'

Fortnite Epic Games CEO rails against Google vulnerability disclosure

Circumventing the Google Play Store has not gone completely to plan.

The CEO of the firm responsible for developing the popular Fortnite shooting game and Google have become embroiled in a public argument over vulnerability disclosure policies.

"Google could have disclosed the fact that a vulnerability was discovered without disclosing sufficient technical details that hackers could readily exploit it," says Tim Sweeney, the chief executive of Epic Games, developer of Fortnite.

Sweeney was referring to the disclosure of a severe security vulnerability in the Fortnite installer. The game developer chose to stay away from Google Play, and instead, launched its own Android app installer for the shooting game which is downloaded directly from the Epic domain.

Despite not being available through Google Play, as Fortnite comes in an Android version and has proven popular enough to be downloaded what is believed to be millions of times, Google bug hunters were watching.

In an issue tracker post earlier this month, Google researchers revealed that the Fortnite installer APK could be exploited to allow attackers to hijack the app through a Man-in-The-Disk (MiTD) attack.

This technique can be applied to apps which connect to external storage rather than internal storage systems, which are better protected through Android sandbox restrictions.

In the case of Fortnite, the APK could be substituted with a malicious software package immediately after the download has completed and the fingerprint verified, according to Google.

To make matters worse, the APK can be installed with all permissions it requests at the time of installation without raising any user suspicion.

Download.com: Fortnite's deadly Android vulnerability: How to protect your device

"This is easily done using a FileObserver," the team added. "The Fortnite Installer will proceed to install the substituted (fake) APK."

The bug was subject to a 90-day disclosure deadline at the time the event tracker notice was published.

Epic acknowledged the security flaw, commenting:

"We were able to reproduce the bug you submitted and have a team working around the clock to fix it. We are currently testing a fix which resolves the issue on newer Android devices and will provide updates as our development work continues.

We will deploy this update as soon as it becomes available, and have a rough timeline of later this week, possibly as early as tomorrow. Thanks again for bringing this to our attention."

However, things quickly turned sour.

Epic requested the full 90 days before public disclosure. However, as a patch was readied within 48 hours and was available for seven days from August 24, Google declined the request.

"Now the patched version of Fortnite Installer has been available for seven days we will proceed to unrestrict this issue in line with Google's standard disclosure practices," a Google developer said.

Sweeney is not happy with the disclosure and has branded Google's disclosure of the security flaw as "irresponsible."

"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered," the executive said. "However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable."

While the serious vulnerability has now been fixed in the Fortnite installer, the executive implied on Twitter that the time request was necessary to give more users a chance to receive the update.

CNET: With new iPad support, Google Duo takes another stab at FaceTime

"A company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play," Sweeney added, in reference to the decision made by the game developer to stay out of Google Play when launching the Android version of Fortnite.

See also: Critical remote code execution flaw in Apache Struts exposes the enterprise to attack

The executive added that the move was a way to "score cheap PR points."

That decision, considering the popularity of Fortnite, has cut Google out of untold revenue based on commission. However, it has also sidelined the security protections and update system the store offers to users.

In general, installing mobile apps outside of official stores is not recommended due to a number of security concerns, such as the accidental installation of malicious apps masquerading as the real thing, Man-in-The-Middle (MiTM) attacks, and more.

According to Sweeney, Google privately told Epic that the company was monitoring Fortnite installations on all Android devices, and believes that there are few unpatched installs remaining.

As such, the disclosure would be unlikely to place most users at risk.

However, Sweeney has argued that 90 days would have been more responsible than seven, as the installer only updates when the app is opened:

screen-shot-2018-08-28-at-08-48-40.png

Earlier this year, Microsoft was left scrambling to fix a bug after the Google Project Zero team disclosed a severe vulnerability after Microsoft failed to meet the 90-day deadline. In the case of Fortnite, however, the disclosure can be argued as reasonable.

It may be that Google did push the technical details of the security flaw more quickly than required due to Epic's aversion to the Play Store.

The game developer, however, was still subject to the same disclosure rules that everyone else is -- including other tech giants such as Microsoft when vulnerabilities have the potential to impact millions of users worldwide.

TechRepublic: Six tips to manage your Google Calendar more efficiently

Epic has used gamer interests in an attempt to boost general security, despite the disclosure argument taking place. The company has recently implemented an unusual tactic by offering in-game rewards for those who enable two-factor authentication (2FA) on their accounts.

There is another element of this story worthy of note. In order to process 92 million events a minute and cater for data grow of approximately two petabytes a month, Epic makes use of Amazon Web Services (AWS), rather than rival platforms such as Google Cloud.

According to AWS CTO Werner Vogels, the AWS architecture was the right choice as from day one -- especially in the case of game developers -- traffic and growth can occur in heavy bursts, rather than a steady incline.

It's interesting to see Epic turning away so obviously from Google-owned services to support the growing Fortnite network and we will have to see if other game developers follow suit in the future.

Previous and related coverage