Fortnite is setting a dangerous security trend

The issue with attempts to bypass official stores is that they contradict recommended security best practice. Using these stores is strongly recommended because of the added protection they offer. Apple, for instance, has a set of detailed guidelines that app submissions are checked against. Similarly, Google has a series of automated and manual techniques to vet apps.

Directing users away from these stores means less protection. And even worse, it stands to encourage a wider behavior change. It sends the message to users that official app stores are no longer the primary trusted way to engage with apps.

Industry research has validated the importance of this advice time and time again, revealing that third-party app sources – particularly on the Android platform – are often plagued with malware and can expose users and their data to a variety of security and privacy risks. According to the 2018 Symantec Threat Report, the vast majority (99.9%) of discovered mobile malware was found in third-party app stores. This doesn’t mean that official stores are free from malware, but they do have the advantage of another set of specialists checking apps for potential problems.

As such, direct downloads create a substantially greater security risk. A perfect example of this was revealed recently when Google discovered a severe security vulnerability in the Fortnite installation process. This essentially made it possible for malicious apps to download and install anything on a user’s device without their permission – a cyber-security nightmare. Although Epic Games has since released a fix, it is very likely that many users have yet to install it, which means they may still be vulnerable.

Eroding good habits

A more long-term impact of the shift to direct downloads and engagement is the potential erosion of best security practice. For years, security awareness campaigns and guidance have emphasized the importance of sourcing apps only from official stores. This has been a difficult (yet crucial) task as security awareness campaigns are hard to get right, actually changing people’s behavior is even harder, and attackers are constantly updating their tricks.

Encouraging or redirecting users away from traditional channels may well undo some of these ingrained secure habits. For example, the Fortnite installation process requires gamers to enable installations from unknown apps. But doing so puts users at higher risk. A user would need to navigate to this setting later to disable third-party installations as it does not reset automatically.

If more large app developers bypass the official stores in this way, it will almost certainly have an impact on people’s broader behaviors. This could result in the belief that trusted sources of apps are no longer necessary and that disabling protective security measures isn’t a problem. What’s more, it could create a stronger temptation to look to third-party app stores for new apps or better deals – app channels that are, as mentioned, unfortunately infested with malware.

The ultimate result of these actions will be further malware infections and a greater compromise of privacy and security. Ordinary users will pay the costs of app developers’ desire to avoid the regulations and fees of the official stores.

Jason Nurse is Assistant Professor in Cyber Security, University of Kent. This article is published courtesy of The Conversation.