Recently we learned that the Android version of Fortnite—which will most certainly be an immensely popular app—will be distributed outside of the Google Play store (out in Android Beta as of publish date). To install it, users will have to change settings on their devices to allow apps from unknown sources. Naturally, this presents security issues: users could install fake or malicious versions of Fortnite, and in general, allowing apps from random sources to run puts devices in a more vulnerable state.
This brings up a whole host of EMM, BYOD, and mobile security questions. Inspired by a recent discussion on LinkedIn, today I want to take a closer look at this issue. What if this became the new normal?
Our assumptions change
In our current world, we assume that apps from Google Play are generally safe and that apps from unknown sources (i.e., anything outside of Google Play) are risky. This is backed up by plenty of research from Google, mobile threat defense (MTD) vendors, and others. Also, in recent years (at least prior to Fortnite), most consumers haven’t had a huge incentive to go outside of the Play store, anyway. These assumptions are the basis for many organizations’ EMM and mobile security strategies.
Now, we can cite a lot of reasons why Fortnite for Android would be better off in Google Play. Besides better security and making EMM admin lives easier, Fortnite might get better visibility, as several people pointed out on that LinkedIn thread. For their part, Epic Games said the decision to go outside of Play was about openness and competition, but let’s get real—it’s more likely about the 30% Google would take on in-game purchases, which are a huge aspect of Fortnite.
Anyway, for the sake of argument, let’s just imagine that installing random Android apps from unknown sources becomes something that consumers (and thus enterprise end users) grow accustomed to, and that they expect to be able to do it on personalized devices (i.e., on BYOD or COPE devices). In this new world, a lot of our assumptions about EMM, BYOD, and mobile security will have to change.
Approaches to this new world
Our first instinct might be to just block apps from unknown sources, which is of course no problem on work-managed devices. For BYOD Android devices, the industry is rapidly heading towards Android Enterprise work profiles. By design, work profiles have very limited management rights on the personal side of the device, but apparently, this is one of the few rights that will be retained. (Incidentally, this feature is not available yet.)
But again, we’re talking about a hypothetical world where users expect to install random apps from unknown sources. If we block this practice, suddenly our BYOD and COPE policies become a notch more draconian. Another option would be to just take a MAM-only approach using secure versions of apps, but then we lose the great benefits of a work profile. Either way, it’s like EMM is going back in time.
If users are indeed installing random apps and potential malware, to what degree do work profiles keep our enterprise data secure? Surely they will protect against run-of-the-mill nuisances, like apps that try to steal contact data, but what about truly nasty malware like spyware or something that roots the device? Android has gained many protections against these types of threats, but things can still happen. For example, what happens to a work profile on a rooted device?
This is where device attestation and MTD come into play. The device policy controller inside the work profile (i.e., the EMM agent) could do a device integrity check, and so could an MTD app. If the device becomes rooted or otherwise compromised, IT could enforce mitigation policies such as wiping the work profile.
(This is a pretty interesting question, though—we’ll have to talk to some Android security researchers about what attacks are likely to happen against work profiles.)
Short of the whole device becoming compromised, what about other types of malware on the personal side? The whole point of a work profile is that it keeps the personal side of a phone private; but also, we don’t want our users running around with malware. For example, if it’s a COPE device, we don’t want a premium SMS scam running up our corporate phone bills.
So first off, Google Play Protect should already be present and providing an initial layer of protection. To go beyond that, we’d have to install a separate MTD app outside the work profile. For BYOD, this MTD would likely be running in a consumer-oriented deployment model—i.e., the MTD app should notify the user about any malware it finds, but it shouldn’t be reporting a list of personal apps back to the enterprise, and enterprise admins won’t have to be in the business of deciding what consumer apps to whitelist or anything like that.
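A sketch of that reporting split, as an added example that is not from the original article: it parses constructed sample output in the format of `adb shell pm list packages -3 -i`, flags third-party apps whose installer of record is not Google Play, and builds a full list for the user but only a count for the enterprise. The function names, the trusted-installer set, the `compliant` rule and the sample package names are assumptions.

```python
import re

# Assumption: only Google Play counts as a trusted installer of record.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the format printed by `adb shell pm list packages -3 -i`.
# The package names are made up for illustration.
SAMPLE_OUTPUT = """\
package:com.example.mail  installer=com.android.vending
package:com.example.game.launcher  installer=com.google.android.packageinstaller
package:com.example.flashlight  installer=null
package:com.example.notes  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_packages(text):
    """Return {package: installer or None} for every well-formed line."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything unexpected
        name, installer = match.groups()
        packages[name] = None if installer == "null" else installer
    return packages


def sideloaded(packages):
    """Packages whose installer of record is missing or not trusted."""
    return sorted(p for p, i in packages.items() if i not in TRUSTED_INSTALLERS)


def user_report(packages):
    """Shown on the device only: the user sees exactly which apps were flagged."""
    return [f"{p} was not installed from Google Play" for p in sideloaded(packages)]


def enterprise_report(packages):
    """Sent to the EMM console: posture only, no personal package names.
    Assumption: any non-Play app makes the device non-compliant."""
    count = len(sideloaded(packages))
    return {"non_play_apps": count, "compliant": count == 0}


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_OUTPUT)
    print("\n".join(user_report(pkgs)))
    print(enterprise_report(pkgs))
```
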
One last note: Android 8 Oreo refined the unknown sources approval process, though it’s still not as granular as it could be. Basically, in Android 8 and later, unknown source approval is scoped so that users can give specific apps permission to install and sideload other apps. But this still leaves the door wide open—for example, you could whitelist Chrome, and then it could install any other apps from random websites. What we really need are full per-publisher or per-app permissions (which some devices apparently do already).
Fortnite for Android is yet another example of how security principles we rely on can be compromised for economic reasons. This particular event may fade from the news and pass without incident, but we should be thinking about what might happen if the personal side of BYOD and COPE devices turns into a security threat.
What do we do? I’m not sure yet. If you have or are thinking about putting any policies in place around Fortnite and other non-Google Play apps, let us know what you’re doing in the comments below.