X

Fortnite is putting users at risk, to prove a point about Google's Android monopoly

Commentary: Fortnite gives Google the middle finger, but both are failing us to some degree.

Sean Hollister Senior Editor / Reviews
When his parents denied him a Super NES, he got mad. When they traded a prize Sega Genesis for a 2400 baud modem, he got even. Years of Internet shareware, eBay'd possessions and video game testing jobs after that, he joined Engadget. He helped found The Verge, and later served as Gizmodo's reviews editor. When he's not madly testing laptops, apps, virtual reality experiences, and whatever new gadget will supposedly change the world, he likes to kick back with some games, a good Nerf blaster, and a bottle of Tejava.
Sean Hollister
6 min read

Fortnite is a global phenomenon. It's the biggest thing in video games, in no small part because kids are obsessed with the part-Minecraft, part-PUBG shooter they can play on an iPhone for absolutely zero money (as long as you disable in-app purchases).

Now, the game is available on Android too, meaning the other 85 percent of the world's smartphone audience may soon find out what all the fuss is about.

But Fortnite for Android will put some of those users at risk of hacks and malware -- all because its creator, Epic Games, is tired of the raw deal it claims that Google is giving developers and users. 

Honestly, Epic may have something of a point.

But it's you -- not Epic -- that's on the hook if things go sideways. 

samsung-galaxy-note-9fortnitejp
Sarah Tew / CNET

Editors' note, Aug. 9: Today, Samsung revealed Fortnite is now available via its own Game Center, and you can download it right now if you have a Galaxy S7 or a more recent device. Samsung is offering what seems to be a slightly safer install path than the one we originally described in this editorial, but that means there's even more confusion for people who plan to install Fortnite on Android devices from other manufacturers. We're republishing this piece to help spread the word. 

What's going on?

It's pretty simple, really: Fortnite for Android will not be available on the Google Play Store. You'll have to "sideload" it by installing it direct from Epic, either by waiving a variety of Google security prompts (if your phone is running the latest Android 8.0 Oreo) or by manually toggling the "Unknown Sources" option in the Android settings menu to waive even more protections.

Let me make it clear: Unknown Sources can be dangerous. Sure, it's one of the reasons why Google can call Android an open platform, because you can use it to install all kinds of apps that weren't approved (or security checked) by Google.

unknown-sources-android.jpg

One iteration of "Unknown Sources."

Jason Cipriani/CNET

But once you toggle Unknown Sources, your phone is vulnerable to all sorts of malware. That's why CNET doesn't link to leaked APKs of hot new Android apps as a general rule -- all it takes is one quick swap or URL redirect, and the hot new game you think you were downloading might actually install a piece of spyware on your phone. Or a copy of the game that actually works -- but spies on you in the background.

And once you turn on "Unknown Sources," you've generally gotta remember to turn it off again so future apps don't take advantage.

That's one of the reasons Android app developers generally don't fight the Google Play Store and the 30 percent fee that Google charges developers. That, and publicity -- Google can give premium apps a big boost.

But Fortnite doesn't need Google's publicity. Epic wants all the money. And honestly, Epic isn't entirely to blame if there are consequences.

Fragmentation

In a tweet today, Epic Games CEO Tim Sweeney told CNET that the "Unknown Sources" button isn't required if your phone is running the latest version of Android -- Android 8.0 "Oreo." 

That's good if true -- for those users on Oreo, specifically, that sounds like a pretty reasonable ask. 

But by Google's last count, only 12.1 percent of Android users are on Oreo or above. 87 percent are not. 

That disparity is known as Android's fragmentation issue, and it's dogged the mobile operating system pretty much since the get-go -- no matter how much power you might think Google has over device partners and cellular carriers, it's never been able to convince or force them to update phones in a timely fashion. 

(Things have gotten a little better with security updates, and Google says it'll soon make OEMs sign those into their contracts, but one study found that manufacturers have lied about security updates, too.) 

To be clear, this isn't just Google's fault -- OEMs and carriers share responsibility for updates in Google's scheme -- and if Epic thinks Oreo is safer, why not limit the game to Oreo phones?

Because of fragmentation, up to 87 percent of Fortnite players on Android will have to do something slightly risky to download the game. Perhaps more of us will have Oreo by the time the game ships, though? 

An effective monopoly

The other good point Epic's Tim Sweeney raised: If companies like Epic can't release apps outside the official Google Play Store without users raising a stink about security, then Google effectively has a monopoly on the platform. 

If you think about it, there's not a lot of incentive for Google to improve device security for apps that come from outside the store. Why would they, when they stand to profit by getting their 30-percent cut? (Particularly since Apple charges the same.)

Epic doesn't want Google to have a monopoly, so it's betting (with your security at stake!) it can challenge the stigma of releasing apps outside the Play Store.

But Epic also argues that the price Google's monopoly charges is too high: "30 percent is disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service," Sweeney told TouchArcade

Mind you, Epic doesn't seem to be protesting Apple's monopoly and its identical 30-percent cut -- but Epic argues that there, it didn't have a choice. "If the question is 'Would you have done this on iOS if you could have?' the answer would be 'Yes,'" the company told CNET.

Google declined to comment.

Where Epic's arguments don't hold up

If you believe that Google backed Epic into this corner, then it makes sense that Google might share some small blame if users get hacked. But I don't think all of Sweeney's arguments make sense.

For instance, this one I tweeted about earlier:

Open platforms are an expression of freedom: the freedom of users to install the software they choose, and the freedom of developers to release software as they wish. With that freedom comes responsibility. You should look carefully at the source of software you're installing, and only install software from sources you trust.  

Kids play Fortnite. Kids aren't responsible, even if they're often more tech-savvy than adults. Kids nowadays seem to trust things they see on YouTube (yes I'm overgeneralizing), and YouTube has already pointed people to fake, malicious copies of Fortnite

That's also why I'm not convinced by arguments that other third-party app stores have done the same thing -- kids aren't champing at the bit to go download Amazon's Appstore. (I'd forgotten Amazon's Appstore still existed until I started writing this editorial.)

Here's another:

Most importantly, mobile operating systems increasingly provide robust, permissions-based security, enabling users to choose what each app is allowed to do: save files; access the microphone; access your contacts. In our view, this is the way all computer and smartphone platforms should provide security, rather than entrusting one monopoly app store as the arbiter of what software users are allowed to obtain.  

When was the last time you seriously looked at the permissions an app asks for? Much less a kid eager to score a copy of Fortnite to play with friends at school? Yes they play it at school. Particularly if they're already jumping through hoops like Unknown Sources.

Besides, how do you know that fake copy of Fortnite doesn't just want to use your microphone for the game's built-in voice chat, or your contacts for a matchmaking system? Google is indeed planning to keep apps from sneakily using your camera and mic -- but not till Android P. For now, app permissions are not sufficient security.

I also had this conversation with Sweeney on Twitter, but I wasn't quite convinced:

While I'm happy he took the time to reply, it doesn't sound to me like Epic will necessarily take "responsibility" if anything happens with a bad sideloaded app, or that it's working with partners on any specific ways to keep that from happening.

I think it'd be all too easy for them to pin any problems on user error -- if users even discover that they've contracted a malicious app at all. (Google's Play Protect may help with this, though.) 

Which is a shame, because I agree with Sweeney that Android could be a more open platform, and I'm curious to see if Fortnite batters down the door. I'm just worried that it's wishful thinking -- and that he's betting with chips he doesn't own.

Hilarious Fortnite memes

See all photos

First published Aug. 3, 5:52 p.m. PT. 
Update, Aug. 9, 1:44 p.m. PT: Adds that Samsung says Fortnite is now available via its own Game Center. 

Fortnite Season 5: What to know about the Worlds Collide update: The Fortnite you know and love has just gotten a ton of new changes to add more fun to the game.

Fortnite: The complete guide to the biggest battle royale game: Get the lowdown on Fortnite: Battle Royale, the video game being played by everyone from kids to celebrities.