> For the complete documentation index, see [llms.txt](https://docs.talsec.app/appsec-articles/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.talsec.app/appsec-articles/glossary/sideloading/installation-sources-cookbook.md). # Installation Sources Cookbook This section provides a categorized reference of Android package names that the operating system may report as an installation source. You can use these reference tables to copy and paste exact package identifiers when configuring your RASP or Malware Detection trusted sources. {% hint style="info" %} **Android Configurations Only** * The following trusted source configurations apply exclusively to Android applications. * This topic is not relevant on iOS. {% endhint %} *** ## Configuring Trusted Sources The tables in the Cookbook below tell you which packages to trust. Where you register them depends on the product and tier:

Product	Free tier	Premium tier
RASP	`supportedAlternativeStores` in `TalsecConfig` (`supportedStores` on Flutter).	In the Supported Alternative Stores section in the Talsec Portal.
Malware Detection	`trustedInstallSources` in `SuspiciousAppDetectionConfig`.	`trustedInstallationSources` in the JSON payload for Malware Configuration API.

*** ## Official & OEM Stores These represent legitimate distribution channels. Add the stores relevant to your application's distribution strategy and target market to your trusted sources to prevent false positives.

Package Name	Store / Channel Name	Add to RASP?	Add to Malware Detection?	Notes
`com.android.vending`	Google Play	No, it's included	✅ Yes	Official Google app store for Android.
`com.huawei.appmarket`	Huawei AppGallery	No, it's included	✅ Yes	Official store for Huawei devices.
`com.sec.android.app.samsungapps`	Samsung Galaxy Store	✅ If targeting	✅ Yes	Official store for Samsung devices.
`com.xiaomi.mipicks`	Xiaomi GetApps	✅ If targeting	✅ Yes	Official store for Xiaomi / Redmi / POCO.
`com.xiaomi.market`	Xiaomi Market	✅ If targeting	✅ Yes	Official store for older/Chinese Xiaomi devices.
`com.oppo.market`	Oppo App Market	✅ If targeting	✅ Yes	Official store for Oppo devices.
`com.heytap.market`	HeyTap App Market	✅ If targeting	✅ Yes	Official store for Realme and newer Oppo.
`com.vivo.appstore`	Vivo App Store	✅ If targeting	✅ Yes	Official store for Vivo devices.
`com.bbk.appstore`	BBK / iQOO App Store	✅ If targeting	✅ Yes	Official store for Vivo / iQOO devices.
`com.meizu.mstore`	Meizu App Store	✅ If targeting	✅ Yes	Official store for Meizu devices.
`com.lenovo.leos.appstore`	Lenovo App Store	✅ If targeting	✅ Yes	Official store for Lenovo / Motorola devices.
`com.transsnet.store`	Transsion App Store	✅ If targeting	✅ Yes	Transsion ecosystem store, common on TECNO, Infinix, and itel devices.
`com.amazon.venezia`	Amazon Appstore	✅ If targeting	✅ Yes	Alternative store on standard Android.
`dev.firebase.appdistribution`	Firebase App Distribution	⚠️ Dev Only	⚠️ Dev Only	Trust only during internal testing phases. Strip from production builds.

*** ## System Package Installers These system components execute user-driven sideloads. {% hint style="danger" %} **Critical Security Risk** Adding any of the system installers below to your trusted sources effectively permits all manual sideloading (e.g., users tapping on an APK in their file manager). Doing so bypasses core security evaluations and is strongly discouraged in production environments. {% endhint %} | Package Name | Platform Context | Add to RASP? | Add to Malware? | | ------------------------------------- | ----------------------------------- | ------------ | --------------- | | `com.google.android.packageinstaller` | Default package installer. | ❌ No | ❌ No | | `com.android.packageinstaller` | Legacy alias for default installer. | ❌ No | ❌ No | | `com.sec.android.preloadinstaller` | Samsung's proprietary installer. | ❌ No | ❌ No | | `com.miui.packageinstaller` | MIUI / Xiaomi package installer. | ❌ No | ❌ No | | `com.android.shell` | Shell-initiated install (ADB). | ❌ No | ❌ No | *** ## Common Sideload Installers When a user manually installs an APK via another application on Android 11 or newer, the Talsec SDK reports that specific app as the installer. Adding these to your trusted sources would permit all apps installed via these specific channels.

Package Name	App / Service	Add to RASP?	Add to Malware?
`com.android.chrome`	Google Chrome	❌ No	❌ No
`org.telegram.messenger`	Telegram	❌ No	❌ No
`com.whatsapp`	WhatsApp	❌ No	❌ No
`com.dropbox.android`	Dropbox	❌ No	❌ No
`com.google.android.apps.nbu.files`	Files by Google	❌ No	❌ No
`com.apkpure.aegon`	APKPure (Unofficial store)	❌ No	❌ No
`cn.xender`	Xender — file sharing / transfer app.	❌ No	❌ No
`com.aurora.store`	Aurora Store — unofficial third-party Google Play client.	❌ No	❌ No
`com.gbox.android`	GBox — app virtualization environment that runs apps in an isolated container.	❌ No	❌ No

*** ## Cloners & Movers When apps are transferred to a new device using a cloner or migration tool, Talsec does not recognize the cloner as an official installation source. Apps that arrived this way are therefore evaluated as having an untrusted origin. {% hint style="warning" %} **Configuration Strategy for Migration Tools** By default, Talsec SDK treats cloner-installed apps as untrusted for both checks. Migration tools are a known vector for malware delivery — an attacker can inject modified apps into the migration payload, and the cloner becomes their attributed installer. Adding cloners to your trusted sources is only recommended if your specific threat model explicitly tolerates post-migration apps running without re-verification from an official store. For security-sensitive applications (banking, healthcare, enterprise), keep cloners out of both configurations. {% endhint %}

Package Name	App / Service	Add to RASP?	Add to Malware?
`com.miui.huanji`	Mi Mover (Xiaomi)	⚠️ Evaluate	⚠️ Evaluate
`com.xiaomi.midrop`	ShareMe (Xiaomi)	⚠️ Evaluate	⚠️ Evaluate
`com.miui.backup`	MIUI Backup (Xiaomi)	⚠️ Evaluate	⚠️ Evaluate
`com.hicloud.android.clone`	Phone Clone (Huawei)	⚠️ Evaluate	⚠️ Evaluate
`com.hihonor.android.clone`	Phone Clone (Honor)	⚠️ Evaluate	⚠️ Evaluate
`com.sec.android.easyMover`	Smart Switch (Samsung)	⚠️ Evaluate	⚠️ Evaluate
`com.coloros.backuprestore`	Clone Phone (Oppo)	⚠️ Evaluate	⚠️ Evaluate
`com.vivo.easyshare`	EasyShare (Vivo)	⚠️ Evaluate	⚠️ Evaluate
`com.oneplus.backuprestore`	Clone Phone (OnePlus)	⚠️ Evaluate	⚠️ Evaluate
`com.lenovo.anyshare.gps`	SHAREit (Lenovo)	⚠️ Evaluate	⚠️ Evaluate
`shareit.lite`	SHAREit Lite (Lenovo)	⚠️ Evaluate	⚠️ Evaluate

*** ## Talsec-Defined Markers for ADB and Unknown Sources When the Android OS cannot provide a valid installer package name, the Talsec SDK normalizes missing values into specific string markers. These are not actual Android package names, but you can include the exact strings below in your trusted installation sources just like standard package identifiers. {% hint style="warning" %} **Development Use Only** **Most integrations do not need this section.** Markers are intended for development, QA, and CI builds. They should never appear in your production trusted sources, as they would silently permit any app installed via ADB or from an undetermined source — including attacker-initiated sideloads. {% endhint %}

Marker String	Context	Add to RASP?	Add to Malware?	Notes
`adb`	Application installed via Android Debug Bridge (`adb install`).	⚠️ Dev Only	⚠️ Dev Only	Use only in development and CI builds. Never whitelist in production.
`unknown`	The OS could not determine the source.	⚠️ Dev Only	⚠️ Dev Only	Use only in development and CI builds. Never whitelist in production.

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.talsec.app/appsec-articles/glossary/sideloading/installation-sources-cookbook.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.