Epic Slams Google For Irresponsible Disclosure Of Active Fortnite Security Flaw
Make no mistake about it, Google could not have been happy with Epic Games for deciding to make its wildly popular battle royale shooter, Fortnite, available on Android devices only by sideloading it. By skipping the Play Store, Google is missing out on potentially tens of millions of dollars in revenue. As Google would point out, this also puts users at an added security risk. To drive the point home, Google disclosed a security vulnerability affecting Fortnite on Android, and Epic games is pretty ticked off about it.
The vulnerability resides in the Fortnite installer. It potentially allows the installation of any app on a user's phone, and if leveraged, a hacker would install anything they wanted in the background, including apps with full permissions.
"If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure," Google explains in an Issue Tracker.
After discovering the bug on August 15, Google notified Epic Games right away, for which the developer was appreciative. Epic Games pushed out a subsequent patch 48 hours later, and asked Google not to disclose the details so users would have time to protect themselves. However, Google didn't oblige.
Google states in its disclosure guidelines that it has a 90-day disclosure deadline. After 90 days, or when a patch is made broadly available, the bug report becomes visible to the public. Google can, however, wait the full 90 days even after a patch is released, if it chooses to do so. It did not.
"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable," Epic Games CEO Tim Sweeney told Mashable.
Sweeney went on to say that even though Epic Games appreciates Google's efforts, "a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."
In other words, Sweeney is basically saying that Google was vindictive in its security disclosure. We don't know if that is actually the case, though it certainly seems like Google could (and perhaps should) have waited a bit longer to disclose the bug, at the developer's request. By not doing so, it's hard to see how Google had the best interest of Android users in mind.
