Over the last few months, Epic Games released their Android port of Fortnite in a manner that is very unusual for a mobile-platform app. Here, they released this port of the hit game as an APK software package file that is downloaded from their Website and installed on the user’s Android device as if you are installing a program on a regular Windows or MacOS computer. This allows them to maintain control over the sale of game additions and similar merchandise without having to pay Google a cut of their turnover. Or it could allow them to maintain control over the software’s availability such as issue beta or pre-release versions of software or simply offer high-demanding software like action games to devices known to perform at their best with the software.
The Android platform has a default setting of disallowing software installations unless they come from the Google Play Store or the device manufacturer’s app store. This is a software-security setting to prevent the installation of software that has questionable intent on your Android device. But the “regular” computer platforms have implemented other approaches to allow secure installation of software thanks to their heritage of being able to install software delivered on package media or from download resources like the software developer’s Website or a download site. It also caters towards the role that regular computers play in the course of business computing where line-of-business software is being installed on these systems by value-added resellers and solutions providers.
This question will become more real as the Android platform is taken beyond mobile devices and towards the smart TV like with NVIDIA Shield or recent Sony smart TVs. It could also appeal towards other “smart devices” like network printers that are based on the Android software codebase where there is a desire to add functionality through an app store.
Recent efforts that Microsoft, Apple and the open-source community have taken to protect our regular computers against include software-authenticity certification, least-privilege execution, sandboxing and integrated malware detection. In some cases, there is the ability for users to remove software-authenticity certificates from their regular computer in case questionable software was deployed as highlighted with the Lenovo Superfish incident.
Similarly, these operating system vendors and many third parties have developed endpoint-security software to protect these computers against malware and other security threats.
Google even introduced the Google Play Protect software to the Android platform to offer the same kind of “installed malware” detection that Windows Defender offers for the Windows platform and Xprotect offers on the MacOS platform. Samsung even implements Knox as an endpoint-protection program on their Android devices.
Android does maintain its own app store in the form of the Google Play Store but allows device manufacturers and, in some cases, mobile-phone service providers to create their own app store, payment infrastructure and similar arrangements. But it is difficult for a third-party software developer to supply apps independent of these app stores including creating their own app store. This is more so for app developers who want to sell their software or engage in further commerce like selling in-game microcurrency without having to pay Google or others a cut of the proceeds for the privilege of using that storefront.
Android users can install apps from other sources but they have to go in to their phone’s settings and enable the “install unknown apps” or a similar option for them to install apps from sources other than the Google Play Store or their OEM’s / carrier’s app store.
What could be done for the Android platform could be to support authenticated software deployment that uses the same techniques as Microsoft and Apple with their desktop and server operating systems. It can also be augmented with the creation of authenticated app-stores to allow software developers, mobile carriers, business solutions providers and the like to implement their own app stores on the Android platform. The authentication platform would also require the ability for end-users to remove trusted-developer certificates or for certificate authorities to revoke these certificates.
It could allow for someone like, for example, Valve or GOG to operate a “Steam-like” storefront which is focused towards gaming. Or an app developer like Microsoft could use their own storefront to sell their own software like the Office desktop-productivity suite. Then there are people courting the business segment who want to offer a hand-curated collection of business-focused apps including line-of-business software.
But there would have to be some industry-level oversight regarding certified apps and app stores to make it hard for questionable software to be delivered to the Android ecosystem, This also would include app stores having to make sure that their payment mechanisms aren’t a breeding ground for fraud in its various forms.
There will be the common question that will crop up regarding alternative app stores and developer-controlled or third-party-controlled app-level certification is the ability to purvey apps that have socially-questionable purposes like gambling or pornography. Here, the Android ecosystem will have to have the ability to allow end-users to regulate the provenance of the software installed on these devices.
At least the Fortnite software-distribution conversation is raising questions about how software is delivered to the Android mobile-computing platform and whether this platform is really open-frame.