
What are the security risks of third-party app stores?

Unlike most Android apps, which are distributed through an app store, Fortnite can be downloaded directly from Epic Games' website. Expert Michael Cobb explains the security risks of third-party app stores and side-loaded apps.

Epic Games Inc. released its popular game Fortnite in app form for Android, but it did not go through the Google Play Store. Security experts have expressed skepticism about the move. What are the security risks of developers using third-party app stores and not the Google Play Store or Apple's App Store?

Google Play is the official app store for the Android operating system, and it enables users to browse and download applications developed with the Android software development kit and published through Google. To prevent malicious programs from being published in the Google Play Store, Google Play Protect regularly scans apps in the store for malware, spyware and other threats.

The App Store is Apple's distribution platform for mobile apps running on iOS, and those apps are manually tested and analyzed by Apple's App Review team before being approved. Although not completely foolproof, these security checks greatly reduce the chances of users downloading malicious apps.

However, app developers pay to have their apps listed in these stores, and Epic Games believes that the 30% Google collects on in-app purchases doesn't reflect its input into the creation and maintenance of the game. As a result, Epic chose not to sell its online video game Fortnite through the Google Play Store.

Apple's ecosystem is fully locked down, so developers have no option but to release their apps through the Apple App Store instead of third-party app stores.

Android users who want to play Fortnite have to go to Epic Games' website and download an app called the Fortnite Installer. This app downloads and installs the actual Fortnite game and keeps it up to date. However, this process exposes users to various security risks because it means turning off security checks to side-load an app from outside of the Google Play Store.

First, users must allow apps from unknown sources to install and run, which puts their device in a more vulnerable state. Once that setting is enabled, players must also make sure they are actually downloading Fortnite from Epic Games; otherwise, they could install a fake or malicious version of the game. That version could then install other apps, as there isn't a per-publisher whitelist setting in Android.

The Fortnite Installer is a standard Android Package Kit (APK) file, but Google researchers found a vulnerability in it. This vulnerability could enable a man-in-the-disk attack in which a fake APK with a matching package name could be silently installed by the Fortnite Installer. A man-in-the-disk attack allows a malicious app to manipulate the data of other apps held in unprotected external storage. This can result in the installation of undesired apps instead of a legitimate update.

The vulnerability only worked on Samsung devices, as Samsung's API stores the downloaded file in Android's external storage, which is openly readable, and it only checks that the APK being installed matches the package name -- an easy check to pass. If the fake APK is installed on Android 5.1 Lollipop or lower, it will be granted any permissions it asks for during installation without the user's knowledge.

Epic Games fixed the vulnerability within 24 hours by moving the default storage directory to a private internal storage directory. As long as users have installed the update, they are safe, but other developers may not be so committed to delivering patches for their side-loaded apps.
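The weakness described above comes down to two installer decisions: where the downloaded APK is written (shared external storage that any app can overwrite) and what the installer verifies before installing it (only the package name). The following Python model is an added example, not code from Epic Games, Samsung or Google; it builds constructed, APK-shaped zip files with placeholder manifest text and placeholder "certificate" bytes, simulates another app swapping the file in shared storage, and contrasts a package-name-only check with one that pins the publisher's signing certificate digest and the exact file hash obtained over an authenticated channel. The package name `com.example.game` and all certificate bytes are invented for the demonstration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-ins for signing certificates. Real APKs carry DER-encoded
# certificates under META-INF/; these bytes are placeholders, not real certs.
LEGIT_SIGNER_CERT = b"-----CONSTRUCTED CERT: legitimate publisher-----"
ATTACKER_SIGNER_CERT = b"-----CONSTRUCTED CERT: attacker-----"


def build_fake_apk(package_name: str, signer_cert: bytes, payload: bytes) -> bytes:
    """Build a minimal zip mimicking an APK's layout (constructed test data).

    A real AndroidManifest.xml is binary XML; here it is a one-line text stub
    so the package-name check has something to read.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", f"package={package_name}\n")
        z.writestr("META-INF/CERT.RSA", signer_cert)
        z.writestr("classes.dex", payload)
    return buf.getvalue()


def package_name_of(apk: bytes) -> str:
    """Read the package name from the stub manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
    return manifest.strip().split("=", 1)[1]


def signer_digest_of(apk: bytes) -> str:
    """SHA-256 of the (placeholder) signing certificate inside the archive."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha256(z.read("META-INF/CERT.RSA")).hexdigest()


def weak_check(apk: bytes, expected_package: str) -> bool:
    """The check the article describes: only the package name is compared."""
    return package_name_of(apk) == expected_package


def strong_check(apk: bytes, expected_package: str,
                 pinned_signer: str, pinned_sha256: str) -> bool:
    """Require the expected package name, the pinned publisher certificate
    digest and the exact file hash that the installer fetched over an
    authenticated channel, so a same-named file from another signer fails."""
    return (
        package_name_of(apk) == expected_package
        and hmac.compare_digest(signer_digest_of(apk), pinned_signer)
        and hmac.compare_digest(hashlib.sha256(apk).hexdigest(), pinned_sha256)
    )


def simulate_swap() -> dict:
    """Model the on-disk swap: the legitimate download sits in storage that
    other apps can write to and is replaced by a same-named file before the
    installer reads it back. A dict stands in for the shared directory; an
    installer that writes to app-private internal storage removes this
    write path altogether."""
    package = "com.example.game"  # constructed package name
    legit = build_fake_apk(package, LEGIT_SIGNER_CERT, b"legit dex")
    # Values a hardened installer would pin from an authenticated manifest.
    pinned_signer = signer_digest_of(legit)
    pinned_sha256 = hashlib.sha256(legit).hexdigest()

    shared_storage = {"update.apk": legit}
    # Another app overwrites the file with one carrying the same package name.
    shared_storage["update.apk"] = build_fake_apk(
        package, ATTACKER_SIGNER_CERT, b"malicious dex")
    swapped = shared_storage["update.apk"]
    return {
        "weak_check_accepts_swapped": weak_check(swapped, package),
        "strong_check_accepts_swapped": strong_check(
            swapped, package, pinned_signer, pinned_sha256),
        "strong_check_accepts_legit": strong_check(
            legit, package, pinned_signer, pinned_sha256),
    }


if __name__ == "__main__":
    for name, outcome in simulate_swap().items():
        print(f"{name}: {outcome}")
```

The two checks differ in what they trust: the weak one trusts whatever is on disk as long as it names the right package, which is exactly the property an attacker-controlled file can satisfy; the strong one trusts only values fetched before the download and compares them with constant-time comparisons. Pinning the signer is the Android-native approach, since the platform ties updates to the original signing certificate, while pinning the exact file hash additionally detects tampering with a legitimately signed but stale or modified build.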

Apps distributed via third-party app stores and not curated stores like the Google Play Store can expose users to unnecessary risks; third-party app stores are a leading cause of infection globally. However, Google Play has often presented a challenge for enterprises, as it requires a Google account for every device -- or enabling unknown sources on devices and pushing APK files directly from an enterprise mobility management solution.

Organizations should instead use the enterprise-targeted managed Google Play Store, which enables employees to browse and install IT-approved apps while corporate applications silently and automatically install as soon as the device is enrolled.
