The company behind Fortnite decided to distribute it’s game outside of the Google Play Store. While I neither like Google, the Play Store, Android nor Free-To-Play Games that finance themselves via in-app transactions, I would like to pick out the issue that bugs me here: (Presumably) Not being able to verify the security of the software you download outside of an (app) store.
I refuse to accept that the only way of ensuring malware-free software is to use an non-free store. (Which in case of Google additionally even belongs to an privacy-invasive corporation.) I think there is at least one better way, which I will go forward to describe here now.
The issue I see here is that if you download an App from any website, for a normal web user it’s not easy to verify if the app is legit because everything outside of the store is untrusted. While I think it’s right not to trust any random website, I think there should be a way to make an application that comes from outside the store trusted.
Simply put, I would like that it is possible that a trusted corporation or an trusted individual verifies that my application is legit and that is then being accepted as “trusted” outside the app store.
Now, the important bits here that need to be explained further are when a corporation or individual is trusted and when an application is legit.
For establishing the trust I would create an organization which purpose is to act as an trust anchor and would finance itself by membership fees. I would differentiate between two kinds of memberships, where the first one woulds like to trust and the other one wants to be trusted.
While there should be no barriers for members that would like to trust, the other members need to be verified that they can be trusted. The trust into organizations and individuals should be verified regularly.
Now, I as an application developer could look for an organization or individual that is trusted by that organization, go to them and they can verify the legitimacy of my application. This verification I now can use to prove my applications legitimacy.
But wait, isn’t that just code signing, with an open organization instead of the current CA model?
What I don’t know if Android has any certificate trust model outside of the Play Store. Looks like it does not.
So, is it a Platform problem of not providing any means to verify the authenticity of a package? I guess so.