{"id":1667,"date":"2018-08-30T16:28:54","date_gmt":"2018-08-30T15:28:54","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unikentcomp-news\/?p=1667"},"modified":"2018-08-30T16:28:54","modified_gmt":"2018-08-30T15:28:54","slug":"fortnite-is-setting-a-dangerous-security-trend","status":"publish","type":"post","link":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/2018\/08\/30\/fortnite-is-setting-a-dangerous-security-trend\/","title":{"rendered":"Fortnite is setting a dangerous security trend"},"content":{"rendered":"
Shutterstock<\/a><\/span><\/p>\n<\/figcaption><\/figure>\n

Jason Nurse<\/a>, University of Kent<\/a><\/em><\/p>\n

Cybercriminals have just been given yet another route to get malicious software (malware) onto your personal mobile devices. The hugely popular video game Fortnite has become one of the first major apps to bypass official app stores and encourage users to download its software directly.<\/p>\n

In doing so, it\u2019s also bypassing the security protections of the app stores and chipping away at a system that has worked reasonably well at keeping malware off people\u2019s phones and tablets. And we\u2019re already starting to see the dangerous results of this, as Fortnite\u2019s installation method created a security vulnerability<\/a> that may have opened up some users\u2019 devices to hacking.<\/p>\n

Fortnite\u2019s maker, Epic Games, shocked the industry when it announced at the start of August that it would release the app directly to consumers<\/a> instead of through the official Google Play store (although it\u2019s still available through Apple\u2019s App Store). The firm said this was to create a direct relationship with customers instead of depending on middlemen distributors. Google takes 30%<\/a> of the money paid for any app or in-app purchase in the Play store.<\/p>\n

This goes even further than the likes of Netflix, which recently confirmed it was testing a bypass of Apple\u2019s iTunes billing<\/a> system in 33 markets worldwide. This meant that some subscribers would be unable to pay using iTunes and instead would have to complete payments via Netflix\u2019s website, reducing their engagement with the official Apple store.<\/p>\n

Current estimates<\/a> suggest that in the first half of 2018, users of the Apple App Store and the Google Play Store spent a combined US$34.4 billion on mobile apps and games. These official stores still represent the first port-of-call for millions of mobile users, and in return they have come to expect<\/a> trustworthy, vetted, malware-free, high-quality apps.<\/p>\n

The issue with attempts to bypass official stores is that they contradict recommended security best practice<\/a>. Engaging with these stores is highly endorsed because of the added protection they offer. Apple, for instance, has a set of detailed guidelines<\/a> that app submissions are checked against. Similarly, Google has a series of automated and manual techniques<\/a> to vet apps.<\/p>\n

Directing users away from these stores means less protection. And even worse, it stands to encourage a wider behaviour change. It sends the message to users that official app stores are no longer the primary trusted way to engage with apps.<\/p>\n

\"\"
Bypassing official app stores is a risky game.<\/span>
\nShutterstock<\/a><\/span><\/figcaption><\/figure>\n

Industry research<\/a> has validated the importance of this advice time and time again, by revealing that third-party app sources \u2013 particularly on the Android platform \u2013 are often plagued with malware and can expose users and their data to a variety of security and privacy risks<\/a>. According to the 2018 Symantec Threat Report<\/a>, the vast majority (99.9%) of discovered mobile malware was found in third-party app stores. This doesn\u2019t mean<\/a> that official stores are free from malware but they do have the advantage of another set of specialists checking apps for potential problems.<\/p>\n

As such, direct downloads create a substantially greater security risk. A perfect example of this was revealed recently when Google discovered<\/a> a severe security vulnerability<\/a> in the Fortnite installation process. This essentially made it possible for malicious apps to download and install anything on a user\u2019s device without their permission \u2013 a cyber-security nightmare. Although Epic Games has since released a fix, it is very likely that many users have yet to install it<\/a>, which means they may still be vulnerable.<\/p>\n

Eroding good habits<\/h2>\n

A more long-term impact of the shift to direct downloads and engagement is the potential erosion of best security practice. For years, security awareness campaigns<\/a> and guidance<\/a> have emphasised the importance of sourcing apps only from official stores. This has been a difficult (yet crucial) task as security awareness campaigns are hard to get right<\/a>, actually changing people\u2019s behaviour is even harder<\/a>, and attackers are constantly updating their tricks<\/a>.<\/p>\n

Encouraging or redirecting users away from traditional channels may well undo some of these ingrained secure habits. For example, the Fortnite installation process requires gamers to enable installations<\/a> from unknown apps<\/a>. But doing so puts users at higher risk. A user would need to navigate to this setting later to disable third-party installations as it does not reset automatically.<\/p>\n

If more large app developers bypass the official stores in this way, it will almost certainly have an impact on people\u2019s broader behaviours. This could result in the belief that trusted sources of apps are no longer necessary and that disabling protective security measures isn\u2019t a problem. What\u2019s more, it could create a higher temptation to look to third-party app stores for new apps or better deals \u2013 app channels that are, as mentioned, unfortunately infested with malware<\/a>.<\/p>\n

The ultimate result of these actions will be further malware infections and a higher compromise in privacy and security. Ordinary users will pay the costs of app developers\u2019 desire to avoid the regulations and fees of the official stores.\"The<\/p>\n

Jason Nurse<\/a>, Assistant Professor in Cyber Security, University of Kent<\/a><\/em><\/p>\n

This article was originally published on The Conversation<\/a>. Read the original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Shutterstock Jason Nurse, University of Kent Cybercriminals have just been given yet another route to get malicious software (malware) onto your personal mobile devices. The … Read more<\/a><\/p>\n","protected":false},"author":5321,"featured_media":1668,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[124,122],"tags":[37339,178049,178050],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1667"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/users\/5321"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/comments?post=1667"}],"version-history":[{"count":1,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1667\/revisions"}],"predecessor-version":[{"id":1669,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1667\/revisions\/1669"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/media\/1668"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/media?parent=1667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/categories?post=1667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/tags?post=1667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}