Fortnite will require Android users to allow unknown sources. Time to rethink MTD and EMM policies?

If consumers get in the habit of installing Android apps from unknown sources, some of our assumptions around Android BYOD, management, and security will have to change.

Recently we learned that the Android version of Fortnite—which will most certainly be an immensely popular app—will be distributed outside of the Google Play store (out in Android Beta as of publish date). To install it, users will have to change settings on their devices to allow apps from unknown sources. Naturally, this presents security issues: users could install fake or malicious versions of Fortnite, and in general, allowing apps from random sources to run puts devices in a more vulnerable state.

This brings up a whole host of EMM, BYOD, and mobile security questions. Inspired by a recent discussion on LinkedIn, today I want to take a closer look at this issue. What if this became the new normal?

Our assumptions change

In our current world, we assume that apps from Google Play are generally safe and that apps from unknown sources (i.e., anything outside of Google Play) are risky. This is backed up by plenty of research from Google, mobile threat defense (MTD) vendors, and others. Also, in recent years (at least prior to Fortnite), most consumers haven’t had a huge incentive to go outside of the Play store, anyway. These assumptions are the basis for many organizations’ EMM and mobile security strategies.

Now, we can cite a lot of reasons why Fortnite for Android would be better off in Google Play. Besides better security and making EMM admin lives easier, Fortnite might get better visibility, as several people pointed out on that LinkedIn thread. For their part, Epic Games said the decision to go outside of Play was about openness and competition, but let’s get real—it’s more likely about the 30% Google would take on in-game purchases, which are a huge aspect of Fortnite.

Anyway, for the sake of argument, let’s just imagine that installing random Android apps from unknown sources becomes something that consumers (and thus enterprise end users) grow accustomed to, and that they expect to be able to do it on personalized devices (i.e., on BYOD or COPE devices). In this new world, a lot of our assumptions about EMM, BYOD, and mobile security will have to change.

Approaches to this new world

Our first instinct might be to just block apps from unknown sources, which is of course no problem on work-managed devices. For BYOD Android devices, the industry is rapidly heading towards Android Enterprise work profiles. By design, work profiles have very limited management rights on the personal side of the device, but apparently, this is one of the few rights that will be retained. (Incidentally, this feature is not available yet.)

But again, we’re talking about a hypothetical world where users expect to install random apps from unknown sources. If we block this practice, suddenly our BYOD and COPE policies become a notch more draconian. Another option would be to just take a MAM-only approach using secure versions of apps, but then we lose the great benefits of a work profile. Either way, it’s like EMM is going back in time.

If users are indeed installing random apps and potential malware, to what degree do work profiles keep our enterprise data secure? Surely they will protect against run-of-the-mill nuisances, like apps that try to steal contact data, but what about truly nasty malware like spyware or something that roots the device? Android has gained many protections against these types of threats, but things can still happen. For example, what happens to a work profile on a rooted device?

This is where device attestation and MTD come into play. The device policy controller inside the work profile (i.e., the EMM agent) could do a device integrity check, as could an MTD app. If the device becomes rooted or otherwise compromised, IT could enforce mitigation policies such as wiping the work profile.

(This is a pretty interesting question, though—we’ll have to talk to some Android security researchers about what attacks are likely to happen against work profiles.)

Short of the whole device becoming compromised, what about other types of malware on the personal side? The whole point of a work profile is that it keeps the personal side of a phone private; but also, we don’t want our users running around with malware. For example, if it’s a COPE device, we don’t want a premium SMS scam running up our corporate phone bills.

So first off, Google Play Protect should already be present and providing an initial layer of protection. To go beyond that, we’d have to install a separate MTD app outside the work profile. For BYOD, this MTD would likely be running in a consumer-oriented deployment model—i.e., the MTD app should notify the user about any malware it finds, but it shouldn’t be reporting a list of personal apps back to the enterprise, and enterprise admins won’t have to be in the business of deciding what consumer apps to whitelist or anything like that.

One last note: Android 8 Oreo refined the unknown sources approval process, though it’s still not as granular as it could be. Basically, in Android 8 and later, unknown source approval is scoped so that users can give specific apps permission to install and sideload other apps. But this still leaves the door wide open—for example, you could whitelist Chrome, and then it could install any other apps from random websites. What we really need are full per-publisher or per-app permissions (which some devices apparently do already).
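To make the two management mechanisms above concrete, here is an added example (not code from the original article, and not from any EMM vendor) of what a hypothetical Android Enterprise device policy controller (DPC) could do: apply the unknown-sources restriction to the profile or device it owns, and, on Android 8 and later, list which apps declare the REQUEST_INSTALL_PACKAGES permission, i.e. which apps could be approved by the user as sources that install other apps. The class name, package name and method names are assumptions for illustration; the Android APIs used (DevicePolicyManager.addUserRestriction, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, Manifest.permission.REQUEST_INSTALL_PACKAGES) are real.

```java
// Hypothetical DPC fragment, added as an illustration (not the article's or any vendor's code).
package com.example.dpc;   // assumed package name

import android.Manifest;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.UserManager;
import java.util.ArrayList;
import java.util.List;

public final class UnknownSourcesPolicy {

    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // this DPC's DeviceAdminReceiver component

    public UnknownSourcesPolicy(Context context, ComponentName admin) {
        this.context = context.getApplicationContext();
        this.dpm = (DevicePolicyManager) this.context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /**
     * Block installs from unknown sources in the user this DPC owns.
     * As a profile owner this only covers the work profile, which is exactly the
     * limitation the article describes: the personal side is untouched.
     * As a device owner (work-managed device) it covers the whole device.
     * Returns false if this app is neither profile owner nor device owner.
     */
    public boolean blockUnknownSources() {
        String pkg = context.getPackageName();
        if (!dpm.isProfileOwnerApp(pkg) && !dpm.isDeviceOwnerApp(pkg)) {
            return false;
        }
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        return true;
    }

    /**
     * Audit helper: package names (visible to this user/profile) that declare
     * REQUEST_INSTALL_PACKAGES. On Android 8+ these are the apps a user can
     * approve under "Install unknown apps"; a browser on this list can in turn
     * install any APK it downloads, which is the gap the article points out.
     * Returns an empty list before Android 8, where per-app approval does not exist.
     */
    public List<String> appsDeclaringInstallPermission() {
        List<String> result = new ArrayList<>();
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            return result;
        }
        PackageManager pm = context.getPackageManager();
        for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (info.requestedPermissions == null) {
                continue;
            }
            for (String perm : info.requestedPermissions) {
                if (Manifest.permission.REQUEST_INSTALL_PACKAGES.equals(perm)) {
                    result.add(info.packageName);
                    break;
                }
            }
        }
        return result;
    }
}
```

Note that a DPC running inside a work profile only sees the packages installed in that profile, so the audit above cannot enumerate personal-side apps; that is the same boundary that keeps personal data private, and it is why the article turns to Play Protect or a separately installed MTD app for the personal side.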

Final thoughts

Fortnite for Android is yet another example of how security principles we rely on can be compromised for economic reasons. This particular event may fade from the news and pass without incident, but we should be thinking about what might happen if the personal side of BYOD and COPE devices turns into a security threat.

What do we do? I’m not sure yet. If you have or are thinking about putting any policies in place around Fortnite and other non-Google Play apps, let us know what you’re doing in the comments below.

Join the conversation

3 comments


Please don't mislead people about Google Play being about "security". Google Play is about financial and monopoly control. It provides no reasonable additional security benefit, and part of the reason Google put in a warning to let Play users know that Fortnite isn't in the Play Store is because malicious copycat apps are a dime a dozen in the Play Store, and even Google knows it: https://betanews.com/2018/08/12/google-play-fortnite-warning/

You may be mistakenly under the impression that Google Play apps get malware scanned and third-party apps don't. This is basically wholly untrue on two different levels. One, because Play Protect enabled devices scan third-party installed apps too, and two, because Play Protect is less than useless as a malware scanner, as found by AV-TEST, where it scores literally a zero: https://www.av-test.org/en/antivirus/mobile-devices/
I agree with you that there are still security and malware issues in Google Play, and that third-party MTD apps are likely to spot more malware than Play Protect.

However, I think you'd be hard-pressed to find many (or any) IT and security folks that don't think that staying inside the Play store is safer than allowing unknown sources.
Bear in mind, both Amazon's Appstore and F-Droid are also considered "unknown sources", and F-Droid is arguably your best choice for secure apps, as every app is built from source for that store.

If I were to deploy Android phones, I'd arguably remove or disable access to the Play Store, in preference of having a curated list of acceptable APK files that could be sideloaded. As a place where random people can upload applications at a whim with no real approval/vetting process, the Play Store is not an acceptable place to be getting apps in a business environment.

With regards to Fortnite, if you go to fortnite.com, the only APK you can get there is legitimate. But if you search for Fortnite on the Play Store, you're just as likely to get a bad clone as doing a web search. Obviously, as much as I'd personally block the Play Store, in a BYOD scenario that's not practical. But suffice to say, "unknown sources" is not the risk, the Play Store is.