In response to the precedent being set with the distribution of the Fortnite for Android app outside of the Google Play story, two experts with OneSpan offer perspective on the potential implications for banks and others relying on mobile channels for consumer transactions, as well as potential next moves the industry could take in reaction.
Samuel Bakken, Senior Product Marketing Manager at OneSpan:
“Just months ago, fake Fortnite apps for Android were running rampant outside of Google Play, and it’s now confirmed that Epic will not distribute the Android version of its Fortnite app on the Google Play store but instead will force Android users to take the uncommon step of going straight to a website, downloading an “APK” file, and opening up Android’s permissions to approve the game’s install.
“It could be argued that Epic is asking users to compromise the security of their device by making this change in their settings.
“The impact on other industries will be felt. This affects banks because, one, they’d rather not have their users allowing for the sideloading of apps (which in some cases could be malware). This could also get users into the habit of downloading apps from unofficial sources. And that’s where spoofed, repackaged banking apps can be downloaded.
“We strongly recommend only downloading apps from official app stores, and unfortunately this explodes that notion. However, app shielding technologies can prevent attackers from injecting malicious code into an app and repackaging it for distribution in unofficial marketplaces or websites, and they are also context-aware so that if a user’s Android device is rooted or allows for sideloaded apps and is potentially infected with malware, the app itself is still protected.”
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“This move by Epic could usher in a change in policy of Android OS, where apps must be signed by an authority and signatures must be checked before launching. Alternatively, Google could lock the OS down to their approved stores and allow stores to apply for approval, and then lock the OS down to only approved stores.
“In similar situations, we’ve seen instances where individuals are essentially taking a paid app and repackaging it and then republishing it on the app store for a third of the price, and they are sneaking through Google’s checking. So if they move in this direction expect hundreds of apps all at different prices attempting to lure people into paying for them. In my estimation at least half of them will use droppers and there will be a massive outbreak in malware.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.