Epic Calls Google ‘Irresponsible’ for Disclosing Serious Security Flaw in Fortnite

Epic Games is riding high on the success of Fortnite, which is available on desktop, game consoles, and even mobile devices. The company took the unusual step of skipping the Play Store for Android distribution, which brings the potential for security issues. Sure enough, the first version of Fortnite on Android contained a bug that could have allowed malware to sneak onto your phone. Rather than accept responsibility for the mistake, Epic founder Tim Sweeney says Google was “irresponsible” to release the bug details after it was fixed.

Because Epic Games decided to distribute the game with device restrictions via its own website, installing Fortnite on Android is a two-step process. You have to download the installer APK and grant it permission on your phone (this by itself is a security risk). Then, the installer verifies your phone is supported and downloads the actual game.

According to a Google bug report from earlier this month, the first version of the installer had a vulnerability that other apps could exploit to install anything they wanted. This is a version of the “man in the disk” attack recently uncovered in some other apps. Epic Games worked quickly to deploy a fix, and after confirming, Google disclosed the details of the bug via the public issue tracker. That’s par for the course with open source projects like Android.

However, Tim Sweeney has taken to Twitter to object to the way Google handled the situation. He contends Google disclosed the bug too quickly in order to score PR points. The implication is that Google is upset about not having Fortnite in the Play Store, which deprives it of the usual 30 percent cut of in-app purchases. Sweeney says Google should have waited until the patch was more widely distributed.

Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.

The only irresponsible thing here is Google’s rapid public release of technical details.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

There are several things wrong with this line of reasoning. First, it’s not normal to hold bug reports for an arbitrary length of time after a fix. Android is open source, and this is just the way it works. The idea that Google’s dev team is being used by PR or executives to embarrass Epic Games is also rather silly. If Google really wanted to embarrass Epic at the expense of its users, it could have ignored the bug and waited for it to blow up in Epic’s face.

Sweeney is most likely worried because the company didn’t build a mechanism to get users to update their installer client. This is the sort of thing companies need to think about when distributing apps outside the Play Store. For most, it’s not worth the hassle. Epic made its bed, though, and now it has to lie in it.
