Fortnite is risking user security in bypassing Google Play Store

Fortnite is a massively popular third-person shooter game, and its highly anticipated Android version is coming soon. However, the launch has a caveat: Fortnite won't be available on the Google Play Store. Instead, users will have to download it directly from the game's website.

Tim Sweeney, CEO of Fortnite maker Epic Games, told The Verge the company wants to have a "direct relationship" with customers by cutting out the middleman, Google, and in this case also cutting out Google's 30% cut on in-app purchases. But the move could also mean users will have a more direct relationship with malware developers.

Bypassing the Play Store also means bypassing its built-in security protections while conditioning people to feel comfortable with downloading apps and services directly from the web. The Google Play Store isn't totally malware-free, of course, but protections like Google Play Protect and regular application security audits mean users who get apps from trusted developers directly from Google's marketplace are better protected than those who install third-party apps outside Google's official store.

To install a third-party app from a website outside of Google Play (a method called "sideloading"), users must allow apps from unknown sources by modifying the device's security settings. This will let you download Fortnite, but it also makes it easier for illegitimate developers to get you to download malicious content. We've already seen how bad actors will take advantage of Fortnite's move to Android: when the company announced its Android app would be available this summer, Fortnite scams and malicious downloads began popping up on YouTube and around the web to make money off unsuspecting users looking for the game's mobile version.

The move is somewhat understandable from a business perspective. Fortnite hit $1 billion in revenue from in-app purchases last month, and the company doesn't want to split the check with Google. (Apple also takes a chunk of apps' revenue; however, the company makes it virtually impossible for iOS users to legitimately download apps from anything but the iOS App Store.)

But from a customer perspective, it sucks. Security experts, tech companies, and app developers all agree it's best practice to only download apps from trusted developers, and only from legitimate app stores. By shirking these practices, Epic Games is normalizing behavior that can lead to kids' phones getting hacked.

For instance, hackers could masquerade as legit Fortnite representatives or gamers and trick people into downloading malware. This method of phishing Android users to install bad apps and spyware has been used by state-backed adversaries and average bad actors alike.

Sweeney appears to have a lot of faith in Fortnite users fully understanding proper Android security hygiene. That includes remembering to turn off installs from unknown sources once they've got the game (unless they're running Android Oreo, which asks for this permission app by app), and being able to tell malicious applications apart from the legitimate Fortnite app in the first place.

By avoiding the Google Play Store, it appears Epic Games is putting profit ahead of the privacy and security risks to its users. When it does so, its players lose.

Update: A previous version of this post misstated Fortnite's revenue. My bad, thanks Jordan!