Android 15 may make it even harder for sideloaded apps to get sensitive permissions


Edgar Cervantes / Android Authority

TL;DR

  • Android 15 could introduce a new Enhanced Confirmation Mode that makes it harder for malicious apps to exploit an OS loophole.
  • Android blocks users from easily enabling the Accessibility or Notification Listener services of apps that are sideloaded from outside an app store.
  • However, the method that Android uses for this has a loophole in it that Android 15 will close.

Although most Android users download apps from preloaded app stores like Google Play, some users get their apps from alternative online sources, a practice called sideloading. This is possible because Android lets users install third-party apps without the Google Play Store so long as they get their hands on the necessary app installation files. The ability to freely sideload apps is a big part of what makes Android a more open platform than iOS. Unfortunately, it’s also the reason why people erroneously believe that Android is less secure than iOS.

That’s because regardless of where you source apps from, Android’s built-in privacy and security features ensure they can’t access sensitive permissions without your consent. However, it’s true that sideloading apps from alternative online sources carries a bit more risk for the average user when compared to sticking with Google Play. This is because it’s simply easier for malicious developers to distribute apps outside of Google Play since they don’t need to deal with the regulations, bureaucracy, and scrutiny that Google Play app distribution entails.

Malicious Android apps, no matter where they’re sourced from, commonly try to trick users into granting them access to the Accessibility and Notification Listener APIs because of their power. The Accessibility API lets apps read the content of the screen and also perform inputs on behalf of the user, while the Notification Listener API lets apps read or take action on any notification. These APIs can be used to commit ad fraud, steal one-time passwords (OTPs), install additional payloads, and do much, much more.
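A defender's check that follows from this, as an added example that is not from the original article: list which packages currently hold Accessibility or Notification Listener access and flag those not installed by an app store. It parses the text output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i`; the package names, the sample outputs and the `STORE_INSTALLERS` allowlist are constructed assumptions.

```python
# Added example: audit holders of Accessibility / Notification Listener access.
# Assumption: installers treated as app stores; adjust for your devices.
STORE_INSTALLERS = {"com.android.vending"}

def parse_components(value):
    """Settings value is a ':'-separated list of 'package/class' names."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def parse_installers(pm_output):
    """Map package -> installer from 'pm list packages -i' lines."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers

def audit(accessibility, listeners, pm_output):
    """Return (package, granted APIs, installer) for non-store packages."""
    installers = parse_installers(pm_output)
    grants = {}
    for pkg in parse_components(accessibility):
        grants.setdefault(pkg, []).append("accessibility")
    for pkg in parse_components(listeners):
        grants.setdefault(pkg, []).append("notification_listener")
    return [(pkg, sorted(apis), installers.get(pkg, "unknown"))
            for pkg, apis in sorted(grants.items())
            if installers.get(pkg, "unknown") not in STORE_INSTALLERS]

# Constructed sample outputs (not captured from a real device).
SAMPLE_A11Y = ("com.example.sideloaded/com.example.sideloaded.A11yService:"
               "com.example.store/.ScreenReader")
SAMPLE_NLS = "com.example.sideloaded/com.example.sideloaded.Listener"
SAMPLE_PM = """package:com.example.sideloaded  installer=null
package:com.example.store  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, apis, installer in audit(SAMPLE_A11Y, SAMPLE_NLS, SAMPLE_PM):
        print(f"{pkg}: {', '.join(apis)} (installer={installer})")
```

Preinstalled system apps also report `installer=null`, so findings need to be compared against the device's factory package list before treating them as sideloaded.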

While Google Play has some (mostly bureaucratic) measures to ensure these APIs are used for their intended purposes, Android itself relies mostly on the…
