Google has clapped back in great style at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted precisely zero time pointing out this egregious mistake.
By way of a short explanation of why this was even happening, Epic explained when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.” Everyone of course understood that what he meant was that Epic didn’t want to share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.
Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.
Google, understandably, was not amused with Epic’s play, which no doubt played a part in the decision to scrutinize the download and installation process — though I’m sure the safety of its users was also a motivating factor. And wouldn’t you know it, they found a whopper right off the bat.
In a thread posted a week after the Fortnite downloader went live, a Google engineer by the name of Edward explained that the installer basically would allow an attacker to install anything they want using it.
The Fortnite installer basically downloads an APK (the package for Android apps), stores it locally, then launches it. But because it was stored on shared external storage, a bad guy could swap in a new file for it to launch, in what’s called a “man in the disk” attack.
And because the installer only checked that the name of the APK is right, as long as the attacker’s file is called “com.epicgames.fortnite,” it would be installed! Silently, and with lots of extra permissions too, if they want, because of how the unknown sources installation policies work. Not good!
Edward pointed out this could be fixed easily and, in a magnificently low-key bit of shade-throwing, helpfully linked to a page on the Android developer website outlining the basic feature Epic should have used.
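The check-and-storage problem described above, modelled in plain Python as an added example (not Epic's or Google's code, and not Android API code): a name-only check accepts a file replaced after download, while hashing the bytes once and installing only those verified bytes does not. The pinned digest, the stand-in file contents and the function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

APK_NAME = "com.epicgames.fortnite"  # the name the article says was checked
GENUINE = b"constructed stand-in for the genuine APK bytes"
SWAPPED = b"constructed stand-in for a file another app wrote"
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # assumption: shipped with the installer


def name_only_check(path):
    """Model of the flawed check: only the name is inspected."""
    return os.path.basename(path) == APK_NAME


def verified_read(path, pinned_sha256):
    """Read once, hash those bytes, and return them only if they match the pin.

    Installing from the returned bytes rather than re-opening the path leaves
    no gap between the check and the use.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        raise ValueError("APK digest mismatch, refusing to install")
    return data


def run_demo():
    """Return which checks accept a file replaced after download."""
    out = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        shared_path = os.path.join(shared, APK_NAME)
        with open(shared_path, "wb") as fh:  # installer finishes its download
            fh.write(GENUINE)
        with open(shared_path, "wb") as fh:  # another app with storage access overwrites it
            fh.write(SWAPPED)
        out["name_check_accepts_swap"] = name_only_check(shared_path)
        try:
            verified_read(shared_path, PINNED_SHA256)
            out["digest_check_accepts_swap"] = True
        except ValueError:
            out["digest_check_accepts_swap"] = False
        # App-private location (assumption): created exclusively, owner-only access.
        private_path = os.path.join(private, APK_NAME)
        fd = os.open(private_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(GENUINE)
        out["private_copy_installs"] = verified_read(private_path, PINNED_SHA256) == GENUINE
    return out
```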
To Epic’s credit, its engineers jumped on the problem immediately and had a fix in the works by that very afternoon and deployed by the next one. Epic InfoSec then asked Google to wait 90 days before publishing the information.
As you can see, Google was not feeling generous. One week later (that’s today) and the flaw has been published on the Google Issue Tracker site in all its… well, not glory exactly. Really, the opposite of glory. This seems to have been Google’s way of warning any would-be Play Store mutineers that they would not be given gentle handling.
Epic Games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the way, predicted that this exact thing would happen — he took the company to task for its “irresponsible” decision to “endanger users.”
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our launch on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
Indeed, companies really should try not to endanger their users for selfish reasons.