After Fortnite launched on the Android mobile operating system, users were made aware that the installation process was somewhat unusual.
Rather than visiting the Google Play Store and downloading the software directly, Epic Games employed a different installation technique known as sideloading, which requires the app to be downloaded from another source; in this case, Epic Games’ website.
Adding additional purchase or installation barriers to consumers in a market where easily-accessible and streamlined processes have become a priority is generally frowned upon and is not considered best business practice. In this case, however, the Fortnite developer wanted to avoid Google’s requirements when it comes to in-app billing.
As of this year, Epic Games says there are roughly 250 million active Fortnite players, and when you combine this with the app’s virtual currency V-Bucks — used to purchase everything from outfits to weapons in-game — you can see the potential profit margins.
Market tracker Edison Trends estimates that Fornite in-app revenues dropped by 52 percent between Q2 2018 and Q2 2019, but the game is still a cash cow that outstrips everything else on the market with billions of dollars already banked.
Currently, developers must adhere to terms of service which include the implementation of Google Play In-app Billing to make in-app purchases, rather than their own payment methods. So when you consider a commission rate of roughly 30 percent levied on in-app purchases made by apps hosted on Google Play, you can see why the developer may wish to protect this revenue stream.
A 9to5 Google report emerged over the past week which suggested Epic Games had submitted Fortnite to Google Play in the hopes of a special exception to the 30 percent rule.
Google said no.
See also: Fortnite is being used by criminals to launder cash through V-Bucks
In a statement, the tech giant told the publication:
“Android enables multiple app stores and choices for developers to distribute apps. Google Play has a business model and billing policy that allow us to invest in our platform and tools to help developers build successful businesses while keeping users safe. We welcome any developer that recognizes the value of Google Play and expect them to participate under the same terms as other developers.”
This is no surprise in itself as if Google made one exception — especially to a massively popular app — more developers would come knocking at the door asking for special treatment.
Epic Games CEO Tim Sweeney has previously described Google and Apple’s ‘tax’ as “a high cost in a world where game developers’ 70 percent must cover all the cost of developing, operating, and supporting their games.”
Sweeney also cited “economic efficiency” as a reason for maintaining sideloading rather than pay the commission, but the decision has been met with criticism by the security community.
CNET: IoT devices need built-in security standards, UL says
Google Play is not an untouchable gold standard in security as, on occasion, malicious apps do circumvent existing security controls and become hosted in the official Android app repository.
However, it is generally considered wise to download apps from sources such as Google Play and the Apple App Store as these companies are constantly improving their security measures and there is less of a chance that the software you are downloading is malicious as external researchers, too, are monitoring the stores.
Downloading an app from a third-party website requires high levels of trust in these sources as they are not checked for malware, and they also require users to enable the “allow unknown apps to be installed” setting to be enabled on handsets.
It is this avenue that can be exploited by attackers to perform phishing, Man-in-The-Middle (MiTM) attacks and to download malicious payloads on to devices.
TechRepublic: Analysts worry about tech security threats ahead of 2020 elections
Shortly after the launch of the Android version of Fortnite, Google disclosed a vulnerability in the Fortnite installer APK which could be exploited to allow attackers to hijack the app through a Man-in-The-Disk (MiTD) attack, leading to the substitution of packages for malicious code, high privileges and permission levels to be granted, and device hijacking.
At the time, Sweeney branded the disclosure, made a week after a patch had been developed, as a way to “score cheap PR points.”
Check Point, too, found a bug in Fortnite’s infrastructure which gave attackers access to user accounts with very little effort. Over nine million Fortnite accounts were reportedly hacked last year.
It does not, and should not, just come down to money. We’ve seen in the past that it can take no more than one overlooked security issue to bring a company’s reputation crashing down, landing them a hefty bill to repair the damage and for compensation, and while a 30 percent rate may be high, users do benefit from an improved app security posture.
As Fortnite does handle payment data, the need to maintain adequate security is even more important considering its massive customer base.
The company has launched schemes to try and boost app security, including rewards for users that enable two-factor authentication (2FA). However, given that the app does tend to have a younger audience that may be more susceptible to phishing, downloading installers from untrusted sources, and giving away the keys to their accounts unwittingly, choosing to stay with sideloading could end up costing the company — and its customers — far more in the long run than Google’s commission.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0