Fortnite, Security, and Monopoly

Epic Games appears to be planning on distributing Fortnite for Android outside of the Play Store.

Frankly, I’m surprised that it took this long for somebody to do this. For a firm with their own payments and software distribution infrastructure, Google’s 30% cut is going to seem awfully steep. For strong brands, the lost sales from people unwilling to go through the alternative installation process may be lower than the 30% losses incurred through Google Play distribution. The only reason why Google can continue to charge 30% is due to the near-monopoly status of the Play Store on many Android devices.

The primary counterpoint to Epic’s decision is security. While one can obtain APKs from places other than the Play Store, conventional wisdom is that this is less secure. In particular, unwitting people might be tricked into installing malware that is disguised as Fortnite (or some other app of relevance).

Today, that conventional wisdom is likely to be true. And yet:

  • Malware can be found on the Play Store. Google is not infallible.

  • China lacks the Play Store. I had the opportunity to discuss app distribution with a manager from a large Chinese Android device manufacturer, and he expressed incredulity when I explained that Western developers often only ship their apps through the Play Store. In China, there are dozens, if not hundreds, of app stores, all competing for attention. Developers there are used to distributing their apps through many different channels. I have no evidence that users are routinely pwned as a result. Perhaps we can learn a bit from how they are handling this situation.

  • Play Protect and third-party security products can analyze APKs installed from elsewhere. The Play Store’s internal analyzers are not our sole line of defense, even today, nor should they be.

  • We are headed towards a world where a significant percentage of Android developers delegate app signing to Google. This allows Google to do whatever it wants with the contents of APKs… and it allows others to direct Google to do whatever they want with the contents of APKs. Quis custodiet ipsos custodes? We assume that Google is always a good actor with respect to app distribution – will that assumption hold up?

We definitely need more robust options for helping users identify what sources of APKs are safe. We definitely need more robust options for helping users safely install such APKs. We definitely need more ways to help users and developers ensure that the APKs that users install really are the APKs that the developers distribute. Perhaps Epic could contribute some towards such efforts, as they would gain PR benefits against those who accuse them of actively harming the Android ecosystem.

But, in general and IMHO, those who endorse monopoly in exchange for a little security are causing strategic harm to user security, as much as Epic is causing tactical harm to user security.