Google has clapped back in grand fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted exactly zero time pointing out this egregious mistake.
By way of a brief explanation of why this was even happening, Epic explained when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.” Everyone of course understood that what Epic meant was that it didn’t want to share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.
Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.
Google, understandably, was not amused with Epic’s play, which no doubt played a part in the decision to scrutinize the download and installation process — though I’m sure the safety of its users was also a motivating factor. And wouldn’t you know it, they found a whopper right off the bat.
In a thread posted a week after the Fortnite downloader went live, a Google engineer by the name of Edward explained that the installer would basically allow an attacker to install anything they wanted using it.
The Fortnite installer basically downloads an APK (the package for Android apps), stores it locally, then launches it. But because it was stored on shared external storage, a bad guy could swap in a new file for it to launch, in what’s called a “man in the disk” attack.
And because the installer only checked that the name of the APK was right, as long as the attacker’s file was called “com.epicgames.fortnite,” it would be installed! Silently, and with lots of extra permissions too, if they want, because of how the unknown sources installation policies work. Not good!
Edward pointed out that this could be fixed easily and, in a magnificently low-key bit of shade-throwing, helpfully linked to a page on the Android developer site outlining the basic feature Epic should have used.
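A minimal model of the flaw described above, as an added example that is not Epic's or Google's code. The one-line "APK" format, the function names and the pinned SHA-256 digest (standing in for a real integrity check) are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

PACKAGE = "com.epicgames.fortnite"  # the only thing the flawed installer compared

def build_apk(package: str, payload: bytes) -> bytes:
    # Constructed stand-in for an APK: package-name line, then the payload.
    return package.encode() + b"\n" + payload

def name_only_check(path: str) -> bool:
    # Flawed check from the article: accept any file that claims the right name.
    with open(path, "rb") as fh:
        return fh.readline().rstrip(b"\n").decode() == PACKAGE

def load_verified(path: str, pinned_sha256: str):
    # Hardened check (assumption: digest delivered over a trusted channel).
    # Read once and return the verified bytes, so what is installed is exactly
    # what was checked and a later swap on disk cannot matter.
    with open(path, "rb") as fh:
        data = fh.read()
    return data if hashlib.sha256(data).hexdigest() == pinned_sha256 else None

def run_install(tampered: bool):
    genuine = build_apk(PACKAGE, b"genuine game build")
    pinned = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as shared:  # models shared external storage
        staged = os.path.join(shared, "download.apk")
        with open(staged, "wb") as fh:
            fh.write(genuine)
        if tampered:
            # Any app with storage access can rewrite the staged file
            # between download and install.
            with open(staged, "wb") as fh:
                fh.write(build_apk(PACKAGE, b"substituted build"))
        return name_only_check(staged), load_verified(staged, pinned) is not None

if __name__ == "__main__":
    print("untampered:", run_install(False))
    print("tampered:  ", run_install(True))
```

The name-only check passes in both runs, while the content check rejects the substituted file. Staging the download in app-private storage instead of a shared directory removes the opportunity for the swap in the first place.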
To Epic’s credit, its engineers jumped on the problem immediately and had a fix in the works by that very afternoon and deployed by the next one. Epic InfoSec then asked Google to wait 90 days before publishing the information.
As you can see, Google was not feeling generous. One week later (that’s today) and the flaw has been published on the Google Issue Tracker site in all its… well, not glory exactly. Really, the opposite of glory. This seems to have been Google’s way of warning any would-be Play Store mutineers that they would not be given gentle handling.
Epic Games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the way, predicted that this exact thing would happen — he took the company to task for its “irresponsible” decision to “endanger users.”
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
“However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
“An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
“Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Indeed, companies really should try not to endanger their users for selfish reasons.