Fortnite and the Dangers of Sideloading. Unlike apps from the Apple App Store (unless jailbroken), Android apps can be installed by other means aside from Google Play. They can be installed from other ‘app stores’ or can be directly installed on Android devices through the process of sideloading where the apps can be downloaded directly from the developers’ websites and saved on the devices or onto MicroSD cards and loaded from there.
This is the route that the developers of the highly popular game Fortnite, Epic Games, took and didn’t release their game via Google Play. Because of the popularity of Fortnite and the innate dangers of sideloading, Google warns that there could be disastrous effects for doing this.
Earlier, Epic Games announced that they won’t be distributing the Android version of their game at the Google Play Store which has been considered an unwise move. Ditching the walled garden approach and going back to the old way of installing things like in Windows forgoes the additional layer of walled garden security.
Though it can be debated that neither Apple or Google actively curate the millions of apps on their respective app stores and have time for the hundreds more that come in every day.
Epic’s motivations to not release Fortnite on Google Play include a more direct relationship with their customers and not to pay Google their 30 percent. They don’t have much of a choice with iOS but given Google’s more open nature, they decided to skip the latter. Kind of greedy on Epic’s part but…
Epic wants to have a direct relationship with our customers on all platforms where that’s possible… The great thing about the Internet and the digital revolution is that this is possible, now that physical storefronts and middlemen distributors are no longer required… 30 percent is disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service…
–Tim Sweeney, CEO, Epic Games, Email to The Verge
Now Google might have sour grapes on this but the company continues on its job at monitoring security threats from its own products or otherwise. For one thing, Google warns players that it indeed doesn’t have Fortnite: Battle Royale in Google Play. Players should be careful not to download fake Fortnite apps that are actually malware.
So much for walled garden curating as there are thousands of fake and low quality apps within Google Play that include fake battery monitors and me-too apps that coast on the popularity of the mainstream; much like putting a dash (-) between Spider and Man to escape copyright problems.
Another seemingly sour grape reaction, and one that everyone interested in Fortnite needs to take seriously, is that Google’s security researchers evaluated Epic’s Android Fortnite Installer and found a serious security flaw, and much to Epic Games’ dismay disclosed it publicly.
So instead of the Fortnite APK, attackers could punch through the security hole to manipulate the installation process and install something else. Fornite’s popularity makes it an attractive candidate to become a vector for malicious attacks. Installers in the wild, not directly downloaded from Epic’s site can also be manipulated much like any other pirated app installer.
So there are no hard feelings, Google demonstrated a proof-of-concept that the installer is indeed vulnerable via the man-in-the-disk method that allow malicious apps to manipulate the data of other apps held in the unprotected external storage before the data is read, allowing for the installation of malicious apps instead of the real app or its updates.
Google doesn’t recommend sideloading since any app on a device with the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace installation file with another malicious APK, possibly including full permissions to SMS, call history, GPS, and others.
Epic Games acknowledged the problem, fixed it and thanked Google for their efforts but criticized the company at the same time via Twitter.
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points… But why the rapid public release of technical details? That does nothing but give hackers a chance to target unpatched users
–Tim Sweeney, Twitter
Fortnite players need to update their Android installers to the new version or they’ll have more than zombies to worry about.