After circumventing the Google Play Store to post their own installer for Fortnite on Android, Epic Games is now in a bind with Google over the inherent vulnerabilities of that decision. Epic Games decided to cut out the Google Play Store to avoid having to give Google a portion of their revenue. While the Google Play Store isn’t perfect, Google does use the store as a way to ensure that apps don’t contain malicious code for Android users. So apps downloaded through separate installers don’t get that vetting from Google.
So every single device owner needs to be certain that they are not downloading a clone of the Fortnite APK, and that Epic has made sure the installer’s permissions are watertight. Otherwise, users might end up with some nasty viruses.
And while you might think Epic Games is capable of making an installer that’s void of obvious vulnerabilities, Google disagrees.
From Game Informer’s story on the situation:
With Epic currently enjoying a relationship with Samsung over Fortnite coming with Samsung’s line of new Galaxy phones, Google discovered that this actually led to a vulnerability. Dubbed a “man-in-the-disk” attack, the APK was vulnerable to other malicious programs coming in at the point of installation. ArsTechnica has a more technical breakdown, but basically the whole thing could be solved by using private internal storage.
Which Epic did in the very next update for the game, closing that particular vulnerability a day after Google filed the bug for the game. Per Google’s policy, when they discover a bug, they tell the app vendor (Epic) first, who has 90 days to fix it until Google releases it publicly. If the vendor fixes it before that, however, Google releases the information whenever they want. They aren’t bound to do so immediately, but certainly can.
In this case, Epic fixed it the day after being found, but asked Google to still hold back the announcement of the vulnerability for the full 90 days. Google did not comply, which Epic’s Tim Sweeney called “irresponsible” when we asked for comment.
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered,” Sweeney said. “However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
“An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed,” Sweeney continued. “Google refused. You can read it all [here]. Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Both Google and Epic have strong vested interests in seeing this Google Play Store agnosticism succeed or fail. Google wants all app developers to work through the Google Play Store and give Google a revenue share, especially a game like Fortnite which makes millions of dollars a day. Epic likely wants to prove that the Google Play Store is unnecessary and does not want to give up 30% to the Google Play Store, so the idea that it’s dangerous to download Fortnite on its own is bad PR for Epic.
While GI does point out the obvious biases of both companies in regard to the Fortnite Android app, it seems like no one is really going to be hurt by this but Fortnite Android players. Sure, Google is losing money from sales on the biggest game app ever, and Epic doesn’t want to lose even a small cut of their profits at the expense of their own program’s security, but no matter how this plays out, the ones paying in the end are the consumers. And that’s not great for anyone on our end of the deal.
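To make the fix in the Game Informer excerpt concrete (staging the downloaded APK in private internal storage rather than on shared external storage), here is an added illustration in Android Java. It is not Epic's code and not from the original post; the class name, file name and the idea of checking a server-published SHA-256 before install are assumptions for the example.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper for an out-of-store installer (illustration only, not Epic's code). */
public final class ApkStaging {
    // Vulnerable pattern: the APK is written to shared external storage. Any app holding
    // WRITE_EXTERNAL_STORAGE can read or replace that file between download and install,
    // which is the "man-in-the-disk" window described in the article.
    public static File stageOnSharedStorage(InputStream apk) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File out = new File(dir, "game.apk");
        copy(apk, out);
        return out;
    }
    // Hardened pattern: the APK goes to the app's private internal storage, which only this
    // app's UID can read or write, so no other installed app can tamper with it.
    public static File stageInPrivateStorage(Context ctx, InputStream apk) throws IOException {
        File out = new File(ctx.getFilesDir(), "game.apk");
        copy(apk, out);
        return out;
    }
    // Defence in depth: re-hash the staged file immediately before handing it to the package
    // installer. expectedSha256 is assumed to come from an authenticated channel (e.g. the
    // download server's TLS-protected manifest), not from the same storage as the APK.
    public static boolean matchesExpectedDigest(File apk, byte[] expectedSha256) throws IOException {
        try (InputStream in = new FileInputStream(apk)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
            return MessageDigest.isEqual(md.digest(), expectedSha256); // constant-time compare
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is always available on Android", e);
        }
    }
    private static void copy(InputStream in, File dst) throws IOException {
        try (FileOutputStream out = new FileOutputStream(dst)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        }
    }
}
```

The storage location is what actually closes the window; the digest check only catches a swapped file, so an installer that still stages on external storage remains exposed to a replacement timed between the check and the install.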