Epic Games slams Google for sharing Fortnite Android app exploit info
Google essentially got slapped in the face when Epic Games, the developer of the super popular Fortnite, decided not to make the game available through the Play Store, but via its own app.
Google warned Epic that doing so could potentially put Android users at greater security risk, but the game developer brushed it off, insisting on going it alone for several reasons -- including not having to give Google a cut in-app revenue and "embracing open platforms."
Well, now the worst has happened. Despite having no obligation to do so, Google recently discovered an exploit within the Fortniteinstaller app that allowed malicious apps installed on one's Android phone to hijack the download process so that instead of downloading the game from Epic's server, it could download and install something entirely different, which could potentially leave the device open to attacks.
SEE ALSO:What You Should Know About 'Fortnite' AddictionHere's a quick run-down of what happened:
Google first discovered the vulnerability inside of the Fortniteinstaller app on Aug. 15 and immediately notified Epic. Details for the exploit weren't public yet. Within 48 hours, Epic patched the Fortniteinstaller and deployed it to all Android users who installed the app.
Here's where things get a little ugly. Even though Epic quickly released a patch for the installer app, it asked Google not to disclose the details of the exploit until after 90 days. Not only would there be more time for users to update their installer apps, but hackers also wouldn't be able to take advantage of the bug.
However, Google's bug disclosure guidelines explicitly states the following:
"This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report - including any comments and attachments - will become visible to the public."
Despite Epic's request for Google to wait the full 90 days before disclosing the exploit, Google abided by its own guidelines and shared the details.
Per a Google rep posting to an Issue Tracker thread on the bug report:
"...now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices".
Naturally, the Fortnitedeveloper wasn't happy about Google's decision at all. Epic provided Mashable the following comment from CEO Tim Sweeney:
"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortniteimmediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."
Ultimately, who's in the right and who's in the wrong? Honestly, neither company is.
Google is right that Epic's decision to not release Fortnite through the Play Store leaves the app more vulnerable. As my colleague, Mashable tech reporter Matt Binder, previously made clear: Android users need to disable certain Android security permissions in order to install Fortnite and there's no guarantee they'll remember to turn them back on after doing so.
Maybe Google really is upset at the idea of not getting any revenue from the massively popular game (apps listed on Google Play pay a share of their sales to Google), as Sweeney implied. But the Android gatekeeper maintains that its speedy disclosure of the exploit was done in the name of user security.
Following Sweeney's statement, Google had only this to say in response to Mashable's request for comment: "User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortniteinstaller. We immediately notified Epic Games and they fixed the issue."
And it's true, Google does have a responsibility to ensure that users are safe. Otherwise, third-party developers could give the entire platform an even worse reputation.
That said, if Google truly cares about protecting its users first and foremost, it should have been more flexible on its bug disclosure deadline so as to nottip off hackers so quickly. That's why Epic asked for 90 days to begin with.
The disagreements between Google and Epic should not be overlooked. Google may wish to have nothing to do with Fortniteafter being shunned by Epic Games, but their paths will inevitably cross because of the Android platform.
It's possible Google will discover vulnerabilities in future versions of the Fortniteinstallerm or even other app installers from other companies that decide to follow in Epic's footsteps and not offer their apps in the Play Store. Will Google have to monitor and perform security audits on all of those as well in order to protect Android users? Hard to say, but it's sure gonna be interesting to watch from the sidelines.
If anyone's laughing at this turn of events, it's Apple. The company's closed platform means all apps mustbe released through the App Store. By not allowing apps to be officially released in any other way, Apple has guarded itself against the issue Google's now facing.
With additional reporting by Adam Rosenberg.
Featured Video For You
Is the Samsung Galaxy Note 9 worth $1,000?
(责任编辑:产品中心)
- How to unblock Xnxx for free
- Copa final was dream farewell says Di Maria
- US think tank identifies North Korea base likely intended for ICBMs
- 全省唯一!从化区一企业入选全国现代设施畜牧养殖典型案例
- Pragmocracy Now
- 阳江村K开麦,阳西3人晋级!
- Equifax hack reminds everyone how much they hate credit agencies
- 每年服务超100万人次!业内首创分子检测应用,这家公司要打造水产业最完善保障体系
- US calls for emergency UN Security Council meeting on North Korea: diplomats
- 采购商+48,英德红茶在泉城济南蹭蹭涨粉
- 雅安市融资企业联合会举办迎新春联欢活动
- Enjoying “last battles” for Argentina: Messi
- Google Doodle honours Australia's only Nobel Prize winner in chemistry
-
PRE-ORDER NOW: The new Google Nest Learning Thermostat (4th gen) is now available for preorder at Am ...[详细]
-
The stark difference between Hurricanes Andrew and Irma
At first glance, you might think that Hurricane Irma, which is forecast to hit Florida as a Category ...[详细] -
Influit moves to commercialize its ultra
Illinois Tech spinoff Influit Energy says it's coming out of stealth mode to commercialize a recharg ...[详细] -
Power and glory as Rybakina eyes Wimbledon final
LONDON:Elena Rybakina can move closer to a second Wimbledon title on Thursday when she faces Barbora ...[详细] -
Where to pre-order the Pixel 9 and Pixel 9 ProGoogleGoogle Pixel 9Starting at $799 (plus get a free ...[详细]
-
South Korea, US, Japan show unity against North Korea's provocation
U.S. Secretary of State Antony Blinken, center, and South Korean Foreign Minister Chung Eui-yong rea ...[详细] -
This guy went to an 'IT' screening and got a horrible, horrible surprise
If you've plucked up the courage to go and see the new ITadaptation, you'll probably want to be surr ...[详细] -
Seoul expresses 'strong regret' over Pyongyang's continued missile launches
People at Seoul Station, Monday, watch TV footage of a North Korean missile launch. North Korea fire ...[详细] -
Travel Back in Time and Uncover Old
Oozing with Old-World charm, Boston’s Beacon Hill is a time-traveler’s dream. Stay in a hotel that o ...[详细] -
Copa final was dream farewell says Di Maria
MIAMI:Argentina winger Angel Di Maria said Sunday's Copa America triumph over Colombia was the p ...[详细]