immediately disable.
- Consider upgrading — Android 7 no longer receives security updates, making it vulnerable regardless.
Quick reference: enable → install → disable
Follow this sequence every time you sideload an APK.
| # | Step | Verify |
|---|---|---|
| 1 | Download APK from official source | Check URL is correct before downloading |
| 2 | Tap APK → Android prompts to enable setting | Follow the prompt to Settings |
| 3 | Enable "Allow from this source" for browser only | Don't enable for other apps |
| 4 | Return to APK → tap Install | Wait for "App installed" confirmation |
| 5 | Go back to Settings → disable the permission | Try installing another APK — should be blocked |