The following article, authored by Sam Bakken, a Senior Product Marketing Manager with OneSpan, first appeared 8/14/18 on App Developer Magazine with the original title “Fortnite for Android Is a Trailblazing Risk for Mobile Banking”.
CEO Tim Sweeney of Epic Games, the publisher of the wildly popular Fortnite game, is on a mission to “advance the openness of all platforms” – not to mention side-step Google’s 30% take of developer proceeds – by distributing Fortnite for the Android platform via Epic’s own website rather than the Google Play store. I applaud a maverick challenging the status quo, but this move could smash what’s typically thought of as good mobile security hygiene and make it more difficult for banks to protect themselves and their users against attacks targeting mobile financial services.
Is Playing Fortnite for Android Worth Compromising Mobile Security?
Just months ago, imposter Android apps posing as the Fortnite game ran rampant outside of the Google Play Store, ranging from the annoying to the seriously malicious. In some cases, YouTube videos directed people to a website to download Fortnite for Android, but what they got instead was an app that continually presented screens requiring them to download other apps before they could download the real thing. The real thing never came, and all the while the developers of the phony apps racked up affiliate revenue for every app download. On the more serious side of the spectrum, one phony Fortnite for Android app available on third-party stores actually began logging calls and keystrokes upon install and prompted the user to grant it additional privileges.
As mentioned in App Developer Magazine, Android tries to combat the dangers of users installing apps from sources other than the official store with a setting called “Allow unknown sources”. In order to install apps from a source other than the Google Play Store, users need to enable the setting on their device. With Epic Games’ distribution plan, Epic will be asking Android users to do the same thing — essentially requiring users to weaken the security posture of their Android device.
Android 8.0 and above allows more granular enablement of the setting, on an app-by-app basis (i.e., only for specific sources the user trusts, such as Epic Games) rather than a blanket permission for any and all unknown sources. Unfortunately, as of July 23, 2018, only 12 percent of Android users are on version 8.0 or above. It’s possible that the majority of Android users (88 percent) who want to download Fortnite to their device will make themselves more vulnerable to phishing, SMShing, and other schemes that depend on tricking users into downloading malicious Android apps from sources other than the Google Play store.
Sweeney has said that users of Android versions older than 8.0 can just disable “Allow unknown sources” after they’ve downloaded Fortnite. As I explained on App Developer Magazine, I don’t think it’s realistic that users will do so. They need to click and scroll through a number of screens, and it’s possible some users wouldn’t find the setting again if they wanted to. Maybe Epic Games will add an in-app notification in the Android release reminding users how to do so, but we shouldn’t hold our breath. And even then, what about updates to the Fortnite app, and at what point will toggling the setting on and off become a nuisance and result in users simply leaving it on?
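The two setting models described above (one global “Allow unknown sources” switch before Android 8.0, a per-installer grant from 8.0 onward) are exactly what a banking app can and cannot observe about a device’s sideloading posture. The following is an added example, not code from OneSpan, Epic Games or the article, showing a read-only check a bank’s app could run at launch. It assumes the app only wants to warn the user, so it reads the legacy `Settings.Secure.INSTALL_NON_MARKET_APPS` value on older devices (on 8.0+ there is no global value to read) and checks whether its own install came from Google Play (`com.android.vending`); the class and method names are the example’s own.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;

/**
 * Added example: a banking app's read-only view of the device's sideloading
 * posture. Nothing here changes device settings; it only informs risk logic.
 */
public final class SideloadPosture {

    /** What the app could learn about the "unknown sources" setting. */
    public enum UnknownSources { ON, OFF, PER_APP_ONLY }

    private SideloadPosture() {}

    /**
     * Before Android 8.0 (API 26) "Allow unknown sources" is a single
     * Settings.Secure switch that any app may read. From API 26 on the grant
     * is made per installer app, so no single global value exists and the
     * bank's app cannot tell which other apps were allowed to install APKs.
     */
    @SuppressWarnings("deprecation")
    public static UnknownSources globalUnknownSources(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            return UnknownSources.PER_APP_ONLY;
        }
        int enabled = Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0);
        return enabled == 1 ? UnknownSources.ON : UnknownSources.OFF;
    }

    /** Package name of whatever installed this app, or null if unknown. */
    public static String installerOf(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                // API 30+ replaces getInstallerPackageName with InstallSourceInfo.
                return pm.getInstallSourceInfo(pkg).getInstallingPackageName();
            }
            return pm.getInstallerPackageName(pkg);
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    /** True only when Google Play installed this copy of the banking app. */
    public static boolean installedFromPlay(Context ctx) {
        return "com.android.vending".equals(installerOf(ctx));
    }

    /** A short, user-facing explanation the app could show on its risk screen. */
    public static String adviceFor(Context ctx) {
        if (!installedFromPlay(ctx)) {
            return "This copy of the app was not installed from Google Play. "
                 + "Please reinstall it from the official store.";
        }
        switch (globalUnknownSources(ctx)) {
            case ON:
                return "Installing apps from unknown sources is enabled on this "
                     + "device. Turn it off in Settings > Security after sideloading.";
            case OFF:
                return "Device only installs apps from trusted stores.";
            default:
                return "This Android version grants sideloading per app; review "
                     + "Settings > Apps > Special app access > Install unknown apps.";
        }
    }
}
```

The installer check is the more durable of the two on 8.0+, since the global toggle the article discusses no longer exists there; an app that is itself sideloaded, whatever the device setting, is the case a bank most wants to flag.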
The Impact on Banks and Mobile Financial Services
For one thing, it’s possible that a significant number of mobile banking users will lower the security level of their Android device in order to download and play the Fortnite app. This increases the risk on those devices, potentially exposing mobile banking apps to malware. Just this week, anti-virus vendor Kaspersky reported that it had identified an all-time high of more than 61,000 mobile banking Trojan installation packages in the second quarter of 2018 (a 209% increase over the first quarter of 2018). Granted, mobile banking Trojans can slip by Google Play security too – but mobile banking threats are on the rise, and Epic Games isn’t doing financial institutions any favors.
Secondly, banks need all the help they can get to educate their customers about only downloading official mobile financial services apps from the Apple App Store or Google Play store. In what are called app repackaging attacks, malicious developers take an app from an official channel, insert malicious code, redistribute it via official or unofficial channels, and convince users to download and use what they think is a legitimate app. The repackaged app’s real purpose, however, is to steal the user’s banking credentials. If more users become comfortable with downloading mobile apps from unofficial channels, it’s possible that more will fall victim to these sophisticated attacks.
What Can Mobile Banking Apps Do in Light of Increasing Mobile Threats and the Risks of App Sideloading?
A bank’s mobile app is deployed in untrusted environments over which the bank has no control. Therefore, banks need to secure their users’ accounts with strong authentication and protect the app itself and its runtime in these potentially hazardous environments.
App shielding technology makes it easy to incorporate advanced mobile app security into an app without much development effort. A shielded mobile app will automatically detect and respond to dangerous conditions (for example, those created by sideloaded apps), including but not limited to:
- Compromised devices
- Repackaging of apps
- Code injection
- Keyloggers and screen readers
- Overlay attacks and more
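Two of the conditions in the list above, a repackaged app and a compromised device, can be illustrated with the checks a shielding layer typically performs at startup. The following is an added example written for this article, not OneSpan’s shielding product or any vendor’s code. A repackaged APK must be re-signed by the attacker, so it compares the SHA-256 of the running APK’s signing certificate against a pinned value (`EXPECTED_CERT_SHA256` is a placeholder the bank would replace with its real release certificate hash); the compromise indicators (test-keys build tag, a `su` binary in common paths, a debuggable build) are simple examples, not an exhaustive list, and the class and method names are the example’s own.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

/** Added example: startup integrity checks of the kind app shielding performs. */
public final class RuntimeIntegrity {

    // Placeholder: replace with the SHA-256 (hex) of the bank's release signing certificate.
    static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX";

    private RuntimeIntegrity() {}

    /** SHA-256 hex of every certificate associated with the running APK's signature. */
    @SuppressWarnings("deprecation")
    public static List<String> signingCertHashes(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        Signature[] sigs;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: SigningInfo replaces the deprecated signatures array.
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            sigs = pi.signingInfo.hasMultipleSigners()
                    ? pi.signingInfo.getApkContentsSigners()
                    : pi.signingInfo.getSigningCertificateHistory();
        } else {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            sigs = pi.signatures;
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        List<String> hashes = new ArrayList<>();
        for (Signature s : sigs) {
            hashes.add(hex(sha256.digest(s.toByteArray())));
        }
        return hashes;
    }

    /**
     * A repackaged app cannot carry the bank's signature, so a missing pinned
     * hash means the APK was re-signed. Any failure to read the signature is
     * treated as a failure (fail closed) rather than as a pass.
     */
    public static boolean isRepackaged(Context ctx) {
        try {
            return !signingCertHashes(ctx).contains(EXPECTED_CERT_SHA256.toLowerCase());
        } catch (Exception e) {
            return true;
        }
    }

    /** Human-readable list of compromised-device indicators found; empty means none seen. */
    public static List<String> compromiseIndicators(Context ctx) {
        List<String> hits = new ArrayList<>();
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            hits.add("firmware signed with test-keys");
        }
        for (String path : new String[] {"/system/bin/su", "/system/xbin/su", "/sbin/su"}) {
            if (new File(path).exists()) {
                hits.add("su binary present at " + path);
            }
        }
        if ((ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            hits.add("app built debuggable");
        }
        return hits;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

In a real deployment these checks would be one input to the bank’s risk engine rather than a hard block on their own, and the signature comparison is what makes the repackaging case in the section above detectable: a re-signed copy distributed outside Google Play carries the attacker’s certificate, never the bank’s.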
It’s possible that in 5 or 10 years, Epic Games will be considered a trailblazer. And maybe Android will respond to this development with improvements that make the Android platform more secure than it is today. However, with the release of Fortnite for Android coming any day now, I don’t expect that Google has enough time to make adjustments to secure users against such a potentially dangerous mobile security gap.