Fortnite’s Accidental Revelation of Android’s Security Weakness
Fornite singlehandedly exposed Android’s greatest security weakness, a trait which also makes it the most flexible mobile platform in the world today. Unlike the iOS platform and the then former Windows Phone OS, Android is the only mobile platform that allows apps to be installed without using the official Appstore, also known as sideloading.
With profitability in-mind, Epic Games, the publisher, and developer of Fortnite Battle Royale has chosen not to use the Android’s official repository for apps, the Google PlayStore. But instead, instruct users how to download and sideload the Fortnite .apk file from their beta testing email sign-up.
Aside from this, Epic Games has deliberately chosen to develop the Android Fortnite app to target API 21 and 22, also known as Android Lollipop 5.0 to 5.1.1. Android Lollipop is the latest version of Android that does not have permission systems exposed to the end-user. That means upon sideloading of the Fortnite app; it automatically receives all the permissions Epic Games wanted and users grant them all upon installation. It was Marshmallow and later that implemented a strict permission system on Android, that helps keep the devices secure by making sure unneeded permissions are not granted to an app.
“Epic wants to have a direct relationship with our customers on all platforms where that’s possible. The great thing about the Internet and the digital revolution is that this is possible, now that physical storefronts and middlemen distributors are no longer required. The 30 percent store tax is a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games. 30 percent is disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service. We’re confident Android will be similarly successful. Most importantly, mobile operating systems increasingly provide robust, permissions-based security, enabling users to choose what each app is allowed to do: save files; access the microphone; access your contacts. In our view, this is the way all computer and smartphone platforms should provide security, rather than entrusting one monopoly app store as the arbiter of what software users are allowed to obtain,” explained Tim Sweeney, CEO of Epic Games.
From Google’s point-of-view, they have to protect their users from downloading fake apps calling themselves Fortnite in the Google Play Store. Hence, in order to mitigate the risks of fake apps causing trouble for their users, they published the warning: “Fortnite Battle Royal by Epic Games, Inc is not available on Google Play” when a user searches Google Play using the keyword Fortnite. Incidents of fake apps were published in Google Play store in the past, as the vouching process is much more lenient than what Apple applies for the iOS App Store.
Aside from the regular vouching process, Google also initiates the Google Play Protect program. Play Protect is Google’s answer to Android malware, as it is an automatically updated antimalware scheme built-in with the Google Play store. It uses compatibility API’s to be compatible even with Ice Cream Sandwich (Android 4.0). It scans apps before it gets installed by Google Play store, something that isn’t actively available when the app is sideloaded.
Kevin Jones743 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.