2

There's been a load of kerfuffle about how Fortnite on Android saves APKs to external storage and how they can be overwritten before they are installed. (The press is awkwardly calling this a man-in-the-disk attack.)

I've heard from a couple of people that Amazon's Android app store also downloads APKs to external storage before installing them. Is it not vulnerable to the same attack?

Edit: To be clear I am talking about when you install the Amazon app store yourself on a normal Android device, not when it comes preloaded on a Kindle device. Obviously in that case they have complete control and can easily do things securely.

Timmmm
  • 121
  • 4

1 Answers1

1

Amazon Store app actually controls the download and installation process, so it doesn't expose exactly this vulnerability. Note that the Google Play Store does essentially the same. Protection of the temporary disk space where the APK is being downloaded, may be compromized by a hacker; but at least both stores don't rely on the end user to manually install the file. Samsung devices have access to Galaxy apps, but this is again controlled by a preinstalled system app.

This is a limitation to Fortnite's model: no app on Play Store may become an alternative installer of APKs. Therefore, at some point, to achieve independent installation, you must use the unsecure manual installation of a downloaded APK.

Alex Cohn
  • 823
  • 5
  • 7
  • 2
    Sorry, I'm talking about the Amazon App store running on normal Android devices, not Kindle devices. In that case it is installed by downloading [an APK](https://www.amazon.com/androidapp) and turning on Unknown Sources. It has exactly the same limitations as Fortnite. – Timmmm Sep 13 '18 at 12:09
  • Yes, you are right. – Alex Cohn Sep 14 '18 at 06:18