Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Epic games CEO calls Google “irresponsible” for disclosing the security flaw in Fortnite Android Installer before patch was ready

Save for later
  • 4 min read
  • 28 Aug 2018

article-image

Epic Games CEO, Tim Sweeney has accused Google of being “irresponsible” for disclosing a major security flaw in the Fortnite Android Installer to the public eye before patch of this game was widely available.

After the Fortnite installer went live, Google security engineers pointed out a security bug. This showed that installing the file (with .apk extension) shared by Epic Games, enabled the hackers to push malicious apps that could take over a user’s device. To make things even worse, the .apk file shared by Epic Games is the first step to follow while installing the Fortnite game.

As mentioned in the Google thread, “Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK”.

Epic was quick to respond to this and took appropriate action to secure the newer Android devices from being vulnerable to the attacks. Additionally, Epic had asked Google for 90 days before making the security issue public as it would provide users with enough time to update the installers. However, last Friday, Google released a thread titled “Fortnite Installer downloads are vulnerable to hijacking” that talks about the vulnerability issues in the installer, clearly not granting Epic the requested 90 days. Google proceeded to “unrestrict the issue in line with Google’s standard disclosure practices”.

Google spokesperson said that “User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue”.

Epic games didn’t appreciate the move, and its CEO Tim Sweeney released a statement saying how “Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.”

Sweeney also took to Twitter to express his disapproval regarding the situation.

https://twitter.com/TimSweeneyEpic/status/1033225118405804032

https://twitter.com/TimSweeneyEpic/status/1034117758332661760

He even went ahead to say that this was Google’s attempt to “score cheap PR points” against Epic as they decided to release Fortnite via their own website instead of Google Play Store. This would have left Google out of the 30% cut it would’ve received with in-app purchases made on Fortnite Android.

“Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play” as mentioned on the Fortnite blog.

https://twitter.com/TimSweeneyEpic/status/1033226094357504000

This is not the first time that Google has been criticized, Microsoft also accused it of disclosing its vulnerabilities before patches were made widely available.

Now, whether this was really a PR move by Google against Epic cannot be verified. Epic games have now come out with a 2FA or two-factor authentication to “ help protect user accounts from unauthorized access by requiring them to enter an additional code when they sign in”.


Google’s incognito location tracking scandal could be the first real test of GDPR

1k+ Google employees frustrated with continued betrayal, protest against Censored Search engine project for China

Google gives Artificial Intelligence full control over cooling its data centers

 

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime