Google has clapped again in super vogue at Epic Video games, which earlier this month determined to make the phenomenally standard Fortnite accessible for Android via its own website instead of Google’s Play Store. Sadly, the installer had a phenomenally harmful safety flaw in it that might enable a malicious actor to primarily set up any software program they needed. Google wasted precisely zero time mentioning this egregious mistake.
By the use of a brief reason this was even occurring, Epic defined when it introduced its plan that it could be good to have “competitors amongst software program sources on Android,” and that the very best would “succeed primarily based on advantage.” Everybody in fact understood that what he meant was that Epic didn’t wish to share the income from its money cow with Google, which takes 30 % of in-app purchases.
Many warned that this was a safety threat for a number of causes, for instance that customers must allow app installations from unknown sources — one thing most customers don’t have any motive to do. And the Play Retailer has different protections and options, seen and in any other case, which can be helpful for customers.
Google, understandably, was not amused with Epic’s play, which little question performed an element within the choice to scrutinize the obtain and set up course of — although I’m certain the protection of its customers was additionally a motivating issue. And wouldn’t you understand it, they discovered a whopper proper off the bat.
In a thread posted every week after the Fortnite downloader went stay, a Google engineer by the name of Edward explained that the installer mainly would enable an attacker to put in something they need utilizing it.
The Fortnite installer mainly downloads an APK (the package deal for Android apps), shops it domestically, then launches it. However as a result of it was saved on shared exterior storage, a nasty man may swap in a brand new file for it to launch, in what’s referred to as a “man within the disk” assault.
And since the installer solely checked that the identify of the APK is true, so long as the attacker’s file is named “com.epicgames.fortnite,” it could be put in! Silently, and with a number of additional permissions too, if they need, due to how the unknown sources set up insurance policies work. Not good!
Edward identified this could possibly be fastened simply and in a magnificently low-key little bit of shade-throwing helpfully linked to a web page on the Android developer web site outlining the fundamental characteristic Epic ought to have used.
To Epic’s credit score, its engineers jumped on the issue instantly and had a repair within the works by that very afternoon and deployed by the following one. Epic InfoSec then requested Google to attend 90 days earlier than publishing the knowledge.
As you’ll be able to see, Google was not feeling beneficiant. One week later (that’s at the moment) and the flaw has been revealed on the Google Subject Tracker web site in all its… effectively, not glory precisely. Actually, the alternative of glory. This appears to have been Google’s approach of warning any would-be Play Retailer mutineers that they’d not be given light dealing with.
Epic Video games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the best way, predicted that this actual factor would occur — he took the corporate to activity for its “irresponsible” choice to “endanger customers.”
Epic genuinely appreciated Google’s effort to carry out an in-depth safety audit of Fortnite instantly following our launch on Android, and share the outcomes with Epic so we may speedily concern an replace to repair the flaw they found.
Nonetheless, it was irresponsible of Google to publicly disclose the technical particulars of the flaw so rapidly, whereas many installations had not but been up to date and had been nonetheless weak.
An Epic safety engineer, at my urging, requested Google delay public disclosure for the everyday 90 days to permit time for the replace to be extra extensively put in. Google refused. You’ll be able to learn all of it at https://issuetracker.google.com/points/112630336
Google’s safety evaluation efforts are appreciated and profit the Android platform, nevertheless an organization as highly effective as Google ought to apply extra accountable disclosure timing than this, and never endanger customers in the midst of its counter-PR efforts towards Epic’s distribution of Fortnite exterior of Google Play.
Certainly, corporations actually ought to strive to not endanger their customers for egocentric causes.