Google has hit back in dramatic fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android through its own website instead of the Google Play Store. Unfortunately, the installer had a phenomenally dangerous vulnerability that would allow a malicious actor to install essentially any software they wanted. Google wasted no time in pointing out this extreme mistake.
As a brief explanation of why this even happened, Epic explained that it would be good to have "competition between software sources on Android" and that the best would be "successful based on profits." Everyone understood, of course, that what it meant was that Epic would not share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.
Many warned that this was a security risk for several reasons; for example, users had to enable app installs from unknown sources
Google was understandably not amused by Epic's play, which undoubtedly played a part in its decision to investigate the download and installation process, although I'm sure that user security was also a motivating factor. And wouldn't you know it, they found a whopper right off the bat.
In a thread written one week after the Fortnite downloader went live, a Google engineer named Edward explained that the installer, as initially released, would allow an attacker to install anything they wanted.
The Fortnite installer downloads an APK (the package format for Android apps), saves it locally and then launches it. But because the APK was stored on shared external storage, a bad guy could swap in a different file for the installer to launch, in what is called a "man-in-the-disk" attack.
And because the installer only checked that the name of the APK was correct, as long as the attacker's file was called "com.epicgames.fortnite", it would be installed! Silently, and with many additional permissions too, if the attacker wanted, because of how the unknown-sources installation policies work. Not good!
Edward pointed out that this could be fixed easily and, in a fantastically low-key bit of shade, helpfully linked to a page on the Android Developers website describing the basic function Epic should have used.
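The flaw and its fix can be modelled in a few lines. This is an added example, not code from the article, Epic or Google: a Python model in which two temporary directories stand in for shared external storage and for app-private storage, and the function names and the pinned digest are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

PACKAGE_NAME = "com.epicgames.fortnite"  # the name quoted in the article


def name_only_check(path):
    """The flawed check: accept any file that carries the expected name."""
    return os.path.basename(path) == PACKAGE_NAME


def digest_check(path, expected_sha256):
    """Accept the file only if its bytes hash to the pinned digest."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256


def stage_private(payload, private_dir):
    """Write the download where only the installer's own user can reach it."""
    os.chmod(private_dir, 0o700)
    path = os.path.join(private_dir, PACKAGE_NAME)
    # O_EXCL refuses a pre-planted file; 0o600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def simulate():
    genuine = b"constructed stand-in for the genuine APK bytes"
    swapped = b"constructed stand-in for a replaced file"
    pinned = hashlib.sha256(genuine).hexdigest()  # assumed to arrive over a trusted channel
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        shared_path = os.path.join(shared, PACKAGE_NAME)
        with open(shared_path, "wb") as fh:  # installer saves its download
            fh.write(genuine)
        with open(shared_path, "wb") as fh:  # another app rewrites it before install
            fh.write(swapped)
        private_path = stage_private(genuine, private)
        return {
            "name_check_accepts_swapped": name_only_check(shared_path),
            "digest_check_accepts_swapped": digest_check(shared_path, pinned),
            "digest_check_accepts_private": digest_check(private_path, pinned),
        }


if __name__ == "__main__":
    print(simulate())
```

A digest check on shared storage still leaves a window between the check and the install, which is why the model also stages the file in a private directory.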
To Epic's credit, its engineers jumped on the problem at once and had a fix in the works by that afternoon and distributed by the next. Epic InfoSec asked Google to wait 90 days before publishing the information.
As you can see, Google was not so generous. A week later (that is, today) the flaw has been published on the Google Issue Tracker page in all its … well, not glory exactly. Really, the opposite of glory. This seems to have been Google's way of warning any would-be Play Store mutineers that they would not be given careful handling.
Epic Games CEO Tim Sweeney was unamused. In a comment provided to Android Central, which by the way predicted that this exact thing would happen, he took Google to task for its "irresponsible" decision to "disturb users."
Epic sincerely appreciated Google's efforts to perform a thorough security audit of Fortnite immediately after our release on Android and share the results with Epic so that we could quickly issue an update to fix the mistake they discovered.
However, it was irresponsible for Google to publish the technical details of the error so quickly, while many installations were not yet updated and were still vulnerable.
An Epic security engineer, at my urging, requested that Google delay publication for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read everything at https://issuetracker.google.com/issues/112630336
Google's security analysis processes are valued and benefit the Android platform, but a company that is as powerful as Google should practice more responsible disclosure than this and not interfere with users during its PR campaign against Epic's distribution of Fortnite outside of Google Play.
In fact, companies should try not to disturb users for selfish reasons.