Epic Games decided to skip Google’s Play Store for the release of Fortnite on Android. They did this primarily to avoid giving google a 30% cut of profits just for using their store. Many people wondered if this would be a security risk, given that the installer doesn’t go through the Google’s security checks.
It turns out these fears weren’t unfounded, and the Fortnite installer had a massive security flaw that could allow an attacker to install any software they wanted. The beautiful irony here is that the security flaw was discovered by Google. A Google engineer let Epic know of the flaw, which allowed for a “man in the disk” attack, where the installer would silently install any file matching Fortnite’s APK name, complete with all the permissions necessary to completely take over a system. That engineer also pointed Epic towards a link on the Android developer site that outlined a rudimentary fix that would have saved Epic the embarrassment.
Epic, to its credit, had a fix deployed and live the very next day, and issued a request to google to not publish the vulnerability until a 90-day window had expired. Google, however, decided to publish the information on Google Tracker anyway. According to Google, the disclosure timing is “90 days, or sooner if the vendor releases a fix.” As Epic had already released a fix, they felt it within their rights to publish the info.
Epic’s Tim Sweeney was not pleased, calling Google “irresponsible”
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.“
Of course, many security experts predicted this would happen, and it did…on the very first day of Fortnite’s Android release.
Last Updated: August 27, 2018
