August 28, 2018 | By Kennon Bittick
Fortnite, the hugely popular multiplayer game from Epic Games, will not be published on the Google Play Store on Android. The move is likely meant to avoid the 30% cut that Google takes for hosting the app, but it has raised concerns in the security community about the game bypassing the controls of the Google Play Store.
IISP Analyst Kennon Bittick: "Because of Fortnite’s popularity, the Android version will certainly be installed by millions of people, most of whom have no expertise in security. The installation of the app away from the Google Play Store has a few security implications that are worth examining. Unlike Apple’s iOS, Android allows installation of applications away from the official app store. However, even on Android, this is disabled by default before version 8.0 (released August 2017). For example, to enable it on my phone, I had to go to the security settings and toggle 'Unknown sources – allow the installation of apps from unknown sources.' This presented me with the message: 'Your phone and personal data are more vulnerable to attack by apps from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these apps.' Once this option is toggled, the application can be downloaded and installed. As stated in the warning, however, this option allows malicious applications to be downloaded by a careless user.
On Android 8.0 and later, instead of having a global option to allow untrusted applications, each application can request the 'Install unknown apps' permission. On newer phones, this means that the Fortnite application can be installed without toggling the potentially unsafe global option. However, even this is prone to errors. Google researchers almost immediately discovered a flaw that would allow other applications on the phone to leverage the Fortnite installer application, which was granted the 'Install unknown apps' permission, to silently install other apps with arbitrary permissions. Although Epic Games quickly updated the Fortnite installer to fix the issue, Google pointed out in the bug report that this issue would not have happened if Epic Games had used the Google Play Store in the first place.
The security versus openness tradeoff is very clear here. Traditionally, desktop operating systems did not manage user applications in any way. However, taking inspiration from the package managers of popular Linux distributions, most modern systems provide an official installation channel: the Microsoft Store of Windows 10, the App Store of Mac OS and iOS, the Google Play Store of Android, and the package managers of Linux. The maintainers of these review the submissions and, at least in theory, block malicious applications. Users downloading applications from the managed stores can have some assurance that the software they are downloading is safe. However, this also limits the applications that users are allowed to download to those curated by the maintainer of the storefront or package manager. Alternative stores like F-Droid on Android and Cydia on iOS speak to the desire of some users to install software from non-curated channels, and certainly those following the hacker ethos prefer an open environment without management by a third party. As mobile computing continues to evolve and replace traditional computing for many users, the trade-off between the security of walled garden platforms and the freedom of open platforms will be a frequent issue."
For further reading
- The Guardian: https://www.theguardian.com/games/2018/aug/06/fortnite-is-coming-to-android-phones-but-not-through-google-play
- The Verge: https://www.theverge.com/2018/8/13/17683646/fortnite-android-how-to-install-epic-games-google-play-store-beta-invite
- ZDNet: https://www.zdnet.com/article/android-oreo-google-has-just-made-app-installs-from-unknown-sources-a-lot-safer/
- CNET: https://www.cnet.com/news/just-as-critics-feared-fortnite-for-android-came-with-an-epic-security-risk/
- Google Issue Tracker: https://issuetracker.google.com/issues/112630336