How do trusted app stores release and disclose patches?

Google recently found a flaw in the Android installer for Fortnite and disclosed it to Epic Games Inc., which then produced a patch and began testing within 24 hours. Despite Epic's request for 90 days before public disclosure, Google only gave them seven days per its standard disclosure practices. Was Google imposing a penalty on Epic Games for bypassing Google's trusted app store, and should Google have been more flexible on reporting the vulnerability?

One of the key improvements in mobile security was the introduction of trusted app stores and the security controls they offer. Trusted app stores do some security vetting and can provide users with important context for an app, such as if the app might be infected with malware.

While this makes it easier for users to avoid some malware, it is still difficult to completely avoid it, as some strains are capable of bypassing app store security controls. Even though some malware can defeat trusted app store security, that doesn't mean that software developers shouldn't use app stores.

When Google recently found a flaw in the Epic Games' Fortnite installer and notified them of it, Epic Games produced a patch within 24 hours.

However, Epic Games released its Fortnite installer outside of the Google Play Store to avoid paying Google distribution fees, and the savings accrued may have been overbalanced by the consequences Epic suffered from bypassing the security afforded by using trusted app stores. Epic Games reportedly did this to build a direct relationship with their users, not just to avoid paying Google for the use of the Google Play Store. However, given the popularity of Fortnite, a significant number of people were still potentially put at risk by this action.

The act of producing a patch in less than 24 hours could be an indicator of the seriousness of the vulnerability, but it could also mean other things, such as how trivial the bug was. How updates are distributed could vary in difficulty depending on the app; trusted app stores can also be used to distribute updates to end users, as some apps have auto-update mechanisms, which is how the patch was distributed for Fortnite.

While auto-updates enable the mass releases of patches, they can also be faked, which ultimately exposes users to additional risks. In order to ensure that updates are actually installed on user devices, developers should communicate with their users. For example, if Google had been willing to give Epic Games more time before it made the vulnerability public, it could have enabled security vendors to incorporate detections into their products to further protect end users.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)