Epic Games is not happy that Google told us about a Fortnite for Android security flaw
Epic Games thinks the company should have waited longer before alerting users.
To make even more money on Fortnite, its developer, Epic Games, decided to sell the newly released Android version without the help of the Google Play Store. Instead, the game is only available by downloading Epic’s Fortnite launcher directly. That might be a problem, now that a security flaw has been discovered, according to Android Central.
According to Google, there was a severe vulnerability in the first installer for Android that allowed any app on your phone to download and install anything in the background. Yes, without the user’s knowledge. This type of attack is referred to as a man-in-the-disk attack.
What makes these types of vulnerabilities even worse is the fact the installer will download anything, but will not ask for permission from “unknown sources” because you already accepted that when downloading the installer. While it does require the user to have other apps that are looking for these types of vulnerabilities in the background, it is obviously a pressing issue, and one Google felt compelled to announce as soon as possible.
The company told Epic Games on Aug. 15 about the flaw, which has since been patched.
To remove the vulnerability, users just have to update the installer. The Fortnite Installer that brought the fix is version 2.1.0, which you can check by launching the Installer and going to its settings. If you aren’t on version 2.1.0, you’ll receive a prompt.
A Google spokesperson said:
User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.
Fortnite, which launched on iOS earlier this year, is the biggest mobile game of the year. By forgoing Google Play for the game’s delivery on Android devices, Epic Games denied Google its 30 percent cut of in-app revenues, which would potentially amount to quite a bit of money.
While Google seemed appreciative of Epic’s quick work on fixing this issue, the game maker had some unkind words for the creator of Android.
Epic Games provided the following comment from CEO Tim Sweeney:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
As Android Central rightly explains: “Google may have jumped the shark in Epic’s mind, but this course of action clearly followed Google’s policy for disclosure of 0day vulnerabilities.”
Perhaps Epic Games needs to rethink its decision and move Fortnite to Google Play. Why so defensive, Epic?
What do you think? Leave your comments below.
In other tech news, see: