Google warned Epic that doing so could potentially put Android users at greater security risk, but the game developer brushed it off, insisting on going it alone for several reasons — including not having to give Google a cut in-app revenue and “embracing open platforms.”
Well, now the worst has happened. Despite having no obligation to do so, Google recently discovered an exploit within the Fortnite installer app that allowed malicious apps installed on one’s Android phone to hijack the download process so that instead of downloading the game from Epic’s server, it could download and install something entirely different, which could potentially leave the device open to attacks.
Here’s a quick run-down of what happened:
Google first discovered the vulnerability inside of the Fortnite installer app on Aug. 15 and immediately notified Epic. Details for the exploit weren’t public yet. Within 48 hours, Epic patched the Fortnite installer and deployed it to all Android users who installed the app.
Here’s where things get a little ugly. Even though Epic quickly released a patch for the installer app, it asked Google not to disclose the details of the exploit until after 90 days. Not only would there be more time for users to update their installer apps, but hackers also wouldn’t be able to take advantage of the bug.
However, Google’s bug disclosure guidelines explicitly states the following:
“This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public.”
Despite Epic’s request for Google to wait the full 90 days before disclosing the exploit, Google abided by its own guidelines and shared the details.
Per a Google rep posting to an Issue Tracker thread on the bug report:
“…now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices”.
Naturally, the Fortnite developer wasn’t happy about Google’s decision at all. Epic provided Mashable the following comment from CEO Tim Sweeney:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Ultimately, who’s in the right and who’s in the wrong? Honestly, neither company is.
Google is right that Epic’s decision to not release Fortnite through the Play Store leaves the app more vulnerable. As my colleague, Mashable tech reporter Matt Binder, previously made clear: Android users need to disable certain Android security permissions in order to install Fortnite and there’s no guarantee they’ll remember to turn them back on after doing so.
Maybe Google really is chafing at the idea of not getting any revenue from the massively popular game (apps listed on Google Play pay a share of their sales to Google), as Sweeney implied. But the Android gatekeeper maintains that its speedy disclosure of the exploit was done in the name of user security.
Following Sweeney’s statement, Google had only this to say in response to Mashable’s request for comment: “User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.”
And it’s true, Google does have a responsibility to ensure that users are safe. Otherwise, third-party developers could give the entire platform an even worse reputation.
That said, if Google truly cares about protecting its users first and foremost, it should have been more flexible on its bug disclosure deadline so as to not tip off hackers so quickly. That’s why Epic asked for 90 days to begin with.
The disagreements between Google and Epic should not be overlooked. Google may wish to have nothing to do with Fortnite after being shunned by Epic Games, but their paths will inevitably cross because of the Android platform.
It’s possible Google will discover vulnerabilities in future versions of the Fortnite installerm or even other app installers from other companies that decide to follow in Epic’s footsteps and not offer their apps in the Play Store. Will Google have to monitor and perform security audits on all of those as well in order to protect Android users? Hard to say, but it’s sure gonna be interesting to watch from the sidelines.
If anyone’s laughing at this turn of events, it’s Apple. The company’s closed platform means all apps must be released through the App Store. By not allowing apps to be officially released in any other way, Apple has guarded itself against the issue Google’s now facing.
With additional reporting by Adam Rosenberg.