
Fortnite on mobile is a hit - but is it safe on Android?

Fortnite LTM: Blitz

Like fidget spinners and Snapchat before it, Fortnite is not only the world’s most popular game, it’s also the faddiest. Millions of teenagers have leaped onto the free, accessible and fun shooter, thanks in turn to its launch on almost every single modern game-playing device on the planet. That was, of course, omitting Android, with its 2 billion users and arguably the largest install base. Unlike its quick launches onto similar ARM-based mobile platforms, the Nintendo Switch and iOS, Android was instead the wallflower at the dance, gazing longingly at its happy peers as they built walls and rode in shopping trolleys.

Epic Games, the self-publishing developers of Fortnite, were quiet about the release, releasing no information until rumours began swelling that it would be a Samsung exclusive. It wasn’t long after this rumour that other, much more egregious, rumours would circulate about Epic’s plan to circumvent the Google Play store to avoid the 30% cut that Google takes from developers to reach users, provide bandwidth and security checks. This was confirmed a couple of weeks later after a user found media embedded in an Epic site that alerted users that they would have to make security modifications to their devices. So, after Tim Sweeney, the CEO of Epic Games, argued on Twitter in favour of his decision, I asked a question of my own.

The preceding thread detailed a discussion regarding my concerns about user security within an increasingly murky environment where access to user accounts, their data and their financial details are readily and easily phished and sold. Tim’s argument largely centred around the fundamental freedoms of open platforms, such as Windows, where Epic have largely built their reputation, and to pioneer a breakaway from the confines of monopoly app stores, such as those on the other platforms that Fortnite can, arguably, credit as part of the reason for its phenomenal success.

It must be noted that Tim has a strong point here – open platforms offer consumers more options thanks to competitive marketplaces. Windows is largely the dominant platform for applications and games thanks to its legacy ease in development, lack of restrictions on default third party application installs and so on. But at the same time, Windows has paid a heavy price for that same freedom, with thousands of holes allowing millions of exploits, malware, viruses, worms and so on. It wasn’t until the most recent versions that the culmination of over 20-plus years of incremental, increasingly mandatory security changes stemmed the flow of attacks.

Android, in many ways, is even “freer” than Windows, thanks to its open source base providing easy access to exploit farming, plus Google’s laissez-faire attitude to forking, skinning, and mandatory security updates. This means that users are spread widely across 10 different versions of Android, with a whopping 50% still using software between 2 and 5 years old. The only defence against this security nightmare is Google’s increasing power over the Google Play Services API, which is required to load the Google Play store alongside a host of other Google services.

But before you all gather your pitchforks to hound me on Twitter, let me make a note that I agree, wholeheartedly, that Google’s cut is arguably far too high for what they are providing developers in return. The same case applies with almost every other store – from Steam to Origin, GOG to PlayStation – the owner controls the platform. But at the same time, there isn’t anything intrinsically wrong with this, as those owners have spent money to build vast audiences and boost visibility to titles that would have normally not been visible at all. It feels like in this case that Epic, happy to have used the boosting of other platforms where app stores are monopolies, were keen to utilise their vast popularity to bypass Google.

Once again, there is nothing wrong with this on the surface. Android allows the sideloading of apps by design. But the problem here is that on the clear majority of devices older than about 10 months, “sideloading” apps (downloading them directly from the open web onto the phone) requires disabling Android’s single biggest security function. That is already risky in the hands of an experienced user, but when millions of users are simply clamouring to get their hands on the hottest game around, security is always a massive afterthought.

Sideloading is one of the easiest ways to attack an Android device, opening it up to the world. Where this function once prevented *any* non-Google Play Store app from running on the devices, now anything packaged in the .apk format is ripe. Any existing app, including web browsers or other existing applications, is then given permission to extract and run .apk packages – it’s basically like logging into Windows as an admin and turning off that install prompt. Epic’s decision will simply push phishers and the like to advertise and push software at Fortnite users that offers freebies, cheats, and so forth to infect devices.

To combat these concerns, the Fortnite Installer .apk sends up a notification that, once tapped, pushes users back to the tab where they enabled sideloading so they can turn the protection back on. But it’s likely that by this point most users will be updating the game or playing it and will just swipe the notification away, either to do it later or because they simply don’t care. There is no mandatory guideline that this option is activated for the game to run. Tim mentions that Google Play Store is “security theatre”, and in some cases, he’s right. Google’s own store has been caught hosting dodgy apps dozens of times, and as a result, it now more heavily screens new apps and runs constant checks to ensure updates don’t sneak in rogue code.

But Epic simply shifting the blame to Google for its early security faults and praising its more recent efforts is beside the point. Many pre-Oreo phones will run this software without turning safeguards back on, and users with Oreo and Pie will simply leave Chrome open to loading apps. Sure, this isn’t system wide, but it also opens a huge exploitable hole that wasn’t there before. Google can’t rewrite the past and fix security problems on a billion phones with a single action, but Epic sure can avoid being the bad guy for millions of users by playing by the same rules as everyone else.