Epic Calls Google ‘Irresponsible’ for Disclosing Serious Security Flaw in Fortnite
Epic Games is riding high on the success of Fortnite, which is available on desktop, game consoles, and even mobile devices. The company took the unusual step of skipping the Play Store for Android distribution, which brings the potential for security issues. Sure enough, the first version of Fortnite on Android contained a bug that could have allowed malware to sneak onto your phone. Rather than accept the responsibility for making a mistake, Epic founder Tim Sweeney says Google was “irresponsible” to release the bug details after it was fixed.
Because Epic Games decided to distribute the game with device restrictions via its own website, installing Fortnite on Android is a two-step process. You have to download the installer APK and grant it permission on your phone (this by itself is a security risk). Then, the installer verifies your phone is supported and downloads the actual game.
According to a Google bug report from earlier this month, the first version of the installer had a vulnerability that other apps could exploit to install anything they wanted. This is a version of the “man in the disk” attack recently uncovered in some other apps. Epic Games worked quickly to deploy a fix, and after confirming, Google disclosed the details of the bug via the public issue tracker. That’s par for the course with open source projects like Android.
However, Tim Sweeney has taken to Twitter to object to the way Google handled the situation. He contends Google disclosed the bug too quickly in order to score PR points. The implication is that Google is upset about not having Fortnite in the Play Store, which deprives it of the usual 30 percent cut of in-app purchases. Sweeney says Google should have waited until the patch was more widely distributed.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.
The only irresponsible thing here is Google’s rapid public release of technical details.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
There are several things wrong with this line of reasoning. First, it’s not normal to hold bug reports for an arbitrary length of time after a fix. Android is open source, and this is just the way it works. The idea that Google’s dev team is being used by PR or executives to embarrass Epic Games is also rather silly. If Google really wanted to embarrass Epic at the expense of its users, it could have ignored the bug and waited for it to blow up in Epic’s face.
Sweeney is most likely worried because the company didn’t build a mechanism to get users to update their installer client. This is the sort of thing companies need to think about when distributing apps outside the Play Store. For most, it’s not worth the hassle. Epic made its bed, though, and now it has to lie in it.