Fortnite, Security, and Monopoly
Epic Games appears to be planning on distributing Fortnite for Android outside of the Play Store.
Frankly, I’m surprised that it took this long for somebody to do this. For
a firm with their own payments and software distribution infrastructure,
Google’s 30% cut is going to seem awfully steep. For strong brands,
the lost sales from people unwilling to go through the alternative installation
process may be lower than the 30% losses incurred through Google Play distribution.
The only reason why Google can continue to charge 30% is due to the near-monopoly
status of the Play Store on many Android devices.
The primary counterpoint to Epic’s decision is security. While one
can obtain APKs from places other than the Play Store, conventional wisdom
is that this is less secure. In particular, unwitting people might be tricked into
installing malware that is disguised as Fortnite (or some other app of relevance).
Today, that conventional wisdom is likely to be true. And yet:
Malware can be found on the Play Store.
Google is not infallible.
China lacks the Play Store. I had the opportunity to discuss app distribution
with a manager from a large Chinese Android device manufacturer, and he expressed
incredulity when I explained that Western developers often only ship their apps
through the Play Store. In China, there are dozens, if not hundreds, of app stores,
all competing for attention. Developers there are used to distributing their
apps through many different channels. I have no evidence that users are routinely
pwned as a result. Perhaps we can learn a bit from how they
are handling this situation.
Play Protect and third-party security products can analyze APKs installed from
elsewhere. The Play Store’s internal analyzers are not our sole line of defense, even
today, nor should they be.
We are headed towards a world where a significant percentage of Android developers
delegate app signing to Google. This allows Google to do whatever it wants with
the contents of APKs… and it allows others to direct Google to do whatever they
want with the contents of APKs. Quis custodiet ipsos custodes?
We assume that Google is always a good actor with respect to app
distribution – will that assumption hold up?
We definitely need more robust options for helping users identify what sources
of APKs are safe. We definitely need more robust options for helping users safely
install such APKs. We definitely need more ways to help users and developers ensure
that the APKs that users install really are the APKs that the developers distribute.
Perhaps Epic could contribute some towards such efforts, as
they would gain PR benefits against those who accuse them of actively harming
the Android ecosystem.
But, in general and IMHO, those who endorse monopoly in exchange for a little security
are causing strategic harm to user security, as much as Epic is causing tactical
harm to user security.
Need an Android programming guide for your development team? An Enterprise Warescription to The Busy Coder’s Guide to Android Development is available for teams of 10+ members. Contact Mark Murphy for details.
thanks you RSS link