A serious bug discovered in the Fortnite installer app was disclosed to the public before the fix was released widely.
No other mobile title on Android has drawn as much attention to itself as Fortnite. Epic Games’ free-to-play battle royale game for Android was released with a lot of twists: it was initially exclusive to Samsung devices, and then it was not made available on the Google Play Store. It therefore seemed that things could turn sour between Google and the Fortnite maker, which they eventually did.
Google has been pretty serious about maintaining top-notch security on Android by requiring several app developers to opt for the highly secured Play Store rather than relying on third-party app repositories. Since Fortnite can only be installed through a separate installer APK file, Google decided to audit it and came back with the kind of result that is expected of app installers found outside the Play Store.
Google found that the Fortnite installer had a flaw that could let malicious apps installed on an Android phone hijack the download process and download something unintended. Google declared this unsafe, claiming that the installer left Android phones vulnerable to attacks, and therefore notified Epic Games to get the issue rectified before it was made public.
Epic Games quickly resolved the issue and rolled out a patch for the app across all Android smartphones. However, Epic Games asked Google to keep the flaw secret for 90 days, which could give people enough time to update the app. Google instead made the issue public after just a week, leaving Epic Games dissatisfied.
“Now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices,” read Google’s disclosure on the Issue Tracker page.
Epic Games replied, saying, “Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336.
Google's security analysis efforts are appreciated and benefit the Android platform, however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”
Google clearly chose to ignore Epic Games’ request by disclosing the bug to the public. However, Google goes by its strict guidelines for ensuring user data security and maintaining transparency about its processes. Its statement read: "User security is our top priority, and as part of our proactive monitoring for malware, we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue." This statement puts Google in the right.
Had Epic Games gone the Play Store route instead of hogging all its profits for itself, it wouldn’t have had to face such issues. Apple clearly restricts developers to its App Store as the sole source for installing new apps on iOS devices, which helps the company maintain security on its devices across the world.