Fortnite, Security, and Monopoly

Epic Games appears to be planning on distributing Fortnite for Android outside of the Play Store.

Frankly, I’m surprised that it took this long for somebody to do this. For
a firm with their own payments and software distribution infrastructure,
Google’s 30% cut is going to seem awfully steep. For strong brands,
the lost sales from people unwilling to go through the alternative installation
process may be lower than the 30% losses incurred through Google Play distribution.
The only reason why Google can continue to charge 30% is due to the near-monopoly
status of the Play Store on many Android devices.

The primary counterpoint to Epic’s decision is security. While one
can obtain APKs from places other than the Play Store, conventional wisdom
is that this is less secure. In particular, unwitting people might be tricked into
installing malware that is disguised as Fortnite (or some other app of relevance).

Today, that conventional wisdom is likely to be true. And yet:

  • Malware can be found on the Play Store.
    Google is not infallible.

  • China lacks the Play Store. I had the opportunity to discuss app distribution
    with a manager from a large Chinese Android device manufacturer, and he expressed
    incredulity when I explained that Western developers often only ship their apps
    through the Play Store. In China, there are dozens, if not hundreds, of app stores,
    all competing for attention. Developers there are used to distributing their
    apps through many different channels. I have no evidence that users are routinely
    pwned as a result. Perhaps we can learn a bit from how they
    are handling this situation.

  • Play Protect and third-party security products can analyze APKs installed from
    elsewhere. The Play Store’s internal analyzers are not our sole line of defense, even
    today, nor should they be.

  • We are headed towards a world where a significant percentage of Android developers
    delegate app signing to Google. This allows Google to do whatever it wants with
    the contents of APKs… and it allows others to direct Google to do whatever they
    want with the contents of APKs. Quis custodiet ipsos custodes?
    We assume that Google is always a good actor with respect to app
    distribution – will that assumption hold up?

We definitely need more robust options for helping users identify what sources
of APKs are safe. We definitely need more robust options for helping users safely
install such APKs. We definitely need more ways to help users and developers ensure
that the APKs that users install really are the APKs that the developers distribute.
Perhaps Epic could contribute some towards such efforts, as
they would gain PR benefits against those who accuse them of actively harming
the Android ecosystem.

But, in general and IMHO, those who endorse monopoly in exchange for a little security
are causing strategic harm to user security, as much as Epic is causing tactical
harm to user security.


Source: http://commonsware.com/blog/2018/08/06/fortnite-security-monopoly.html
