Epic Games is riding high on the success of Fortnite, which is available on desktop, game consoles, and even mobile devices. The company took the unusual step of skipping the Play Store for Android distribution, which brings the potential for security issues. Sure enough, the first version of Fortnite on Android contained a bug that could have allowed malware to sneak onto your phone. Rather than accept the responsibility for making a mistake, an Epic founder Tim Sweeney says Google was “irresponsible” to release the bug details after it was fixed.
Because Epic Games decided to distribute the game with device restrictions via its own website, installing Fortnite on Android is a two-step process. You have to download the installer APK and grant it permission on your phone (this by itself is a security risk). Then, the installer verifies your phone is supported and downloads the actual game.
According to a Google bug report from earlier this month, the first version of the installer had a vulnerability that other apps could exploit to install anything they wanted. This is a version of the “man in the disk” attack recently uncovered in some other apps. Epic Games worked quickly to deploy a fix, and after confirming, Google disclosed the details of the bug via the public issue tracker. That’s par for the course with open source projects like Android.
However, Tim Sweeny has taken to Twitter to object to the way Google handled the situation. He contends Google disclosed the bug too quickly in order to score PR points. The implication is that Google is upset about not having Fortnite in the Play Store, which deprives it of the usual 30 percent cut of in-app purchases. Sweeny says Google should have waited until the patch was more widely distributed.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.
The only irresponsible thing here is Google’s rapid public release of technical details.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
There are several things wrong with this line of reasoning. First, it’s not normal to hold bug reports for an arbitrary length of time after a fix. Android is open source, and this is just the way it works. The idea that Google’s dev team is being used by PR or executives to embarrass Epic Games is also rather silly. If Google really wanted to embarrass Epic at the expense of its users, it could have ignored the bug and waited for it to blow up in Epic’s face.
Sweeney is most likely worried because the company didn’t build a mechanism to get users to update their installer client. This is the sort of thing companies need to think about when distributing apps outside the Play Store. For most, it’s not worth the hassle. Epic made its bed, though, and now it has to lie in it.