Fortnite is putting users at risk, to prove a point about Google’s Android monopoly – CNET

Epic Games

Fortnite is a global phenomenon. It's the biggest thing in video games, in no small part because kids are obsessed with the part-Minecraft, part-PUBG shooter they can play on an iPhone for absolutely zero money (as long as you disable in-app purchases).

Now, the game is coming to Android too, meaning the other 85 percent of the world's smartphone audience may soon find out what all the fuss is about.

But Fortnite for Android will put some of those users at risk of hacks and malware — all because its creator, Epic Games, is tired of the raw deal it claims that Google is giving developers and users.

Honestly, Epic may have something of a point.

But it's you — not Epic — that's on the hook if things go sideways.

What's going on?

It's pretty simple, really: Fortnite for Android will not be available on the Google Play Store. You'll have to "sideload" it by installing it direct from Epic, either by waiving a variety of Google security prompts (if your phone is running the latest Android 8.0 Oreo) or by manually toggling the "Unknown Sources" option in the Android settings menu to waive even more protections.

Let me make it clear: Unknown Sources can be dangerous. Sure, it's one of the reasons why Google can call Android an open platform, because you can use it to install all kinds of apps that weren't approved (or security checked) by Google.


One iteration of "Unknown Sources."

Jason Cipriani/CNET

But once you toggle Unknown Sources, your phone is vulnerable to all sorts of malware. That's why CNET doesn't link to leaked APKs of hot new Android apps as a general rule — all it takes is one quick swap or URL redirect, and the hot new game you think you were downloading might actually install a piece of spyware on your phone. Or a copy of the game that actually works — but spies on you in the background.

And once you turn on "Unknown Sources," you've gotta remember to turn it off again so future apps don't take advantage.

That's one of the reasons Android app developers generally don't fight the Google Play Store and the 30 percent fee that Google charges developers. That, and publicity — Google can give premium apps a big boost.

But Fortnite doesn't need Google's publicity. Epic wants all the money. And honestly, Epic isn't entirely to blame if there are consequences.


In a tweet today, Epic Games CEO Tim Sweeney told CNET that the "Unknown Sources" button isn't required if your phone is running the latest version of Android — Android 8.0 "Oreo."

A "download" button is coming to On the latest Android Oreo devices, this goes directly to a download link which installs the game following user acceptance of several security prompts – no "unknown sources" involved.

— Tim Sweeney (@TimSweeneyEpic) August 3, 2018

That's good if true — for those users on Oreo, specifically, that sounds like a pretty reasonable ask.

But by Google's last count, only 12.1 percent of Android users are on Oreo or above. 87 percent are not.

That disparity is known as Android's fragmentation issue, and it's dogged the mobile operating system pretty much since the get-go — no matter how much power you might think Google has over device partners and cellular carriers, it's never been able to convince or force them to update phones in a timely fashion.

(Things have gotten a little better with security updates, and Google says it'll soon make OEMs sign those into their contracts, but one study found that manufacturers have lied about security updates, too.)

To be clear, this isn't just Google's fault — OEMs and carriers share responsibility for updates in Google's scheme — and if Epic thinks Oreo is safer, why not limit the game to Oreo phones?

Because of fragmentation, up to 87 percent of Fortnite players on Android will have to do something slightly risky to download the game. Perhaps more of us will have Oreo by the time the game ships, though?

An effective monopoly

The other good point Epic's Tim Sweeney raised: If companies like Epic can't release apps outside the official Google Play Store without users raising a stink about security, then Google effectively has a monopoly on the platform.

If you think about it, there's not a lot of incentive for Google to improve device security for apps that come from outside the store. Why would they, when they stand to profit by getting their 30-percent cut? (Particularly since Apple charges the same.)

Epic doesn't want Google to have a monopoly, so it's betting (with your security at stake!) it can challenge the stigma of releasing apps outside the Play Store.

But Epic also argues that the price Google's monopoly charges is too high: "30% is disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service," Sweeney told TouchArcade.

Mind you, Epic doesn't seem to be protesting Apple's monopoly and its identical 30-percent cut — but Epic argues that there, it didn't have a choice. "If the question is 'Would you have done this on iOS if you could have?' the answer would be 'Yes,'" the company told CNET.

Google declined to comment.

Where Epic's arguments don't hold up

If you believe that Google backed Epic into this corner, then it makes sense that Google might share some small blame if users get hacked. But I don't think all of Sweeney's arguments make sense.

For instance, this one I tweeted about earlier:

Open platforms are an expression of freedom: the freedom of users to install the software they choose, and the freedom of developers to release software as they wish. With that freedom comes responsibility. You should look carefully at the source of software you're installing, and only install software from sources you trust.

Kids play Fortnite. Kids aren't responsible, even if they're often more tech-savvy than adults. Kids nowadays seem to trust things they see on YouTube (yes I'm overgeneralizing), and YouTube has already pointed people to fake, malicious copies of Fortnite.

That's also why I'm not convinced by arguments that other third-party app stores have done the same thing — kids aren't champing at the bit to go download Amazon's Appstore. (I'd forgotten Amazon's Appstore still existed until I started writing this editorial.)

Here's another:

Most importantly, mobile operating systems increasingly provide robust, permissions-based security, enabling users to choose what each app is allowed to do: save files; access the microphone; access your contacts. In our view, this is the way all computer and smartphone platforms should provide security, rather than entrusting one monopoly app store as the arbiter of what software users are allowed to obtain.

When was the last time you seriously looked at the permissions an app asks for? Much less a kid eager to score a copy of Fortnite to play with friends at school? Yes they play it at school. Particularly if they're already jumping through hoops like Unknown Sources.

Besides, how do you know that fake copy of Fortnite doesn't just want to use your microphone for the game's built-in voice chat, or your contacts for a matchmaking system? Google is indeed planning to keep apps from sneakily using your camera and mic — but not till Android P. For now, app permissions are not sufficient security.

I also had this conversation with Sweeney on Twitter, but I wasn't quite convinced:

Everyone active in the Android ecosystem, including Google, manufacturers, carriers, and now Epic Games, will need to work together to maximize the security of Android as an open platform. We recognize we're taking on a big responsibility here and take it seriously.

— Tim Sweeney (@TimSweeneyEpic) August 3, 2018

1. Ongoing technical conversations with engineers and business folks at key companies about platform features and security model.

2. Ongoing anti-cheat/anti-hack efforts on Fortnite for Android to ensure that gamers have a good experience.

— Tim Sweeney (@TimSweeneyEpic) August 3, 2018

Thats Googles domain, which theyre doing a great job of though the permissions-based security model. Keep in mind that an APK installed from the web has exactly the same degree of OS access as one installed from Google Play.

— Tim Sweeney (@TimSweeneyEpic) August 3, 2018

While I'm happy he took the time to reply, it doesn't sound to me like Epic will necessarily take "responsibility" if anything happens with a bad sideloaded app, or that it's working with partners on any specific ways to keep that from happening.

I think it'd be all too easy for them to pin any problems on user error — if users even discover that they've contracted a malicious app at all. (Google's Play Protect may help with this, though.)

Which is a shame, because I agree with Sweeney that Android could be a more open platform, and I'm curious to see if Fortnite batters down the door. I'm just worried that it's wishful thinking — and that he's betting with chips he doesn't own.

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button