When we told you that everything would be OK with Fortnite distribution happening through Epic Games, outside of Google Play, we did so because we operated under the assumption that Epic Games would take care of their users. We assumed that if you picked-up Fortnite directly from Epic and not some other shady 3rd party app site, you’d be fine. And that idea held up until the day Epic Games released Fortnite through an installer with a pretty major security issue that Google almost immediately discovered.
On August 15, Google opened a private issue at their Issue Tracker to point out to Epic Games that their installer app could be hijacked to install almost any other app because of the way the installer was downloading the APK file for Fortnite. Fortnite’s installer was originally just downloading the Fortnite APK to an external storage location rather than an internal location. By doing so, any app with a particular permission could replace the downloaded Fortnite APK and install in its place without the user knowing what had just happened. This is called a Man-in-the-Disk Attack and you can read more about it here.
To fix the issue, Google recommended that Epic change that storage location to internal. Within minutes of being notified at Google’s Issue Tracker, Epic Games responded, acknowledged the issue and said that they were “working around the clock to fix it.” They did just that and issued an update to users.
At that point, Epic asked Google to hold off from disclosing the vulnerability for 90 days in order to let their users update their devices with the fixed installer. Google made the issue tracker thread public on the 7th day after Epic told them that the issue had been fixed. Again, Epic asked for 90 days and Google went with 7 as that was “in line with Google’s standard disclosure practices.” That earlier-than-expected release sure pissed off Epic Games and they are now suggesting Google did this as a part of a “counter-PR” effort against Epic for not distributing Fortnite through Google Play.
Epic Games CEO Tim Sweeney had this to say:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
See, he’s really mad at Google.
Here’s my little un-interesting take. Maybe if you plan to shake the system, Epic Games, you shouldn’t f*ck up this badly out of the gate. Forget what Google just did. Remember, when you first acknowledged that you’d be releasing Fortnite directly to users, you said it was fine because your users were smart and knew how to get it legitimately. So they did that from you and yet you were the ones who ended up putting them at risk. Jesus.
I still think this distribution model is fine and not worth the freakout from some in the press, but this is not exactly a great start. If Epic wants people to believe they care about security and that this method of distribution won’t expose millions of people, maybe let’s worry less about what Google is doing and instead get your own product right.