Google's disclosure policy and Android security in general came under question after the company disclosed a flaw in the Android installer for the world's most popular game, Fortnite. The flawed installer is only for Android users because Fortnite developer Epic Games bypassed security protections available for apps distributed through the Google Play Store, in order to maximize profits and avoid paying distribution fees to Google.
On Friday, Google disclosed the Fortnite vulnerability and described it as a risk for a man-in-the-disk attack, in which any "fake [Android Package Kit] with a matching package name can be silently installed" by the Fortnite installer. Google disclosed the flaw to Epic Games on Aug. 15, and Epic produced a patch within 24 hours.
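The disclosure above describes an installer that trusts a downloaded APK on the strength of its package name alone. The following is an added illustration, not Epic's or Google's code, of the two checks a defender would expect instead: the APK must sit in app-private storage (so no other app can swap the file between verification and install) and its signing certificate must match a pinned digest. The class name, the `isTrusted` helper and the pinned-digest placeholder are assumptions; the Android APIs used require API level 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.File;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not Epic's code): decide whether a downloaded APK may be handed
// to the system installer. A matching package name is something a fake APK can copy;
// the signing certificate is not.
public final class ApkVerifier {
    // Placeholder: replace with the SHA-256 of the real signing certificate, pinned at build time.
    static final Set<String> PINNED_SIGNER_SHA256 =
            Collections.singleton("<PINNED_SHA256_OF_SIGNING_CERT>");

    // The APK must live under context.getFilesDir() (app-private internal storage), not on
    // external storage, which is where a man-in-the-disk attacker could replace it.
    public static boolean isTrusted(Context ctx, File apk, String expectedPackage) throws Exception {
        String privateRoot = ctx.getFilesDir().getCanonicalPath() + File.separator;
        if (!apk.getCanonicalPath().startsWith(privateRoot)) {
            return false; // refuse anything on shared/external storage
        }
        PackageInfo info = ctx.getPackageManager().getPackageArchiveInfo(
                apk.getAbsolutePath(), PackageManager.GET_SIGNING_CERTIFICATES);
        if (info == null || info.signingInfo == null || !expectedPackage.equals(info.packageName)) {
            return false;
        }
        // Assumption: the legitimate app is signed by exactly one certificate.
        if (info.signingInfo.hasMultipleSigners()) return false;
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length != 1) return false;
        return PINNED_SIGNER_SHA256.contains(sha256Hex(signers[0].toByteArray()));
    }

    // Hex-encoded SHA-256 of the DER-encoded signing certificate.
    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }
}
```

Only after `isTrusted` returns true should the file be handed to the platform installer, and it should be handed over from the same private location that was verified.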
After testing the patch and deploying it to users on Aug. 16, Epic asked Google on the issue tracker page if they could have "the full 90 days before disclosing this issue so our users have time to patch their devices." Google did not respond on the issue tracker until Aug. 24, when it noted that "now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices."
Epic Games founder Tim Sweeney accused Google on Twitter of wanting "to score cheap PR points" by disclosing the Fortnite vulnerability because Epic Games had released the game outside of the Google Play Store.
Epic Games had previously claimed the reason for not releasing Fortnite for Android through the Play Store was twofold: to maintain a "direct relationship" with customers and to avoid the 30% cut Google would take from in-app purchases. Security experts immediately expressed skepticism about the move, because sideloading an app from outside the Play Store requires users to turn off Android's security checks, which also raises the risk of installing malicious fakes.
Sweeney admitted on Twitter that the Fortnite vulnerability was Epic's responsibility, but took issue with Google's fast disclosure.
I grant that Google finding a flaw in our software and sourcing stories about the fact of it is a valid PR strategy.— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
But why the rapid public release of technical details? That does nothing but give hackers a chance to target unpatched users.
It is unclear whether Epic Games contacted users directly regarding the Fortnite vulnerability and the need to update, and the company had not responded to requests for comment at the time of this post.
Sweeney did note on Twitter that the "Fortnite installer only updates when you run it or run the game" and said Google was monitoring the Fortnite vulnerability situation.
Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said that "from a security perspective there's no right or wrong in this scenario."
"As soon as the vulnerability was reported, Epic fixed [it] within 24 hours, which is commendable, and then Google publicly disclosed it according to their policy. Technically, users are now safe and informed regarding a potential security vulnerability that could have endangered their privacy and devices," Arsene wrote via email. "Granted, not all users will receive and install the update instantly, but the same can be said for most security patches and updates. As long as Epic is committed to delivering patches for their apps, regardless if they're in Google Play or not, and Google is committed to finding and responsibly disclosing vulnerabilities, security is enforced and users are the ones that benefit most."