Sideloading General

Hellwalker

Hellwalker

Intolerance for life
True & Honest Fan
kiwifarms.net
Joined
Nov 17, 2024
This thread is for general purpose sideloading for both IOS and Android and discussion of tools used to sideload and apps.

I use AltStore for sideloading IPA's on my iPhone. It's pretty much the only sideloading tool I use and need. I use Linux, however, and there isn't any official support for Linux so AltServer-Linux is the only way to have it on Linux. I did find the installation confusing though so I used AltServer-Linux-PyScript for an easier installation. I also don't use Wifi refresh for refreshing my apps so I didn't bother with Netmuxd. I find using a lightning cable for consistent.

The only app I needed for sideloading is YTLitePlus. This has been the best tweaked YouTube app I have used. The only other has been uYouPlus. YTLitePlus has a shit ton of features as shown on their Github page.

Banner.png

You will have to build it manually though because Google DMCA'd most modified YouTube apps.
 
I've said this a million times before but I hate how they've retroactively coined the term "sideloading".
"Side" implying some fringe usecase instead of how applications have been loaded since the dawn of computing.
 
Google is limiting sideloading of unverified apps in Android, starting next year:
https://arstechnica.com/gadgets/202...f-unverified-android-apps-starting-next-year/ (A)

Google will block sideloading of unverified Android apps starting next year​

Android's open nature set it apart from the iPhone as the era of touchscreen smartphones began nearly two decades ago. Little by little, Google has traded some of that openness for security, and its next security initiative could make the biggest concessions yet in the name of blocking bad apps. Google has announced plans to begin verifying the identities of all Android app developers, and not just those publishing on the Play Store. Google intends to verify developer identities no matter where they offer their content, and apps without verification won't work on most Android devices in the coming years.

Google used to do very little curation of the Play Store (or Android Market, if you go back far enough), but it has long sought to improve the platform's reputation as being less secure than the Apple App Store. Years ago, you could publish actual exploits in the official store to gain root access on phones, but now there are multiple reviews and detection mechanisms to reduce the prevalence of malware and banned content. While the Play Store is still not perfect, Google claims apps sideloaded from outside its store are 50 times more likely to contain malware.

This, we are led to believe, is the impetus for Google's new developer verification system. The company describes it like an "ID check at the airport." Since requiring all Google Play app developers to verify their identities in 2023, it has seen a precipitous drop in malware and fraud. Bad actors in Google Play leveraged anonymity to distribute malicious apps, so it stands to reason that verifying app developers outside of Google Play could also enhance security.

However, making that happen outside of its app store will require Google to take a page from Apple's playbook and flex its muscle in a way many Android users and developers could find intrusive. Google plans to create a streamlined Android Developer Console, which devs will use if they plan to distribute apps outside of the Play Store. After verifying their identities, developers will have to register the package name and signing keys of their apps. Google won't check the content or functionality of the apps, though.

Google says that only apps with verified identities will be installable on certified Android devices, which is virtually every Android-based device—if it has Google services on it, it's a certified device. If you have a non-Google build of Android on your phone, none of this applies. However, that's a vanishingly small fraction of the Android ecosystem outside of China.

Google plans to begin testing this system with early access in October of this year. In March 2026, all developers will have access to the new console to get verified. In September 2026, Google plans to launch this feature in Brazil, Indonesia, Singapore, and Thailand. The next step is still hazy, but Google is targeting 2027 to expand the verification requirements globally.

A seismic shift​

This plan comes at a major crossroads for Android. The ongoing Google Play antitrust case brought by Epic Games may finally force changes to Google Play in the coming months. Google lost its appeal of the verdict several weeks ago, and while it plans to appeal the case to the US Supreme Court, the company will have to begin altering its app distribution scheme, barring further legal maneuvering.

Among other things, the court has ordered that Google must distribute third-party app stores and allow Play Store content to be rehosted in other storefronts. Giving people more ways to get apps could increase choice, which is what Epic and other developers wanted. However, third-party sources won't have the deep system integration of the Play Store, which means users will be sideloading these apps without Google's layers of security.

It's hard to say how much of a genuine security problem this is. On one hand, it makes sense Google would be concerned—most of the major malware threats to Android devices spread via third-party app repositories. However, enforcing an installation whitelist across almost all Android devices is heavy handed. This requires everyone making Android apps to satisfy Google's requirements before virtually anyone will be able to install their apps, which could help Google retain control as the app market opens up. While the requirements may be minimal right now, there's no guarantee they will stay that way.

The documentation currently available doesn't explain what will happen if you try to install a non-verified app, nor how phones will check for verification status. Presumably, Google will distribute this whitelist in Play Services as the implementation date approaches. We've reached out for details on that front and will report if we hear anything.
https://www.androidauthority.com/android-developer-verification-requirements-3590911/ (A)

Google wants to make sideloading Android apps safer by verifying developers’ identities​

Google wants to verify the identity of all developers who distribute apps on Android, even if it’s outside the Play Store

TL;DR
  • Google will soon verify the identities of developers who distribute Android apps outside the Play Store.
  • Developers must submit their information to a new Android Developer Console, increasing their accountability for their apps.
  • Rolling out in phases from September 2026, these new verification requirements are aimed at protecting users from malware by making it harder for malicious developers to remain anonymous.

Most Android users acquire apps from the Google Play Store, but a small number of users download apps from outside of it, a process known as sideloading. There are some nifty tools that aren’t available on the Play Store because their developers don’t want to deal with Google’s approval or verification requirements. This is understandable for hobbyist developers who simply want to share something cool or useful without the burden of shedding their anonymity or committing to user support. Unfortunately, malicious developers take advantage of this openness and hide behind a curtain of anonymity when distributing malware. To combat this, Google is introducing a major change that pulls back that curtain, making it harder for malicious actors to distribute harmful apps.

What’s changing for apps distributed outside the Play Store?​

Today, Google announced it is introducing a new “developer verification requirement” for all apps installed on Android devices, regardless of source. The company wants to verify the identity of all developers who distribute apps on Android, even if those apps aren’t on the Play Store. According to Google, this adds a “crucial layer of accountability to the ecosystem” and is designed to “protect users from malware and financial fraud.” Only users with “certified” Android devices — meaning those that ship with the Play Store, Play Services, and other Google Mobile Services (GMS) apps — will block apps from unverified developers from being installed.
Google says it will only verify the identity of developers, not check the contents of their apps or their origin. However, it’s worth noting that Google Play Protect, the malware scanning service integrated into the Play Store, already scans all installed apps regardless of where they came from. Thus, the new requirement doesn’t prevent malicious apps from reaching users, but it does make it harder for their developers to remain anonymous. Google likens this new requirement to ID checks at the airport, which verify the identity of travelers but not whether they’re carrying anything dangerous.

What information will developers need to submit to Google, and how?​

Developers who distribute apps outside the Play Store will need to verify their identity through the new Android Developer Console that Google is currently building. This is equivalent to the Google Play Console that Play Store developers currently use, but Google says it will provide a simpler, more streamlined verification process.

Like the Google Play Console, the Android Developer Console will ask developers to provide their legal name, address, email, and phone number. (Organizations will additionally need to provide their website and a D-U-N-S number.) On Google Play, this information is shown to users on Play Store listings, but Google told Android Authority that the information developers provide to Google through the Android Developer Console “will not be surfaced to users.”

Many hobbyist and student developers already complain about this requirement on Google Play, as it essentially forces them to reveal their personal information unless they set up a business address, so it’s good to see that Android won’t dox them. Google says it understands the needs of hobbyist and student developers are “different from commercial developers” and is therefore creating a “separate type of Android Developer Console account” for them. This separate account type will have “fewer verification requirements” and won’t require the $25 USD registration fee that is otherwise required.

Speaking of which, developers only need to create a separate Android Developer Console account if they don’t plan on distributing any of their apps on Google Play. Developers with existing Google Play Console accounts can use them to register their non-Play apps and signing keys.

When will Google’s new developer verification requirements go into effect?​

This new requirement won’t go into effect immediately but will be implemented in phases. An early access program will open in October 2025, allowing developers to participate in discussions, receive priority support, and offer feedback. The program will then open to all developers in March 2026, a full six months before the requirements begin.
The requirements will first go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. At that point, any app a user in those countries installs must come from a verified developer. Google is targeting these regions for the initial rollout as they’re “specifically impacted” by fraudulent app scams often committed by “repeat perpetrators.” A global rollout is planned to continue through 2027.

Once the requirement is active, developers can still distribute their apps outside the Google Play Store, but they’ll be held more accountable. This will certainly upset some privacy-conscious developers who don’t want to submit their personal information to Google, and it will also alarm some users who worry that Google is locking down Android too much. Still, with Google’s own analysis finding 50 times more malware from internet-sideloaded sources than from the Play Store, it’s hard to argue this change won’t do some good. However, the true effectiveness of the new requirements won’t be known until they are fully implemented.

Google’s new requirement is similar to Apple’s Developer ID and Gatekeeper model on macOS, which has successfully stopped less sophisticated attacks. Even a small reduction in malware on Android would be a positive outcome, but whether it’s worth the loss of developer anonymity is up for debate.
 
YoRHa No. 2 Type B said:
If you have a non-Google build of Android on your phone, none of this applies.
Click to expand...
MicroGdeities WON! LineageOSG-Ds WON!
For now at least.
But Google has been slowly locking down android more and more throughout the past few years. If Android continues to go in this direction, I will stick with an old version of Android or try to find an alternative OS, as opposed to install any new version of Android.
Also, has anyone actually installed one of the malware apps that Google is reasoning this change with? I know some pretty stupid people that use Android, and even they have never installed anything like that on their phones.
 
⚞⛇⚟ said:
MicroGdeities WON! LineageOSG-Ds WON!
For now at least.
But Google has been slowly locking down android more and more throughout the past few years. If Android continues to go in this direction, I will stick with an old version of Android or try to find an alternative OS, as opposed to install any new version of Android.
Also, has anyone actually installed one of the malware apps that Google is reasoning this change with? I know some pretty stupid people that use Android, and even they have never installed anything like that on their phones.
Click to expand...
We're getting squeezed from both sides. The Integrity API makes running corporate apps like banking apps more difficult on alternative OSes like Graphene and Lineage and Developer Verification makes running sideloaded apps impossible or more difficult depending on the implementation.

The malware apps are mostly a third world thing. That's why Google is piloting this in Brazil and Indonesia among some other countries.
 
So if I understand this sideloading thing correctly this is just third party apps not through the gaynigger app store?

And yeah google has never been a fan of not getting the protection money to display apps on the app store with the 50 warnings that always appear when you install an apk you downloaded.
 
If anyone has a vulnerable phone/iPad/whatever, install this right now. It allows you to sideload anything with no restrictions. However, it does mean that you should be careful with the IPAs you install as they can contain malware.
 
sky switch krank sauce! said:
If anyone has a vulnerable phone/iPad/whatever, install this right now. It allows you to sideload anything with no restrictions. However, it does mean that you should be careful with the IPAs you install as they can contain malware.
Click to expand...

"Supported versions: 14.0 beta 2 - 16.6.1, 16.7 RC (20H18.), 17.0"

You'd have to be intentionally not updating to have a device capable of Trollstore (2) at this point, 17.0 was released in 2023 I believe. iOS has no way to revert updates nor update to a specific version that's not the latest.

I use it and it's really convenient but I'm already feeling the poor app capability of an old OS version. There's workarounds for some apps.

https://t.me/ipaomtk this is the telegram group I follow that hustles shared signing certificates for whenever I end up updating. Their website is ad infested garbage that I had to turn the adblock filters on Orion to max to be able to navigate but the TG group seems legit. There was just an event(?)that disabled tons of certs and they went through and made good on their replacement warranty. It's between $5-$15 a year depending on how fast you want it.

If you want a sure thing there's always getting your very own dev cert from Apple for 99$/year (~8$/month)
 
I heard there is an iOS software to run Android apk files
What about NewPipe btw? The only issue is that it doesn't load videos with age restrictions and do things that need being logged in the YouTube in general
 
Marcuseh said:
Don't you have to dox yourself to get a dev account?
Click to expand...
Yes, but... If you're using it for your everyday cell phone then you're already doxed to Apple.

Generally it makes more sense to buy into a shared cert though and there are more payment options for those.
 
You must log in or register to reply here.
Back
Top Bottom