OPPO Store Help

Unknown sources permission guide on Android

Since Android 8.0, "unknown sources" is no longer a single system-wide switch. Install permission is granted individually to each app that can trigger the package installer. This guide explains what that means, how to manage it, and what to watch out for across different device brands.

Updated
Applies to
Android 8.0+ (ColorOS, One UI, HyperOS/MIUI, stock Android)
Reading time
About 6 min

What "unknown sources" means on modern Android

Any app that was not installed through a trusted store (Google Play, the Galaxy Store, the manufacturer's own store) is considered to come from an "unknown source." The Android package installer refuses to process an APK unless the app delivering it—your browser, a file manager, a messaging app—has been explicitly granted the Install unknown apps permission.

On Android 7.1 and earlier, a single toggle in Settings > Security allowed all apps to install APKs. This was a broad permission with significant security implications: any app on the device could silently trigger an install prompt. Android 8.0 (Oreo) replaced this with a per-app model, giving you granular control over which apps can request installations.

How per-app install permission works

Each app that can deliver an APK file to the package installer has its own independent toggle. When you tap an APK file downloaded through Chrome, the system checks whether Chrome has the Install unknown apps permission. If it does not, Android either blocks the install or redirects you to the Settings page for that specific app so you can enable it.

Key points about this model:

  • Permission is checked at the moment the APK is handed to the package installer, not at download time.
  • Granting permission to Chrome does not affect your file manager, and vice versa. Each app must be authorised separately.
  • The permission persists until you manually revoke it. It is not reset by rebooting or updating the source app (though some manufacturer skins behave differently—see below).
  • Apps themselves cannot grant this permission to themselves. Only the user can enable it through Settings.

Step-by-step: enabling the permission

  1. Download or receive the APK file through any app (browser, file manager, messaging app).
  2. Tap the APK file. If the source app lacks install permission, Android displays a prompt: "For your security, your phone is not allowed to install unknown apps from this source."
  3. Tap Settings on the prompt. This takes you directly to the permission page for that app.
  4. Toggle Allow from this source on.
  5. Press Back. The install prompt reappears. Review the app name and permissions summary, then tap Install.

If you need to find the setting without going through the install flow, navigate manually:

  • Stock Android: Settings > Apps > Special app access > Install unknown apps.
  • ColorOS (OPPO): Settings > Password & security > System security > Install unknown apps. On some ColorOS versions, also accessible via Settings > Apps > Special app access.
  • One UI (Samsung): Settings > Apps > Menu (⋮) > Special access > Install unknown apps.
  • HyperOS / MIUI (Xiaomi): Settings > Privacy protection > Special permissions > Install unknown apps. Older MIUI versions may use Settings > Additional settings > Privacy > Unknown sources (the legacy single toggle may still appear on MIUI builds based on Android 7).

Tip: If you cannot find the menu, open the search bar at the top of Settings and type "install unknown" or "install other apps." Every manufacturer skin indexes this setting under at least one of those phrases.

Security considerations before enabling

Granting install permission to an app means that app can present an install prompt to you at any time, without further authorisation. This matters because:

  • Browsers are the highest-risk source. A malicious or compromised website can trigger an APK download. If your browser already has install permission, the system will present the install prompt immediately. Without the permission, the download completes but the install is blocked—adding a friction step that prevents accidental installs.
  • Messaging apps can deliver APKs. If you grant Telegram, WhatsApp, or a similar app install permission, any APK received as a file attachment can trigger an install prompt when tapped. This is useful for legitimate beta distribution but risky if contacts send unsolicited files.
  • File managers affect all local APKs. Granting a file manager install permission means tapping any APK on the device—regardless of origin—will trigger an install. This is the broadest exposure.

The core principle: grant the permission only to the specific app you are using right now, and revoke it as soon as you finish.

Revoking the permission after install

Navigate back to the install-permission list (using the paths in the step-by-step section above) and toggle Allow from this source off for each app you previously enabled.

If you sideload apps regularly, consider enabling the permission only for a single dedicated file manager that you trust, and leave all other apps (browsers, messaging apps) permanently set to "Not allowed." This limits the number of entry points.

Differences between device brands

The core permission model is the same on all devices running Android 8.0 or later, but manufacturer skins add their own layers:

  • OPPO (ColorOS): May show an additional confirmation dialog or a brief security scan before allowing the install to proceed. Some ColorOS versions offer an "Allow once" option that automatically revokes the permission after the current install completes—use it when available. If the toggle appears greyed out, check whether a device-management profile or the OPPO Kids Space feature is restricting it.
  • Samsung (One UI): Integrates with Samsung's security policies. On devices managed by Knox, the IT administrator can block unknown-source installs entirely, and no user-side setting can override it. Unmanaged devices behave like stock Android.
  • Xiaomi (HyperOS / MIUI): Older MIUI builds based on Android 7 retain the legacy single toggle. After upgrading to a MIUI version based on Android 8 or later, the per-app model takes over, but the old Settings path may still appear and redirect to the new interface. MIUI also runs APKs through its own virus scan during install—this scan can be slow on older hardware and is not the same as Google Play Protect.
  • Stock Android and Pixel: Follows the standard path without additional prompts or scans. The permission list is at Settings > Apps > Special app access > Install unknown apps.

Common mistakes

  • Leaving the permission enabled permanently. This is the most frequent mistake. Users enable the toggle for Chrome to install one APK and never revoke it. Months later, a malicious ad or compromised page triggers an APK download and the install prompt appears with no additional friction. Revoke after every sideloading session.
  • Granting permission to the wrong app. If you downloaded the APK through Chrome but opened it from the Files app, you need to grant permission to Files—not Chrome. The permission check applies to the app that hands the APK to the installer, which is the app you tap the file in.
  • Confusing "Install unknown apps" with "App install" restrictions. Parental controls and enterprise profiles can impose a blanket block on all installs, including from the Play Store. If every install is blocked—not just sideloaded APKs—check Settings > Digital Wellbeing & parental controls or ask your device administrator.
  • Assuming the permission makes APKs safe. The permission only removes the install gate. It does not verify the APK's origin, scan for malware, or confirm the developer's identity. You must still validate the source and integrity of every APK you install. See How to install APK files safely for a full checklist.

Edge cases and confusion points

  • ADB installs bypass this permission entirely. When you install via adb install over USB, the package installer uses the ADB trust path (USB debugging authorisation), not the per-app unknown-sources permission. The toggle in Settings has no effect on ADB installs.
  • Work profiles have separate permission lists. On devices with Android Enterprise work profiles, the personal profile and work profile each maintain independent install-permission settings. An app allowed to install in your personal profile cannot trigger installs inside the work profile.
  • The permission does not survive app uninstall/reinstall. If you uninstall Chrome and reinstall it, the install-unknown-apps permission is reset to "Not allowed." You must re-grant it if needed.
  • Some apps never appear in the list. Only apps that declare the REQUEST_INSTALL_PACKAGES permission in their manifest appear in the install-permission list. If an app is missing from the list, it cannot trigger the package installer regardless of your settings.
  • Blocked by Google Play Protect at a different stage. Even with install permission enabled, Play Protect may separately block or warn about the APK after you tap Install. This is a distinct check—Play Protect evaluates the APK content, while the unknown-sources permission controls whether the source app can initiate the install process at all.

Note: Menu paths and feature names shift between OS updates. If a path listed in this guide does not match your device, use the Settings search bar. The underlying permission model is consistent across all Android 8.0+ devices.

Frequently asked questions

I allowed Chrome but the install still fails — do I also need to allow my file manager?

It depends on which app you tap the APK in. If Chrome completes the download and you open the file from Chrome's download bar, Chrome is the source app. If you navigate to the Downloads folder in a file-manager app and tap the APK there, the file manager is the source app and needs its own permission. Only the app that invokes the package installer needs the toggle enabled.

Why does the toggle keep resetting to off?

Enterprise device-management policies, parental controls, and some security apps can automatically revoke install permissions after an OS update or policy sync. Check Settings > Security > Device admin apps and Digital Wellbeing & parental controls for active restrictions. On OPPO devices, OPPO Kids Space also resets this toggle.

Is installing via ADB the same as "unknown sources"?

No. ADB installs use the USB debugging trust path. When you authorise a computer for USB debugging, that computer can push APKs to the device without the per-app unknown-sources permission being involved. The two mechanisms are independent.

Does enabling this permission make my phone less secure?

It removes one layer of protection: the gate that prevents a specific app from presenting install prompts. Your phone is not immediately compromised, but the risk of accidental or social-engineered installs increases. Minimise exposure by revoking the permission as soon as you finish installing, and by granting it to as few apps as possible.

My phone is on Android 7 and I only see a single toggle — is that normal?

Yes. Android 7.1 and earlier use a global "Unknown sources" switch under Settings > Security. The per-app model was introduced in Android 8.0 (Oreo). If your device has not received an update to Android 8 or later, the single toggle is expected. Be especially careful with it, since enabling it allows every app on the device to trigger installs.