Cybercriminals have just been given yet another route to get malicious software (malware) onto your personal mobile devices. The hugely popular video game Fortnite has become one of the first major apps to bypass official app stores and encourage users to download its software directly.
In doing so, it’s also bypassing the security protections of the app stores and chipping away at a system that has worked reasonably well at keeping malware off people’s phones and tablets. And we’re already starting to see the dangerous results of this, as Fortnite’s installation method created a security vulnerability that may have opened up some users’ devices to hacking.
Fortnite’s maker, Epic Games, shocked the industry when it announced at the start of August that it would release the app directly to consumers instead of through the official Google Play store (although it’s still available through Apple’s App Store). The firm said this was to create a direct relationship with customers instead of depending on middlemen distributors. Google takes 30% of the money paid for any app or in-app purchase in the Play store.
This goes even further than the likes of Netflix, which recently confirmed it was testing a bypass of Apple’s iTunes billing system in 33 markets worldwide. This meant that some subscribers would be unable to pay using iTunes and instead would have to complete payments via Netflix’s website, reducing their engagement with the official Apple store.
Current estimates suggest that in the first half of 2018, users of the Apple App Store and the Google Play Store spent a combined US$34.4 billion on mobile apps and games. These official stores still represent the first port-of-call for millions of mobile users, and in return they have come to expect trustworthy, vetted, malware-free, high-quality apps.
The issue with attempts to bypass official stores is that they contradict recommended security best practice. Engaging with these stores is highly endorsed because of the added protection they offer. Apple, for instance, has a set of detailed guidelines that app submissions are checked against. Similarly, Google has a series of automated and manual techniques to vet apps.
Directing users away from these stores means less protection. And even worse, it stands to encourage a wider behaviour change. It sends the message to users that official app stores are no longer the primary trusted way to engage with apps.
Industry research has validated the importance of this advice time and time again, by revealing that third-party app sources – particularly on the Android platform – are often plagued with malware and can expose users and their data to a variety of security and privacy risks. According to the 2018 Symantec Threat Report, the vast majority (99.9%) of discovered mobile malware was found in third-party app stores. This doesn’t mean that official stores are free from malware but they do have the advantage of another set of specialists checking apps for potential problems.
As such, direct downloads create a substantially greater security risk. A perfect example of this was revealed recently when Google discovered a severe security vulnerability in the Fortnite installation process. This essentially made it possible for malicious apps to download and install anything on a user’s device without their permission – a cyber-security nightmare. Although Epic Games has since released a fix, it is very likely that many users have yet to install it, which means they may still be vulnerable.
Eroding good habits
A more long-term impact of the shift to direct downloads and engagement is the potential erosion of best security practice. For years, security awareness campaigns and guidance have emphasised the importance of sourcing apps only from official stores. This has been a difficult (yet crucial) task as security awareness campaigns are hard to get right, actually changing people’s behaviour is even harder, and attackers are constantly updating their tricks.
Encouraging or redirecting users away from traditional channels may well undo some of these ingrained secure habits. For example, the Fortnite installation process requires gamers to enable installations from unknown apps. But doing so puts users at higher risk. A user would need to navigate to this setting later to disable third-party installations as it does not reset automatically.
If more large app developers bypass the official stores in this way, it will almost certainly have an impact on people’s broader behaviours. This could result in the belief that trusted sources of apps are no longer necessary and that disabling protective security measures isn’t a problem. What’s more, it could create a higher temptation to look to third-party app stores for new apps or better deals – app channels that are, as mentioned, unfortunately infested with malware.
The ultimate result of these actions will be further malware infections and a higher compromise in privacy and security. Ordinary users will pay the costs of app developers’ desire to avoid the regulations and fees of the official stores.
Jason Nurse does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.