Fortnite Android app sparks security concerns
By Jason Bayton
If you follow Fortnite, a game taking the world by storm at the moment, you may have heard of Epic Games’ decision to bypass the Google Play Store when it launches on Android in the near future in an attempt to save the 30% Google Play takes from all Google Play applications and in-app purchases (as a free app, this is where Fortnite generates all of its money).
There’s a reason this is causing a greater stir across the industry; it encourages the use of unknown sources, a means for installing applications sourced from literally anywhere outside of the official Play Store.
While there are legitimate use-cases for this approach to application installation, it’s also very risky; current statistics suggest you are ~80x more likely to install a Potentially Harmful Application (PHA) from a third party versus going through the Play Store, and with over 100 versions of Fortnite already available on the internet (excluding leaks), it’s not unreasonable to expect people will grab the wrong one.
It only takes one PHA abusing the Android permissions model to gain device administrator privileges on a device, and what the app does from there can extend to anything from collecting data, recording the screen and obtaining confidential information to, as happened with DoubleLocker not too long ago, locking users out of their devices entirely. These are not scenarios organisations want to manage.
Even Epic Games’ stance on this, which is to shift the responsibility entirely on to users to ensure they’re downloading the raw APK file from the official source, falls flat when you consider how often websites are compromised and downloads are replaced with spiked versions.
Q. “Does Epic’s release strategy put customers at risk, since they might not be able to tell the difference between real and fake?”
A. “You should look carefully at the source of software you’re installing, and only install software from sources you trust.” [Epic Games]
By contrast, and due to the way the iOS ecosystem has been built, this flagrant disregard for security and best practices is extremely difficult to replicate on iOS, and is certainly too complex for the average end-user. Epic are therefore not attempting this approach for their iOS release, opting to use the App Store as normal. It is the openness of the Android platform that is enabling this ill-advised method of app distribution.
Unfortunately for organisations, Fortnite will find its way onto corporate devices, either the official version or a PHA. There are however steps to take to avoid this becoming a problem that apply to all scenarios where an APK is obtained from the wider internet.
Unknown sources is far more likely to be permitted on legacy, device administrator-based Android enrolments, because some UEM solutions require this functionality during and after enrolment. This method of management is however also likely to be far more susceptible to PHAs, given the limited (or non-existent) data and app isolation it provides, increasing the likelihood of data leakage.
For organisations managing Android devices today, unknown sources should be disabled. How that is implemented will undoubtedly require consideration so as not to disrupt the enrolment and management process for legacy deployments; however, this is a consideration that will quickly disappear as organisations migrate to Android Enterprise.
For devices already managed using Android Enterprise, those under corporate ownership (COPE, COBO, COSU) will likely have unknown sources disabled by default as it is not normally required.
Personally owned (BYOD) devices currently don’t have a means to disable unknown sources on the personal side, as management is mostly confined to the work profile. This isn’t such a concern however, as applications and data in the work profile are entirely isolated from the personal profile and, as of Oreo, also separately encrypted on disk.
In any case, ensuring USB debugging is restricted and a device passcode (perhaps even a work profile passcode also) is enforced on BYO devices will go some way towards shoring up device security; these are reasonable tradeoffs for end-users who want to access corporate resources via their own devices.
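To show what the three controls above look like when a UEM’s device policy controller (DPC) applies them, here is an added example written against the Android Enterprise DevicePolicyManager API. It is not code from the post or from any UEM vendor. It assumes the calling app is already device owner (COPE, COBO, COSU) or profile owner (BYOD work profile), that `admin` is that app’s DeviceAdminReceiver component, and the class name, the six-digit minimum and the numeric-complex quality are illustrative choices rather than figures from the post.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Applies the baseline controls discussed in the post via DevicePolicyManager (added example). */
public final class BaselineHardening {

    // Example value chosen for this illustration, not a recommendation from the post.
    private static final int MIN_PASSCODE_LENGTH = 6;

    private BaselineHardening() {}

    /**
     * @param ctx   any Context belonging to the DPC app
     * @param admin the DPC's DeviceAdminReceiver component; the app is assumed to already
     *              be device owner (corporate devices) or profile owner (BYOD work profile)
     */
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        String self = ctx.getPackageName();
        boolean profileOwnerOnly = dpm.isProfileOwnerApp(self) && !dpm.isDeviceOwnerApp(self);

        // 1. Unknown sources. As device owner this restriction covers the whole device; as
        //    profile owner it covers the work profile only, which is exactly the BYOD
        //    limitation the post describes: the personal side stays out of reach.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // 2. Debugging features. On the primary user this disables USB debugging outright;
        //    set by a profile owner it blocks adb access to the work profile's data.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);

        // 3. Passcode. From a profile owner these calls govern the separate work challenge.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, MIN_PASSCODE_LENGTH);

        //    The device-wide passcode on a BYOD device is reached through the parent profile
        //    instance (available from API 24), so both passcodes end up enforced.
        if (profileOwnerOnly && Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            DevicePolicyManager parent = dpm.getParentProfileInstance(admin);
            parent.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
            parent.setPasswordMinimumLength(admin, MIN_PASSCODE_LENGTH);
        }
    }

    /** True when both user restrictions are in force for the calling user or profile. */
    public static boolean isApplied(Context ctx) {
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        return um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)
                && um.hasUserRestriction(UserManager.DISALLOW_DEBUGGING_FEATURES);
    }
}
```

`isApplied` is the check worth wiring into a compliance report: a restriction that was never applied (for example on a legacy device administrator enrolment, where `addUserRestriction` is unavailable) shows up as a device that still permits unknown sources rather than silently passing.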
For corporate devices, even those allowing personal use, the likes of Fortnite and other games may not be considered work-friendly and therefore not allowed. To make this easier to enforce, organisations can add Fortnite to their UEM application blacklists, preventing installation or marking devices as out of compliance if already installed.
Here are the two package names circulating online related to Fortnite:
Blocking both should help to prevent installation or, depending on how compliance policies are set, prevent access to corporate resources until the user removes the app from the device.
Note: This will not have any impact on Android Enterprise BYOD deployments as application lists are not enforced on the personal side, nor are personally installed applications visible to the UEM server. Read on for more options.
Should a PHA find its way onto a corporate device and start doing nefarious things, it’s a good idea to have a means for automated monitoring keeping tabs on device health across the Android estate.
Ensure compliance policies are monitoring things like compromised state (root) and when the devices last checked in, as being able to see when devices aren’t behaving as expected can alert administrators and help in finding the root cause.
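To give the monitoring points above a concrete shape, here is an added example, not from the post or from any UEM vendor’s agent, of the posture signals a device policy controller could collect and send to the UEM server on each check-in: blocked packages, whether the unknown-sources restriction is actually in force, and basic compromised-state indicators. The class name and the package names are placeholders (the post refers to two Fortnite package names but does not reproduce them here), and the su-binary paths and build-tag check are well-known heuristics rather than a definitive root test. Last-check-in monitoring is a server-side comparison of report timestamps and is not shown.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.UserManager;

import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Collects the compliance signals discussed in the post from inside a DPC (added example). */
public final class DevicePostureReport {

    // PLACEHOLDERS: substitute the real package names from the UEM application blacklist.
    private static final Set<String> BLOCKED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.example.blocked.game.one",
            "com.example.blocked.game.two"));

    // Common su binary locations; a heuristic indicator, not proof of compromise.
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};

    private DevicePostureReport() {}

    /** Returns zero or more findings; an empty list means compliant for these checks. */
    public static List<String> collect(Context ctx) {
        List<String> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);

        // Blocked apps. From a profile owner this only sees apps installed in the work
        // profile, which is the BYOD blind spot the post notes: personal installs are invisible.
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if (BLOCKED_PACKAGES.contains(app.packageName)) {
                findings.add("blocked-app-installed:" + app.packageName);
            }
        }

        // Unknown sources: report whether the restriction is in force, not merely configured.
        if (!um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)) {
            findings.add("unknown-sources-not-restricted");
        }

        // Compromised-state (root) indicators. Heuristic; a UEM or MTD agent would pair
        // these with stronger signals such as SafetyNet attestation.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            findings.add("root-indicator:test-keys-build");
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                findings.add("root-indicator:su-binary:" + path);
            }
        }
        return Collections.unmodifiableList(findings);
    }

    /** Compliance decision kept separate from collection so the policy is easy to unit test. */
    public static boolean isCompliant(List<String> findings) {
        return findings.isEmpty();
    }
}
```

Each call to `collect` produces the per-device evidence the server stores with a timestamp; the server then flags devices whose last report is older than the agreed check-in window, or whose latest report is non-compliant, so that administrators see both the symptom and when it first appeared.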
Google Play Protect offers real-time and background protection against harmful applications. It actively scans a billion apps per day, both on and off the Google Play Store.
That said, MTD solutions can complement this built-in security, for example by offering insights into permissions abuse across installed applications and, in some cases, visibility of a PHA before Play Protect picks it up.
Furthermore, these solutions monitor network behaviour in addition to applications and device posture, offering a robust solution for organisations which can integrate directly with UEM solutions to offer automated actions should a threat be detected.
As mentioned, Epic Games’ approach to application distribution is flawed, unusual (outside of locations where Google Play is blocked) and carries significant risk from opportunistic bad actors. End-users should think twice, and then once more, before attempting to install an APK from unknown sources generally, and for business this should be prevented to the extent it can be.
Current PHA install rates sit at 0.79% outside of the Play Store as of Q4 2017; I would not be at all surprised to see Epic Games responsible for that increasing, even slightly, this year.
Managing Android devices? Get in touch to discuss how CWSI can help you secure your estate and protect against threats like those above.