The nay-sayers were right – releasing the Android version of the mega-successful game Fortnite in a way that bypassed Google’s Play Store was a security risk after all.
Publisher Epic Games opened invitations to download the beta version of Fortnite from its website on August 9. Just days later, a Google security researcher identified only as ‘Edward’ published news of a vulnerability in its installer that could make possible what has recently been dubbed the ‘Man-in-the-disk’ (MITD) attack.
This was bad for several reasons, the first being that anyone exploiting it could too easily substitute their malware for the Fortnite Android Package (APK) file on Samsung devices (the game’s exclusive launch partner), without the user being any the wiser.
An alarming possibility, of course, which is why Epic fixed the game by changing the downloader’s storage location from a public to a private area within a day of being told about it, on August 16.
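The storage change the paragraph above describes is the whole fix: an APK staged in shared external storage can be modified by any other app holding the external-storage write permission between download and install, whereas an app's private storage (or the platform installer's own staging area) cannot. The following is an added illustration written for this page against the public Android SDK; it is not Epic's installer code and nothing in the article shows what that code looked like. It assumes the caller supplies an HTTPS URL for the APK, the APK's expected SHA-256 digest obtained from the same authenticated source, and an `IntentSender` for install status callbacks (all hypothetical parameters), and that the app declares `REQUEST_INSTALL_PACKAGES` in its manifest on Android 8.0 and later.

```java
// Added illustration, not Epic's code: the two download-then-install patterns the
// article contrasts. Assumed inputs: an HTTPS URL, the expected SHA-256 (hex) of the
// APK from the same trusted source, and an IntentSender for install results.
import android.content.Context;
import android.content.Intent;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import android.net.Uri;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.HttpsURLConnection;

public class ApkFetcher {

    // BEFORE (man-in-the-disk exposed): the APK lands in the shared Downloads folder,
    // which any app holding WRITE_EXTERNAL_STORAGE can rewrite. The installer is then
    // pointed at whatever file is there at install time, not at what was downloaded.
    // (Pre-API-24 form of the install intent; later versions need a FileProvider,
    // but the exposure window is the same.)
    public static void downloadToPublicStorageThenInstall(Context ctx, String apkUrl)
            throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File apk = new File(dir, "game.apk");
        try (InputStream in = open(apkUrl); OutputStream out = new FileOutputStream(apk)) {
            copy(in, out, null);
        }
        // Window of exposure: from here until the user taps Install, the file is shared.
        Intent i = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(Uri.fromFile(apk), "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(i);
    }

    // AFTER: bytes go straight from the TLS connection into a PackageInstaller session,
    // which is staged in system-owned storage no other app can reach. The SHA-256 is
    // computed on the stream and the session is abandoned, never committed, on mismatch.
    public static void streamIntoInstallerSession(Context ctx, String apkUrl,
                                                   String expectedSha256Hex,
                                                   IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params =
                new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);
        PackageInstaller.Session session = installer.openSession(sessionId);
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (InputStream in = open(apkUrl);
             OutputStream out = session.openWrite("base.apk", 0, -1)) {
            copy(in, out, sha256);
            session.fsync(out);
        } catch (IOException e) {
            session.abandon();
            throw e;
        }
        if (!toHex(sha256.digest()).equalsIgnoreCase(expectedSha256Hex)) {
            session.abandon();  // discard the staged bytes; nothing is installed
            throw new IOException("APK digest mismatch; refusing to install");
        }
        session.commit(statusReceiver);  // the user still sees the normal install prompt
    }

    // Refuse plaintext HTTP: a TLS channel is what makes the expected digest trustworthy.
    private static InputStream open(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        if (!(c instanceof HttpsURLConnection)) {
            throw new IOException("refusing plaintext download of an APK");
        }
        return c.getInputStream();
    }

    private static void copy(InputStream in, OutputStream out, MessageDigest md)
            throws IOException {
        byte[] buf = new byte[64 * 1024];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
            if (md != null) md.update(buf, 0, n);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The second method removes the race entirely rather than narrowing it: there is no on-disk file for another app to find, and even a tampered response from the network is caught by the digest check before `commit()` hands anything to the system installer. Writing to `getFilesDir()` instead of the Downloads folder, which is what the article says Epic did, closes the same hole at the storage layer; the session approach additionally avoids giving the file any path at all.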
But Epic faced a second problem – Google said it would make the flaw public a week later, on August 23, as mandated by its famously tough disclosure policy.
Epic wasn’t happy, claiming this didn’t allow enough time for all of its Samsung launch and beta users to receive an update.
Tweeted Epic’s CEO and founder, Tim Sweeney, the day after Google made the flaw public:
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
Of course, if Epic had made Fortnite for Android available through the Play Store instead of offering it as a sideloaded app pointing at Epic’s servers, perhaps the vulnerability wouldn’t have existed in the first place.
Finding a flaw in a game looks bad enough but finding a gaping flaw in the software designed to download that game from outside the Play Store looks even worse, even if the flaw was easily fixed.
Fortnite users couldn’t care less where they get the Android app from, but Epic – and Google – do.
As was widely debated in the weeks leading up to the app’s release, hosting Fortnite for Android on Google Play would mean handing over as much as 30% of the proceeds for the privilege.
Given that Fortnite for Apple’s iOS has reportedly been making $27 million per month, hosting the APK on Epic’s servers looked like a great way to cut out the middleman.
Cynics will point out that Google’s Android business model depends in part at least on taking that cut, and losing the biggest games phenomenon of the moment to a direct download was never going to go down well.
However true that might be, sideloading comes with big risks, particularly on Android versions prior to 8.0 (Oreo), which still allow users to permit installs from ‘unknown sources’ globally rather than on an app-by-app basis.
Malicious apps can take advantage of this setting to get themselves installed, including completely fake Android Fortnite apps of the sort found circulating earlier this summer.
Whether Google’s decision to disclose the flaw after a week was justified or not, it’s hard to argue the case that Epic’s distribution model is good for the long-term security of its users.
Max
“We asked Epic to offer their game via the regular Google Play Store. They refused, creating an unnecessary risk for Android users in order to make more profits.” All a matter of perspective. They knew about the security risks beforehand, and they also knew about Google’s disclosure policy. So this is pretty much just a PR move to shift the blame.
Brandon
Ding ding ding. Google isn’t Apple.
Anonymous
When that “man in the disk” report first came out (basically, caching secure, trusted downloads temporarily on insecure, untrusted external storage where other apps can mess with them between the time they’re downloaded and deployed), weren’t several of Google’s apps on the vulnerable list? Would a “man in the disk” bug really have kept a vulnerable app out of the Play Store if Google wasn’t even looking for this flaw in its own software?
Mahhn
Alt headline: “Google exposes Epic fail in half a fortnite to bolster risky store.”
I’d have some respect for Google if they had emailed even one of the millions of people that downloaded the 700,000 apps they removed due to security issues last year.
Anonymous
Google created the risk? How about you not launching the app on the Play Store, which allowed this security to exist?
Anant
Google is to be commended in the way this was handled. They waited until a patch was available, and then made sure that users were aware that they were vulnerable as soon as possible so they could take the appropriate action to fix it.
It is sad that Epic feels it is better to keep users in the dark about a known vulnerability to their system.
ther0nin
So Epic’s position was that Google should wait to tell users about the risk until after Epic got around to patching it for everyone? How does that make sense? Never mind the spurious claim that Google was the one creating a risk…
Paul Ducklin
The patch was out and therefore the existence of a flaw was already known. Epic’s position was that Google should hold off from disclosing specific details of the vulnerability for a bit longer because such disclosures often act as “incentivising how to” guides that show cybercrooks how to attack those users who haven’t patched yet.
Given that the bug had already been acted on by Epic, Google didn’t need the threat of publication to force Epic to do something about it, which is what responsible disclosure is supposed to do: stop bugs being swept under the carpet.
So, on balance, why not leave a bit longer than a week during which the vulnerability was known about but not publicly described, to let a greater percentage of users catch up before alerting the bad guys?
Epic is not alone in thinking that Google’s very rigorous and algorithmic bug disclosure policy ought to be blessed with a bit of humanity; Google is adamant that a non-human “clock-based” disclosure process is more objective and avoids subsequent complaints about favouritism.