Android - Why would I enable "Install Unknown Apps?"

Starting Android Oreo, sideloading (installing an app from a source other than Play Store) has actually became more secure.

Previously (Naugat or below), when you used to tick "Unknown Sources" option, it actually universally allowed all apk sources (Chrome, Amazon Appstore etc). Means, the system didn't care about the source of the apk file.

Now, you need to allow individual apps which can be set as source. And, don't worry: That allowed app won't be able to install apps in background. You will still need to hit Install button to install an app. So, no security compromises here. You'll just have peace of mind while hitting Install button. If you've allowed Amazon Appstore only, then you can be sure that you won't be installing a malicious apk which was downloaded in background by an advertiser app.

Android from early on represented an "open platform", and it helps to get a bit of context.

At time of its release the mobile platform was relatively unique with a developer toolchain that worked on Windows, Mac, and Linux. Every device could be put into 'developer mode' without the need to register the device with a central authorization server (see Apple's iOS and later Microsoft's Windows Phone).

Distribution of apps on non-smartphones was normally done on a per carrier basis and some of that behavior persisted through 2011 with AT&T removing "unknown sources" from their phones:

https://forums.att.com/t5/Android/quot-Unknown-Sources-quot/td-p/2814557

and carriers continue to bundle their own apps on devices sold on their network, i.e. bloatware.

Official developer documentation makes mention of alternative distribution:

https://developer.android.com/distribute/marketing-tools/alternative-distribution

As an open platform, Android offers choice. You can distribute your Android apps to users in any way you want, using any distribution approach or combination of approaches that meets your needs. From publishing in an app marketplace to serving your apps from a website or emailing them directly users, you’re never locked into any particular distribution platform.

So if you are a app developer, once you can afford the devices, you could in theory download the free developer tools, write the apps, test them, and deploy (corporate environment or a region unsupported by Google) without ever having to interact with Google in a official capacity.

Third party distribution apps include Amazon's App Store, Epic Games' Fortnite, and F-Droid (Open source apps).

With Android 8.0 fine grain install permissions were added so the end user now has the capability of blocking prior authorized apps without blocking others:

https://developer.android.com/studio/publish/#publishing-unknown

Android has been providing this feature for quite some time. They do not enable the feature by default because it bypasses some of the security principles of the operating system.

When you are installing from the Google Play Store you do not need this feature enabled. The Google Play Store will do various other security checks over the apps APK and make sure there are no blatant security holes.

One case for this is when you are backing up applications on your device. You can create backups of your apps for offline storage. Then you can install directly from that .apk file that you saved off later with this enabled. Or if you are a developer you can keep different versions available for easy installation later or to keep other versions of that software around.

Typically it is not advised to just turn some of this feature on and just go downloading .apk files found out on the web as they might not be kind. But there are hosting sites for apps out there. Turning this feature on, lets you download from those sources.

FortNite was a recent example of a game that was released outside the Google Play Store and you needed to turn this feature on and bypass security. The main reason is sound; Google takes 30% of the profits when you use their services. Due to the popularity of the game, Google decided to do a security audit of the servers for the game when it launched and brought to light several critical security loopholes in their system that would allow for silent installs of terrible apps as well as some other features that it was bypassing. Which I think was smart on Googles part because even though it wouldn't have been in their court to resolve the issue, fingers would have been pointing their way.