The nay-sayers were right – releasing the Android version of the mega-successful game Fortnite in a way that bypassed Google’s Play Store was a security risk after all.
Publisher Epic Games opened invitations to download the beta version of Fortnite from its website on August 9. Just days later, a Google security researcher identified only as ‘Edward’ published news of a vulnerability in its installer that could make possible what has recently been dubbed the ‘Man-in-the-disk’ (MITD) attack.
This was bad for several reasons, the first being that anyone exploiting it could too easily substitute their malware for the Fortnite Android Package (APK) file on Samsung devices (the game’s exclusive launch partner), without the user being any the wiser.
An alarming possibility, of course, which is why Epic fixed the game by changing the downloader’s storage location from a public to a private area within a day of being told about it, on August 16.
But Epic faced a second problem – Google said it would make the flaw public a week later, on August 23, as mandated by its famously tough disclosure policy.
Epic wasn’t happy, claiming this didn’t allow enough time for all of its Samsung launch and beta users to receive an update.
Tweeted Epic’s CEO and founder, Tim Sweeney, the day after Google made the flaw public:
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
Of course, if Epic had made Fortnite for Android available through the Play Store instead of offering it as a sideloaded app pointing at Epic’s servers, perhaps the vulnerability wouldn’t have existed in the first place.
Finding a flaw in a game looks bad enough but finding a gaping flaw in the software designed to download that game from outside the Play Store looks even worse, even if the flaw was easily fixed.
Fortnite users couldn’t care less where they get the Android app from, but Epic – and Google – do.
As was widely debated in the weeks leading up to the app’s release, hosting Fortnite for Android on Google Play would mean handing over as much as 30% of the proceeds for the privilege.
Given that Fortnite for Apple’s iOS has reportedly been making $27 million per month, hosting the APK on Epic’s servers looked like a great way to cut out the middleman.
Cynics will point out that Google’s Android business model depends in part at least on taking that cut, and losing the biggest games phenomenon of the moment to a direct download was never going to go down well.
However true that might be, sideloading comes with big risks, particularly on Android versions prior to Android 8.0 (Oreo), which still allows users to download from ‘unknown sources’ on a global rather than app-by-app basis.
Malicious apps can exploit this setting to install themselves, including completely fake Android Fortnite apps of the sort found circulating earlier this summer.
Whether Google’s decision to disclose the flaw after a week was justified or not, it’s hard to argue the case that Epic’s distribution model is good for the long-term security of its users.