‘Fortnite’ Developers Are Definitely Not Happy with Google
The developer of the super popular Fortnite decided to withdraw its app from Google Play Store and instead make it available through its own app. The game developer insisted on going it alone, and one of the reasons was not having to share the app revenue with Google. This was essentially a slap in the face for Google.
Epic’s move was obviously going to hurt Google, which warned gamers that going it alone could put Android users at greater risk. Now the worst has happened: Google found a bug in the Fortnite installer app that allows malicious apps to be downloaded onto one’s Android phone. A malicious app can hijack the download process so that, instead of downloading the game from Epic’s server, the installer downloads something entirely different, leaving the device open to attack.
Google first discovered the vulnerability in the Fortnite installer on August 15 and notified Epic immediately. Google didn’t make the details of the exploit public, and Epic sprang into action and released a patch within 48 hours.
So, where did it go wrong? Even though Epic released the patch quickly, it asked Google not to disclose the details of the exploit until 90 days had passed, as per the standard 90-day disclosure deadline. This would give users ample time to update their apps, and hackers would not be able to take much advantage of the bug. The 90-day disclosure deadline explicitly states the following:
“This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public.”
Although Epic asked Google to wait the full 90 days before disclosing the exploit, Google went ahead and shared the details. Its statement reads:
“The patched version of Fortnite Installer has been available for 7 days we will proceed to un-restrict this issue in line with Google’s standard disclosure practices”.
Obviously, the Fortnite developers were not happy with Google’s take. Epic CEO Tim Sweeney said in a statement to Mashable:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed.
Google’s security analysis efforts are appreciated and benefit the Android platform, however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Ultimately, who’s in the right and who’s in the wrong? Honestly, neither company is.
Each of them is right in its own way, and we cannot blame either company for its decision. Looking at the larger picture, Google is right that downloading the app from other sources leaves it more vulnerable. Or you can say that Google was not happy with Epic pulling out, which means a huge loss in revenue from the popular game.
Finally, Google has one standard statement, and it is true, so you cannot blame them for it: “User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.”
Julia Sowells