App sideloading and cyber risk

December 2018

Robert Brady MBCS, senior consultant at Capgemini, considers the cyber risks posed by sideloading in a popular mobile video game.

Fortnite is a multi-player survival game in which 100 players compete online, guns blazing, in a last-man-standing arena battle. The game is available to play for free, and has proven particularly popular with older children around the ages of 12 to 16.

Epic Games, the developer and publisher of Fortnite, recently announced that its upcoming Android port will be distributed not through the Google Play Store, as is typical for Android apps, but via an installer available as a direct download from their website.

Epic’s decision to distribute the game deviates from the platform norm of delivering applications through the official app store and comes with a significant risk of exposing its players to a multitude of cyber threats, while also shining light on a wider possibility of normalising what can be seen as a dangerous trend.

Benefits of app stores

Traditionally on mobile platforms, software and updates are made available through a distribution platform specific to the device: for Apple devices it is the ‘App Store’, for Windows the ‘Microsoft Store’ and for Android ‘Google Play’. The platform owner, be it Apple, Google or Microsoft, provides a marketplace and distributes the software, eliminating the need for the publisher to build and manage their own distribution platform.

In addition to the benefits for developers, app stores provide user benefits too, ranking apps by popularity, allowing users to publish and share reviews and ensuring apps are automatically updated with the most recent patches. In return, the owner of the app store takes a cut from every transaction, 30 per cent on Apple and Google’s stores, the two most popular.

This is not an insignificant amount and, while a desire to establish a ‘direct relationship’ with the game’s players was Epic’s stated reason for distributing their code themselves, it is reasonable to suspect that the true reason behind the move might be Google’s high fees, something that Epic acknowledged was a concern.

Aside from the usability benefits, this established app store distribution model also benefits the cyber security of users and their mobile devices. While the level of vetting is variable between stores, all applications are curated to some extent before being uploaded, which broadly prevents fake applications or malicious code from appearing on the store.

Applications are also ranked according to the number of downloads and user ratings, which means that malicious applications with a low reputation, or those that masquerade as another, popular application, are naturally filtered out of general visibility.

As users can be confident that software on the store is unlikely to be malicious, will be automatically updated, and that undesirable applications are low on the rankings, app stores are a mostly safe space from cyber threat.

Sideloading and cyber risk

It is, of course, also possible to install code from outside the app store by downloading and running it directly. In Android’s terminology this is called sideloading.

In principle, sideloading is no less legitimate than running an installer on a PC. However, this is disabled by default on Android devices to protect users from malicious code, and a user must deliberately disable security settings on the device to enable it. As Fortnite’s Android version will be distributed directly, it will require its users to disable these settings, sacrificing the safety net of the controlled app store and exposing the user to the risks of uncontrolled and untrusted code.

Most power users of technology will be able to manage the risks they are exposed to by this, and will likely be very deliberate in how they use their technology. Today’s teenagers, on the other hand, have typically grown up with technology and mobile devices being a part of their lives since birth. As a result, while extremely comfortable in their use, they can often be confident to the point of complacency and are generally far more trusting and less sceptical of technology than those who are a little older and probably a little wiser.

It is not unreasonable to expect that many of Fortnite’s younger players, potentially the majority, will either forget or will not see the value in re-enabling their security settings, or may grow tired of needing to tweak them every time the game requires a major update or reinstall. Additionally, as installing the game in this way becomes expected, players may be far more susceptible to being tricked into installing a fake or malicious imitator of the game, since disabling the settings to do so will arouse no suspicion in and of itself. Already there are reports of malicious applications imitating the legitimate Fortnite app (which was perhaps inevitable anyway).

There is also a real possibility that requiring sideloading for what is sure to be a popular app will result in normalising what has to date been a discouraged approach to installing software. This may result in further dangerous and risky use of technology by users or developers; if Epic’s decision to bypass the Play Store proves to be a success, it will surely encourage other publishers to follow in its footsteps.

Google’s researchers have already disclosed that the first version of Fortnite’s Android installer is susceptible to a ‘man-in-the-disk’ attack, a newly discovered form of vulnerability that can be used to escape the Android sandbox and access apps and data that should remain private. This could have been used to trick the Fortnite installer into downloading malicious code with full access to the mobile device. The installer is now patched, and some of Google’s own applications are also vulnerable, but it is a timely warning and an embarrassment for Epic that has resulted in a spat with Google over their full disclosure of the vulnerability.

Looking forward

There are suggestions in the wider industry that the firm control over the mobile platform that key players like Google enjoy may be due to change. Google recently received an astounding €4.3bn antitrust fine for illegally abusing its position as the developer of Android and, in particular, for essentially locking out competitors by leveraging the necessity of Play Store. Apple faces a similar case in the US courts. Regardless of the merits, this sort of legislative challenge will further threaten the established models for mobile computing and the safeties they currently offer users.

IT practitioners should consider the implications of this, and be mindful of the possible future outlook. To draw a contrast with PC software, it is generally considered normal to run or install code from uncontrolled or untrusted locations, but the risk of malware and cyber-attack is omnipresent compared to the mobile landscape. As the use and sophistication of mobile computing advances, it may come to resemble the PC landscape in this respect, which is fundamentally different to the tightly controlled platform it is today.

This is a somewhat bleak perspective, and hopefully a worst-case scenario. While Epic Games will probably reap success in distributing Fortnite directly, encouraging other developers to do similarly, it could also result in Android adapting to accommodate the behaviour safely, and an increase in freedoms on mobile devices is not necessarily a bad thing.

However, macrotrends in computing, such as increased use of mobile devices and the freedoms and power of the platform, result in increased risk to the user. This necessitates a mindfulness of the dangers and constant presence of cyber threat in all its forms. The obligation of IT professionals to encourage safe behaviours by users is something, however, that Epic has perhaps in this case worked against.
