A few weeks ago, Epic announced that their incredibly popular Fortnite Battle Royale port on Android would be circumventing Google’s Play Store and posting their own installer. Unlike on iOS, Android app developers can simply post their own installer for download if they want and avoid giving Google a cut of their revenue, though that limits their theoretical reach, unless you’re the biggest game in the world.
Now both Google and Epic are clashing over that decision and the security vulnerabilities inherent to it.
While the Google Play Store has received criticism for poor quality control over things like clones, by and large Google claims responsibility over making sure apps don’t contain malicious code. When installers are separate, as Epic is doing with Fortnite, that safety net is gone, and you have to be sure both that what you’re downloading is the Fortnite APK and that the installer’s permissions don’t leave holes for anything else to sneak through.
With Epic currently enjoying a relationship with Samsung over Fortnite coming with Samsung’s line of new Galaxy phones, Google discovered that this actually led to a vulnerability. The APK was vulnerable to what has been dubbed a “man-in-the-disk” attack, in which other malicious programs come in at the point of installation. Ars Technica has a more technical breakdown, but basically the whole thing could be solved by using private internal storage.
Epic did exactly that in the very next update for the game, closing that particular vulnerability a day after Google filed the bug for the game. Per Google’s policy, when they discover a bug, they tell the app vendor (Epic) first, who has 90 days to fix it before Google releases it publicly. If the vendor fixes it before that, however, Google releases the information whenever they want. They aren’t bound to do so immediately, but certainly can.
In this case, Epic fixed it the day after it was found, but asked Google to still hold back the announcement of the vulnerability for the full 90 days. Google did not comply, which Epic’s Tim Sweeney called “irresponsible” when we asked for comment.
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered,” Sweeney said. “However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
“An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed,” Sweeney continued. “Google refused. You can read it all [here]. Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Both Google and Epic have strong vested interests in seeing this Google Play Store agnosticism succeed or fail. Google wants all app developers to work through the Google Play Store and give them a revenue share, especially for a game like Fortnite, which makes millions of dollars a day. Epic likely wants to prove that the Google Play Store is unnecessary and does not want to give up 30% to the Google Play Store, so the idea that it’s dangerous to download Fortnite on its own is bad PR for Epic.
This likely isn’t the last shot across the bow for either company, but it should be interesting to see where it goes next.