informa
/
Mobile
News

Google spots security vulnerability in Epic-hosted Fortnite Android installer

Google flagged a significant security vulnerability in the Fortnite Android installer released earlier this month, though the issue has since been fixed in the current version of the installer.

Fortnite’s recent Android release made headlines for skipping the Google Play Store and instead launching through an installer downloaded from Epic’s website, but it now looks like a significant security issue was present in the early days of that installer’s release.

As spotted by Android Central, Google flagged a significant security vulnerability in the Fortnite Android Installer released earlier this month, though the company notably first disclosed the issue to Epic and ensured the vulnerability was fixed before publicly detailing the flaw.

The issue itself came from the first version of the Fortnite Installer that would-be players must first download from Epic Games website to get the Fortnite app itself to their devices.

That APK came with a specific permission that opened it up to being easily hijacked by other applications seeking to download files to an Android device without the owner’s knowledge or permission. As Android Central explains, this specific vulnerability opens Android users up to a “man-in-the-disk” attack where an app already installed on their phone keeps an eye on requests from other apps on the device, and uses that flaw in apps like Epic’s Fortnite installer to smuggle its own malicious files onto the device. 

Google’s full breakdown of the issue can be found on the Issue Tracker page for the vulnerability itself, along with the exchange between Google and Epic about the flaw itself.  In that exchange, Epic notably requested that Google refrain from publishing the vulnerability publicly for 90 days to give its users time to patch their devices. However, while Google’s policies allow for 90 days for the developer to respond and pursue a fix before publicly revealing the error, a Google rep noted that it is standard procedure for the company to disclose the issue 7 days after it had been patched out of the offending app and posted the notice despite Epic’s request. 

Epic CEO Tim Sweeney criticized that very policy in a statement given to Android Central, saying that, while Epic appreciated the security assist from Google, it was “irresponsible” of the company to disclose the flaw so soon and accused Google of using the vulnerability as fuel in a PR war.

“Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable,” said Sweeney.” An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused.”

“Google's security analysis efforts are appreciated and benefit the Android platform,” he continues. “However a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”

Latest Jobs

Sucker Punch Productions

Bellevue, Washington
08.27.21
Combat Designer

Xbox Graphics

Redmond, Washington
08.27.21
Senior Software Engineer: GPU Compilers

Insomniac Games

Burbank, California
08.27.21
Systems Designer

Deep Silver Volition

Champaign, Illinois
08.27.21
Senior Environment Artist
More Jobs   

CONNECT WITH US

Register for a
Subscribe to
Follow us

Game Developer Account

Game Developer Newsletter

@gamedevdotcom

Register for a

Game Developer Account

Gain full access to resources (events, white paper, webinars, reports, etc)
Single sign-on to all Informa products

Register
Subscribe to

Game Developer Newsletter

Get daily Game Developer top stories every morning straight into your inbox

Subscribe
Follow us

@gamedevdotcom

Follow us @gamedevdotcom to stay up-to-date with the latest news & insider information about events & more