Fortnite's Creator, Epic Games, Puts Profit Over Good Security Practices
Contrary to what Gordon Gekko espouses in the 1987 cult classic "Wall Street," greed is not always good. What is the price of encouraging good security practices? What is the corporate responsibility to improve the public’s security awareness? How liable would you be held if your application caused a company to be breached? The answers to these questions are immeasurable or too complex to solve in a simple blog post. However, one thing is clear: the "corporate greed" of Epic Games, the creator of the popular Fortnite game, put a price on corporate responsibility to the public: 30% of the Android Total Addressable Market (TAM). For some context on how I arrived at this figure, let’s take a step back and look at how Apple and Google monetize their respective app stores.
Apple launched the iOS App Store in 2008 with the intention of bringing together a community of developers in a mutually beneficial and symbiotic relationship. Apple would provide a platform, promotion, and market for application developers to sell their apps, keeping 30% of the revenue from each sale and in-app purchase. Developers would create and sell their apps, keeping 70% of the revenue while making iOS “stickier” and more attractive to its users, building brand loyalty. In response, Google launched the Google Play store in 2012 with a strikingly similar monetization model. At the June 2018 Apple Worldwide Developers Conference (WWDC), Apple CEO Tim Cook reported that over $100 billion USD has been paid out to developers since 2008. While this figure is astounding, in that Apple has given back more money to its developers than the GDP of Bangkok, Thailand, this amount was simply not enough for Epic Games.
Boasting a reported 125 million daily active users, Fortnite launched patch v5.0 on July 12, 2018, kicking off a new season of gaming, Season 5. During the first five days of Season 5 on iOS alone, Fortnite brought in $10 million USD, or $2 million USD per day. That meant Epic took home $1.4 million USD (70%) and Apple got $600,000 USD (30%) over the five-day period. Since Apple’s iOS has no supported method of loading applications other than the official App Store, Epic had no choice but to give Apple their pound of flesh.
On the other hand, Android is less secure and allows for the side loading of applications without the need to go through the official Google Play Store, effectively depriving Google of their 30% cut. Epic Games decided to take advantage of this: it not only made Fortnite available as a standalone APK installer, but also removed the official Fortnite app from the Google Play Store and actively encourages users to side load Fortnite. This is very worrisome for a number of reasons.
- Side loading requires instructing people to disable all of the built-in Android protections against unknown, unverified, or unsigned code.
- This will normalize this process and behavior, making users believe this is a typical way to install applications.
- Unsuspecting players looking for the official application in the Google Play Store will be met with numerous malicious and fake versions of the application.
While the Google Play Store is far from perfect at detecting and blocking malicious apps, it is still better than the Wild West that is "side loading", the act of installing an application from outside the official Play Store. Google Play Protect scans over 50 million applications daily and removes malicious apps.
Teaching users that side loading is an acceptable way to install applications is akin to the US Internal Revenue Service announcing that it will begin accepting tax payments in the form of Google Play credit or Green Dot Moneypak cards, and that it will regularly contact taxpayers by phone to tell them they owe a tax obligation. The damage to the public trust would be immense.
Worse yet, side loading causes Fortnite to be vulnerable to man-in-the-disk (MitD) attacks, a new attack vector discovered by Check Point Securities in early August. An application becomes vulnerable to a MitD attack when it writes data outside the protected on-board memory, often on an external SD card. That SD card lacks the protections of on-board memory and allows low-level processes already running on the phone to hijack the memory and installation process of legitimate applications such as Fortnite. A very poor installation process made Fortnite especially vulnerable to attack.
To install Fortnite on an Android phone, users would be instructed to download an installer APK file from Epic’s website. Users would necessarily have to disable all side loading protections in order to continue with the install process. The installer would verify the phone is capable of playing the game (OS/hardware checks) and then download a larger installation file to the SD card or other external storage. The original installer would look for a file with a specific filename in a specific folder and run that installer. The file location and filename were the only verification that took place before the installer would be allowed to run. The verification lacked any integrity checks such as an MD5 hash or cryptographic code signing, which allowed any file with that filename to be run. Any application with permission to write to the SD card could easily replace the legitimate installer with any installer of its choice and have it run. The fake APK installer would also be granted any rights (up to and including full administrator rights) it requested without the explicit user approval that is normally required when a user installs an app through the Google Play Store. Epic Games quickly patched this vulnerability after being notified by Google researchers.
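The flaw described above, a filename-and-location check on a file staged in shared storage, is shown here next to a hardened check as an added example; it is a Python simulation written for this page, not Epic's installer code or Android API code. The filename, directories and payload bytes are constructed, and SHA-256 against a digest pinned in the signed first-stage installer stands in for the integrity check the text says was missing.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Optional

STAGED_NAME = "game-payload.apk"  # hypothetical filename, not the real one

def naive_check(shared_dir: Path) -> Optional[Path]:
    """The flawed pattern from the text: name and location are the only test."""
    candidate = shared_dir / STAGED_NAME
    return candidate if candidate.is_file() else None

def verified_copy(shared_dir: Path, private_dir: Path, pinned_sha256: str) -> Optional[Path]:
    """Copy into app-private storage first, then verify and install that copy."""
    source = shared_dir / STAGED_NAME
    if not source.is_file():
        return None
    private_copy = private_dir / STAGED_NAME
    shutil.copyfile(source, private_copy)
    # Hash the private copy, not the shared file: a swap after this point is harmless.
    digest = hashlib.sha256(private_copy.read_bytes()).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        private_copy.unlink()  # never leave an unverified file behind
        return None
    return private_copy

def demo() -> dict:
    """Constructed scenario: a download is staged, then overwritten by another writer."""
    with tempfile.TemporaryDirectory() as tmp:
        shared, private = Path(tmp, "shared"), Path(tmp, "private")
        for d in (shared, private):
            d.mkdir()
        genuine = b"constructed bytes standing in for the real payload"
        pinned = hashlib.sha256(genuine).hexdigest()  # assumed to ship in the signed installer
        (shared / STAGED_NAME).write_bytes(genuine)
        ok = verified_copy(shared, private, pinned) is not None
        # Simulates any other app that holds external-storage write permission.
        (shared / STAGED_NAME).write_bytes(b"constructed bytes from some other app")
        return {
            "genuine_accepted": ok,
            "naive_accepts_swapped": naive_check(shared) is not None,
            "verified_accepts_swapped": verified_copy(shared, private, pinned) is not None,
        }

if __name__ == "__main__":
    print(demo())
```

Copying before hashing matters as much as the hash itself: verifying the file in shared storage and then installing from that same path leaves a window in which it can still be replaced.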
The security vulnerabilities, and the egg on Epic Games' face, were due to their desire to circumvent the 30% cut they would have to pay to Google for all in-app purchases. Of note here is that Fortnite itself is free to download and play and is only monetized through in-app purchases of purely cosmetic items. The damage they are doing to the public by normalizing poor security practices and opening up their player base to fraudulent app downloads is a serious breach of corporate responsibility.
iOS and Android have always each had their own pros and cons. iOS has stricter security protocols in place, which makes it a very closed ecosystem. Android is very user-friendly with many convenient features not available on iOS, but that freedom comes with risk and leaves it vulnerable to more attacks. Since Epic Games will not take responsibility to protect its users, organizations can take a step to help secure them by inspecting mobile phone traffic for malware. Android APK files can be sent to a cloud sandbox for analysis if they are not known to be benign or malicious. Since BYO devices are now becoming normalized in the modern workplace, it is more important than ever to secure these devices with the same level of security as corporate devices.