Epic Calls Google ‘Irresponsible’ for Disclosing Serious Security Flaw in Fortnite

Epic Games is riding high on the success of Fortnite, which is available on desktop, game consoles, and even mobile devices. The company took the unusual step of skipping the Play Store for Android distribution, which brings the potential for security issues. Sure enough, the first version of Fortnite on Android contained a bug that could have allowed malware to sneak onto your phone. Rather than accept the responsibility for making a mistake, Epic founder Tim Sweeney says Google was “irresponsible” to release the bug details after it was fixed.

Because Epic Games decided to distribute the game with device restrictions via its own website, installing Fortnite on Android is a two-step process. You have to download the installer APK and grant it permission on your phone (this by itself is a security risk). Then, the installer verifies your phone is supported and downloads the actual game.

According to a Google bug report from earlier this month, the first version of the installer had a vulnerability that other apps could exploit to install anything they wanted. This is a version of the “man in the disk” attack recently uncovered in some other apps. Epic Games worked quickly to deploy a fix, and after confirming, Google disclosed the details of the bug via the public issue tracker. That’s par for the course with open source projects like Android.

However, Tim Sweeney has taken to Twitter to object to the way Google handled the situation. He contends Google disclosed the bug too quickly in order to score PR points. The implication is that Google is upset about not having Fortnite in the Play Store, which deprives it of the usual 30 percent cut of in-app purchases. Sweeney says Google should have waited until the patch was more widely distributed.

Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.

The only irresponsible thing here is Google’s rapid public release of technical details.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

There are several things wrong with this line of reasoning. First, it’s not normal to hold bug reports for an arbitrary length of time after a fix. Android is open source, and this is just the way it works. The idea that Google’s dev team is being used by PR or executives to embarrass Epic Games is also rather silly. If Google really wanted to embarrass Epic at the expense of its users, it could have ignored the bug and waited for it to blow up in Epic’s face.

Sweeney is most likely worried because the company didn’t build a mechanism to get users to update their installer client. This is the sort of thing companies need to think about when distributing apps outside the Play Store. For most, it’s not worth the hassle. Epic made its bed, though, and now it has to lie in it.
