Looks like Google is a little upset Epic Games isn’t using the Google Play Store.
Epic Games chose to forgo the 30% cut that Google charges developers for selling applications and in-game purchases through the Google Play Store. Instead, they are offering their game Fortnite through their own site. Almost immediately we saw an influx of media stories claiming that this was a large security issue for users: that users would switch their phones to allow installs from outside the Google Play Store and then not remember to turn the setting back. We were told that the only safe applications were those found on the Google Play Store, not those offered by developers themselves. Everything seemed a little fishy. To me, this influx of articles felt like marketing from Google.
Now Google has done something it normally doesn’t do, aimed at Epic Games. Google employs security researchers who look for vulnerabilities in products, not just in Google’s own products or products that run on them, but in software throughout the industry. They alert vendors to security vulnerabilities so that the vendors can patch them, and allow them 90 days to do so before making the information public. This is a noble cause that has no doubt helped keep many people safe.
The reason for withholding the information is twofold. First, it gives the vendor time to create a patch and distribute it to users before the vulnerability becomes public. Once a vulnerability is public, users of the product are much more exposed to attack, because malicious actors now know of the flaw and can exploit it. Second, the 90-day limit puts pressure on vendors to patch the vulnerability before it becomes known. It’s a good system for all.
Google discovered a vulnerability in Epic Games’ Fortnite, the very game for which Epic bypassed the Google Play Store. The vulnerability allowed a “Man-in-the-Disk” attack: malware already on the phone can hijack the installation process of the vulnerable app and cause other malicious apps to be downloaded with extra permissions.
Epic Games patched the vulnerability within 48 hours of discovery, a fairly quick response, and made the update available to users. They also requested that Google allow them the normal 90-day timeframe before making it public, so that users would have time to install the patched, safe version. Google chose to forgo that and made the vulnerability public within 7 days.
Epic Games founder Tim Sweeney issued the following statement.
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
He also took to Twitter with this alarming message:
Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
So Google is monitoring installs of a game that they have no hand in on people’s devices? That’s frightening.
Google’s response was that the update was widely available, so apparently that means that Epic Games, and their users, do not warrant the same courtesy Google gives to everyone else.
This is not a good look, Google. Let’s hope you outgrow it.