Fortnite Android app flaw put Epic at odds with Google
Downloading Fortnite for your Android isn't particularly dangerous. Installing Fortnite on your Android might be dangerous if you don't know the risks. This week Google and Epic Games began a battle that started with an act of good will. Google showed Epic Games that they had a flaw in their Fortnite APK app file – seems innocent enough an action on it's own, right?
Google showed a flaw in the Fortnite APK to Epic Games InfoSec (developers and fixers at Epic Games, the developers behind Fortnite.) Once they'd shown this flaw to Epic Games, Epic Games went to work on a fix. They patched the vulnerability rather quickly – approximately 33 hours after the first message from Google.
Google included the video above with their initial message to Epic Games to show how the vulnerability might affect an unsuspecting user at the receiving end of an attack. This sort of attack would require that the attacker knew that the vulnerability existed in the first place. This was not commonly known until this week.
Two bits of information are important here, and one of them is important especially to you, the Fortnite gamer. If you've downloaded Fortnite for your Android device direct from any source, your device was quite possibly compromised by a malicious party. The part you missed was the Fortnite Installer.
Epic Games built in a bit of security to make sure they had a direct line between their servers with updates to the app and the end user. This was the Fortnite Installer app. This is separate from the Fortnite app itself. If you did not download the Fortnite Installer app from Epic Games, you might well want to reset your device now and change all the passwords you've ever entered in on your smartphone or tablet.
That bit isn't what Google was talking about. Google was talking about a vulnerability with the Fortnite Installer with versions before 2.0.1. The SPECIFIC set of circumstances you'd have to be in for this vulnerability to have affected you are as follows:
1. You downloaded the Fortnite Installer before version 2.0.1 AND
2. Installed Fortnite from the Fortnite Installer after the 24th of August
If you installed on the 23rd of August or before, you're probably fine. If you downloaded the patched version of the Fortnite Installer at version 2.0.1 or later, you're probably fine. This rather specific set of circumstances is what we're here about.
Google included a disclaimer in their disclosure of the vulnerability to Epic Games, then to the world. In the disclosure they included the following text, which is standard with such disclosures: "This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public."
The part that's easy to misunderstand here is the 90-day disclosure deadline. This is active so long as no patch was issued. If, and when, a patch (a fix) is released, a new countdown goes into effect. This new countdown, as mentioned by Google later in the thread, is a week's time. The timeline goes like this:
1. August 15: Google identifies flaw
2. August 15: 90-day timer goes into play before public disclosure of flaw.
3. August 15: Epic begins working on fix
4. August 16: Epic finds fix, begins sending patch to users
5. August 16: 7-day timer goes into play before public disclosure of flaw.
6. August 24: Time's up, flaw publicly disclosed by Google.
In the Google Issue Tracker for this issue, you can see how, on the 16th, Epic asked for "the full 90 days before disclosing this issue so our users have time to patch their devices." No other emails seem to have been sent (and/or disclosed) between that request and the confirmation by Google that 90 days are no longer in effect – and that the 7 days are up.
Meanwhile over at Mashable, Epic Games' CEO Tim Sweeney shared a statement: "Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."
Keep your seatbelts tightened, folks, this isn't the end of this particular exchange. Fortnite is one of the biggest games in recent history, and its launch on mobile devices was an explosion the likes of which haven't been seen since Pokemon GO. Epic Games decided they'd like to launch the game outside of Google play to avoid what they saw as unfair fees for hosting their app for download. Google, for their part, made clear in their search engine that Fortnite wasn't on the Google Play app store, to avoid any unnecessary foolish downloads of 3rd-party apps posing as official apps. Since then, there's been a bit of a behind-the-scenes tussle.
This is not the first time the fee-battle's gone public. Have a peek at the timeline below for related events. Stay tuned as we watch the throne for more.