How to Update Android Apps Safely (Including Sideloaded APKs)

By The ApkcortJuly 12, 202614 min read
How to Update Android Apps Safely (Including Sideloaded APKs) — The Apkcort

If you want to know how to update Android apps without creating problems for yourself, the answer is straightforward: let the Play Store handle everything it can, on Wi-Fi, automatically, and treat sideloaded apps as a manual job you own. Updates are not optional maintenance — they are the main way security holes get closed on a phone, and they matter far more than any antivirus app you could install. The complications only start when an app came from outside the store, because then nothing updates it but you, and a wrong move at that point can replace a good app with a hostile one. It is the Android guide of The Apkcort.

Why updates matter more than security apps

People buy antivirus for their phones and leave forty apps three versions behind. That is precisely the wrong way round.

The realistic threat to an ordinary Android user is not an exotic virus. It is a known vulnerability in a library that a lot of apps happen to bundle — an image parser, a media codec, a networking component — that was disclosed publicly, patched by the maintainer, and then shipped to you in an app update you have not installed. The exploit is documented. The fix exists. The only thing between you and it is a button you have not pressed.

An antivirus app cannot fix a vulnerable library inside another app. It can scan for known malicious packages, which Play Protect already does. An update replaces the vulnerable code with fixed code. That is a categorical difference, and it is why the single most valuable security habit on Android is keeping things current — both the operating system and the apps. If you want the fuller argument, we set it out in the best Android security apps, where the conclusion for most people is that the update mechanism is the security app.

How Play Store updates should be configured

Open the Play Store, tap your profile picture, go to Settings, then Network preferences, then Auto-update apps. You get three choices.

Over any network updates whenever, including on mobile data. If you have unlimited data and a good signal, this is the safest option because it minimises the window in which you are running unpatched code. If you are on a metered plan, it will cost you.

Over Wi-Fi only is the correct setting for almost everyone. Updates arrive when you are at home or at work, cost nothing, and typically install overnight while charging.

Don’t auto-update apps is the wrong answer for the vast majority of people. The usual justification — “I want to control what changes” — is fine in principle and catastrophic in practice, because nobody actually goes and checks manually every week. The people who choose this setting end up with everything out of date. If you genuinely want control, use per-app auto-update instead: in the Play Store, open the app’s listing, tap the three-dot menu, and untick Enable auto-update for just that one app. Now everything else stays current and the one app you care about waits for you.

Check for updates manually now and then

Auto-update is not instant. It runs when conditions suit, and Google rolls updates out in stages, so an app can sit on an old version for days. Once a fortnight, open the Play Store, tap your profile, then Manage apps and device, then Update all. It takes ten seconds. If a serious vulnerability is in the news, do it that day.

Do not forget the system itself

App updates are only half of it. Settings, then System, then System update, gets you the operating system and, crucially, the monthly Android security patch. Also check Settings, Security, then Google Play system update — this is Project Mainline, which lets Google push core system component fixes without a full OS update, and it is one of the more useful things Android has done in the last decade. A phone that no longer receives security patches at all is a phone approaching the end of its safe life, however well it still runs.

What actually happens during an update

Understanding the mechanism makes the sideloading rules obvious rather than arbitrary.

Every Android app is cryptographically signed by its developer with a private key. When Android installs an app, it records that signature. When an update arrives, Android checks that the new package is signed with the same key. If it is, the update proceeds and the app keeps its data, its permissions and its identity. If it is not, the install is refused with a signature mismatch error.

This is a very good security property. It means nobody can push a malicious update to an app you already have unless they hold the developer’s signing key. It is also the reason for two of the most common sideloading headaches, which we will come to.

Modern Play Store updates are usually delivered as compressed deltas rather than the full app, and increasingly as Android App Bundles, where Google generates a package tailored to your specific device and re-signs it with a key Google holds on the developer’s behalf. That last detail matters when comparing store apps to APK files, and we go into it in APK vs Play Store.

Updating sideloaded apps: the part that goes wrong

If you installed an app from an APK file rather than a store, nothing will ever update it. There is no update channel. The app will sit at the version you installed forever, quietly accumulating unpatched vulnerabilities, unless you go and get a new APK and install it over the top.

That is the core problem with sideloading, and it is more serious than most people realise. It is not just that the initial file might be dangerous — it is that even a perfectly clean APK becomes a liability over time. An app you sideloaded three years ago is running three years of unpatched code with all the permissions you granted it.

The safe procedure

If you are going to maintain sideloaded apps, do it properly.

Go back to the same source you originally used, and make sure it is the right one. The correct source is the developer’s own website or their official releases page, or a repository like F-Droid that builds from source, or a reputable mirror that hosts unmodified store packages and publishes signature hashes. Do not search for “app name latest APK” and click the first result. That is exactly how people end up with repackaged malware, as covered in how to spot a fake APK.

Verify the signature before you install, if you can. The point of a signature check is that it proves the new file came from the same developer as the old one. If the source publishes a SHA-256 hash or a signing certificate fingerprint, compare it. On a phone this is fiddly; a few open-source app managers will show you the signing certificate of both the installed app and the APK you are about to install, and that comparison is the single most valuable check you can perform.

Install over the top, do not uninstall first. If you install a legitimate update over the existing app, your data is preserved. If you uninstall first, you lose the app’s data — logins, settings, saved content — and you also lose the signature check, because there is nothing left to compare against. Keeping the old app installed means Android will refuse the new file if it is signed by someone else, which is a free integrity check you should not throw away.

If you get a signature mismatch, stop. The error message will say something like “App not installed” or “package conflicts with an existing package”. People respond to this by uninstalling the original and installing the new file, which “fixes” it. That is the worst possible response. A signature mismatch means the new APK was signed with a different key from the app you have. There are two explanations: either you have downloaded a repackaged, modified build from a different party — the common case — or the developer genuinely rotated their signing key, which is rare and normally announced. Assume the former. Uninstalling to force the install is you manually disabling the exact protection that just caught something.

The version-number trap

Android also refuses to install an APK with a lower version code than the one already installed. This is a downgrade protection, and it exists because old versions have known bugs. If you have a genuine reason to downgrade — an update broke a feature you need — you must uninstall and reinstall, and you will lose the app’s data. Back up first if the app supports export. And be aware that you are deliberately choosing to run known-vulnerable code, which is sometimes a reasonable trade and should always be a conscious one.

Store versus sideloaded: how updating compares

Aspect Play Store app F-Droid or official developer channel Random APK site
Who tells you an update exists The store, automatically The repository client, or the developer’s release notes Nobody. You have to remember
Who installs it The store, silently, in the background The client app, with a prompt You, manually, every time
Signature verification Enforced by the platform and the store Enforced by the platform; repository builds from source Enforced by the platform only if you install over the top
Risk of a repackaged build Low Low High — this is the primary Android malware vector
Typical time running unpatched Hours to days Days Months to years, in practice
Realistic recommendation Default for everything Good for open-source tools and region-locked apps Avoid unless you can verify the signature yourself

The “install unknown apps” permission, and why to turn it off again

To sideload anything, you must grant a specific app — usually your browser or file manager — permission to install packages. Android asks per-app, which is a good design: only the app you granted it to can trigger an install.

The mistake is leaving it on. Once your browser has permanent install permission, any drive-by download that you tap on can start an install flow. Turn the permission on when you deliberately need it, complete the install, then go straight to Settings, Apps, Special app access, Install unknown apps, and turn it back off. It takes fifteen seconds and it closes a door you have no reason to leave open. The mechanics are covered further in what is sideloading and how to install an APK safely.

When an update makes things worse

Updates are not universally good, and pretending otherwise is dishonest. Real things that happen:

The developer removes a feature or adds a subscription. This is increasingly common. An app you have used for years suddenly gates a core function behind a monthly fee. There is nothing to be done about it technically, and refusing to update means running vulnerable code indefinitely, which is a bad trade. The right response is to find a replacement app, not to freeze the old one forever.

The update introduces bugs. Rare but real. If an app updates and breaks, check the Play Store listing for other people reporting the same thing. Often a fix arrives within days.

The app is sold and the new owner changes the business model. This is the quiet one. A well-loved free app gets acquired, and three versions later it has an advertising SDK, an analytics SDK, and a permission request it never had before. Watch for permission changes on update — Android will prompt you for newly requested dangerous permissions, and that prompt is a signal worth reading rather than dismissing. Our guide to Android app permissions explained covers what each request implies.

The update is large and your storage is full. Updates need working space. A phone with under a gigabyte free will start failing installs with unhelpful errors. See how to free up storage on Android if that is happening to you.

Troubleshooting failed updates

“App not installed” on a sideloaded update

Almost always a signature mismatch or a downgrade attempt. Do not uninstall to force it. Verify the source first.

Play Store update stuck as pending

Check that you are not in Data Saver mode, that background data is allowed for the Play Store, and that you have free storage. Force-stopping the Play Store and clearing its cache resolves most stuck queues. Clearing the cache is safe; clearing the data will sign you out and is rarely necessary.

Update downloads then fails to install

Usually storage or a corrupted download. Clear the Play Store cache, free up a couple of gigabytes, and retry. If a specific app persistently fails, uninstalling and reinstalling from the store is safe because your data is usually backed up to your Google account.

An app updates and immediately crashes

Clear that app’s cache first. If it still crashes, clear its data — you will lose local settings but usually not cloud-synced content. If it still crashes, it is the developer’s bug and you should wait for the next release.

Before any risky update: back up

Most updates are uneventful. The ones that are not tend to be the ones where you also lose data — a forced uninstall to break a signature conflict, a corrupted install, an app that migrates its database badly. None of that is a disaster if you have a backup, and all of it is if you do not.

Google’s built-in backup covers app data for apps that opt in, plus contacts, photos if you use cloud backup, and settings. It does not cover everything, and it silently skips apps that have opted out. If you have an app holding data you cannot afford to lose — a password vault, a two-factor authenticator, a notes app, a game with local saves — export it manually and keep a copy off the phone. The full approach is in how to back up an Android phone, and the five minutes it takes is the cheapest insurance available.

Quick Reference: Update Do’s and Don’ts

  • Do set Play Store auto-update to “over Wi-Fi only” and leave it on, then manually tap Update all once a fortnight, because staged rollouts mean auto-update is not instant.
  • Do install sideloaded updates over the top of the existing app rather than uninstalling first, so that Android’s signature check can catch a repackaged build before it replaces the real one.
  • Don’t ever uninstall an app to get past an “App not installed” signature mismatch — that error is the platform telling you the new file was signed by a different party, and forcing it through defeats the whole protection.
  • Don’t leave “install unknown apps” enabled for your browser after you finish sideloading; switch it off immediately so a stray download cannot start an install.
  • Do check the monthly Android security patch level and the Google Play system update, not just app updates, and treat a phone that no longer receives patches as reaching the end of its safe life.

Frequently Asked Questions

Do sideloaded APKs update themselves automatically?

No. An app installed from an APK file has no update channel, so it stays at the version you installed indefinitely unless you manually download and install a newer one. This is the single biggest hidden cost of sideloading: even a clean, legitimate APK becomes a security liability over time as unpatched vulnerabilities accumulate in code that nothing is going to fix for you.

What does “App not installed” mean when I try to update an APK?

Usually one of two things: the new package is signed with a different key from the installed app, or its version code is lower than what you already have. The signature case is the important one, because it normally means the file is a repackaged build from someone other than the original developer. Do not uninstall the existing app to force the install through — find out where the file actually came from instead.

Is it safe to turn off automatic updates so apps do not change on me?

It is safer to disable auto-update for the specific app you are worried about, using the three-dot menu on its Play Store listing, and leave it on for everything else. Turning it off globally sounds like control and in practice means your entire phone drifts out of date, which is exactly the condition attackers rely on. The theoretical benefit of reviewing every update is only real if you actually do it.

Are app updates more important than installing an antivirus app?

Considerably. Antivirus scans for known malicious packages, which Play Protect already does on the device, whereas an update replaces vulnerable code with patched code inside apps you already trust. No scanner can fix a flawed library inside another app; only the developer’s update can. Keeping the OS and apps current is the highest-value security habit available, and it is free.

Can an update itself be malicious?

Through the Play Store, this is rare but not impossible — apps have been sold to new owners who then added tracking or worse in a later release. Through sideloading, it is a genuine and common risk, which is why the signature check matters so much. The practical defence is to watch for new permission requests on update, and to be suspicious of any app that suddenly wants access it never needed before.

Final Thoughts

Updating is the least glamorous part of owning an Android phone and it is the part that does the most for you. The correct configuration takes two minutes: auto-update on Wi-Fi, per-app exceptions where you really need them, a manual sweep every couple of weeks, and an eye on the system security patch level. Everything else in this guide is really about one thing — the moment you step outside the Play Store, you take over a job that was being done for you, and you have to do it properly. That means going back to the same trusted source, installing over the top so the signature check runs, and treating a mismatch error as a warning rather than an obstacle. Get that right and sideloading is a manageable risk. Get it wrong and you will one day install a file that looks exactly like the app you wanted, and behaves nothing like it.

Explore more honest Android guides, APK explainers and app reviews across The Apkcort.

Scroll to Top