Epic Games earlier ditched the Google Play Store by launching the Fortnite Android Installer, and now Google has publicly disclosed a major flaw in the Fortnite installer app. Whether there is a connection between the two is not known, and we may never know Google’s real intent behind disclosing the flaw.
What was wrong with the Fortnite Android Installer?
Earlier this month, Epic started distributing the Android version of Fortnite outside the Play Store to avoid Google’s 30% revenue cut. The move meant more revenue for the developers, but came with its own inherent risks for Android users. To install Android apps from other sources, users need to disable default security settings.
Security experts also warned of the risks, saying not everyone will be attentive enough to turn the default security settings back on after each update. Now, it appears that those concerns were justified.
Even though the Play Store is not fully secure, it does have in place protections for the Android users. By allowing side-loading of the Fortnite Android Installer, Epic put users at risk of installing from unknown sources, something that is not recommended.
So, just days after Epic started distributing the Fortnite Android Installer, Google researchers disclosed a major issue on their Issue Tracker site. According to the researchers, the vulnerability in the Fortnite Android Installer could allow hackers to use malicious apps (already installed) to control the installation procedure and even install other malicious apps with extra permissions.
This type of attack is referred to as a Man-in-the-Disk (MitD) attack, and is possible only when Android apps store data on External Storage rather than Internal Storage (or system memory). Since the Fortnite Android installer only verifies the name of the APK, any file carrying the “com.epicgames.fortnite” name would get approved.
“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. … The Fortnite Installer will proceed to install the substituted (fake) APK,” the Google researcher warned.
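The gap between verification and installation that the researcher describes can be modelled offline. The following is an added example, not code from Epic, Google or this article: temporary directories stand in for external and internal storage, and the file name, sample bytes and function names are assumptions.

```python
import hashlib
import os
import tempfile

APK_NAME = "com.epicgames.fortnite.apk"  # file name is an assumption for this model


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_verify_install(staging_dir, downloaded, expected, other_app=lambda: None):
    """Model of the installer flow: download, verify, then install by path.

    other_app runs between verification and installation and stands in for
    any app that can write to shared storage. Returns the bytes that would
    actually be installed.
    """
    path = os.path.join(staging_dir, APK_NAME)
    with open(path, "wb") as f:
        f.write(downloaded)
    with open(path, "rb") as f:
        if fingerprint(f.read()) != expected:
            raise ValueError("fingerprint mismatch")
    other_app()                  # time-of-check / time-of-use gap
    with open(path, "rb") as f:  # the path is re-opened for the install step
        return f.read()


def run_model():
    genuine = b"genuine-apk-bytes (constructed sample)"
    substitute = b"substituted-apk-bytes (constructed sample)"
    expected = fingerprint(genuine)
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        def other_app():
            # Writes only where WRITE_EXTERNAL_STORAGE reaches: the shared dir.
            with open(os.path.join(shared, APK_NAME), "wb") as f:
                f.write(substitute)
        on_shared = stage_verify_install(shared, genuine, expected, other_app)
        on_private = stage_verify_install(private, genuine, expected, other_app)
    return {
        "shared_installs_genuine": on_shared == genuine,
        "private_installs_genuine": on_private == genuine,
    }


if __name__ == "__main__":
    print(run_model())
```

The fingerprint check passes in both runs; only the staging location decides whether the verified file is still the one that gets installed.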
Epic Games vs. Google
Even though the bug has now been fixed, Epic Games is not happy with the way Google disclosed the flaw and has questioned Google’s intent in revealing it. Google, which discovered the flaw on August 15, said that it immediately informed Epic, which then patched the issue within two days. Although the issue was patched, users still had to install the update to be protected.
To allow for this, Epic asked Google to wait for 90 days, which is the standard and also Google’s own policy, before publicly disclosing the flaw in the Fortnite Android Installer. The 90-day waiting period is meant to give app developers time to ensure that the issue has been fixed properly and that all users have updated their devices with the patch.
Despite this, the search giant made the issue public – on its Issue Tracker – just a week after the patch was issued. Expressing discontent over this, Epic boss Tim Sweeney released a statement, lambasting Google for being “irresponsible.” Sweeney said that Epic truly appreciated Google’s effort in sharing its in-depth security audit report on the Fortnite Android Installer.
Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
“However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable,” Sweeney said. Further, he said that a company as “powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Who’s to blame?
We believe that both parties must share the blame for being irresponsible. Epic can’t be blamed for bypassing the Play Store as it has every right to think about its revenue. But, since it chose to bypass Google (and also its security), it was Epic’s responsibility to ensure that all the plugs were in place and Android users were safe.
For Google, as Sweeney said, it should have acted more responsibly by following its own policy of the 90-day wait period. Google is a powerful organization and is seen as a trendsetter. But by breaching the industry norm, it has sent the wrong signal and tarnished its own image in an apparent attempt to damage Epic’s public image for ditching the Play Store route.