It has been rumbling for a while, but Epic Games’ decision to bypass the Google Play Store and distribute the Fortnite game as a download from its website is perhaps not as good an idea as initially thought. Google has revealed the exact details of the security flaw, as well as the fact that game developer Epic Games wanted Google to keep quiet about it for a while.
Google did detail the exact flaw in the Fortnite installation process for Android and showed how the very first installation file shared by Epic Games for the Fortnite game installation on Android phones (these files have the .apk extension), allowed hackers to basically push any malicious app to the devices. The Android device user would certainly not know about any malicious background activities or apps running under the disguise of the Fortnite installer.
Google details the flaw in the Issue Tracker published by the company—“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.”
Google shared this update with Epic Games on 15 August, and while the game developer acknowledged the issue and got down to fixing it, on 16 August, they asked Google something that should worry all Android phone users— “We would like to request the full 90 days before disclosing this issue so our users have time to patch their devices.” On 24 August, Google responded with, “Now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices.”
“There’s a technical detail here that’s important. The Fortnite installer only updates when you run it or run the game. So if a user only runs it every N days, then the update won’t be installed for N days. We felt N=90 would be much safer than N=7,” posted Tim Sweeney, CEO, Epic Games, on Twitter. However, as Android users, we don’t really buy that at all.
The worst part about this whole episode is that the installation file, the .apk file in question here, is pretty much the first step to getting the Fortnite game. For a game developer that is trying to set a new trend by bypassing the Google Play Store and asking millions of Android phone users to download the .apk file from their own website, so as to not have to pay Google a share of the earnings from the in-app purchases made by gamers—the fact that the installation file itself had a vulnerability is a huge embarrassment.
The Play Store is the official application store for Android phones, and this is usually preloaded on Android smartphones that you buy. The way the app store arithmetic works is that whenever a user does a purchase on the Play Store, a share of that purchase amount goes to Google. A lot of apps and games now offer in-game purchases as well, and a cut from that also goes to Google, which is about 30 percent cut. Apple also takes a similar share for any purchases routed through the Apple App Store. Incidentally, Fortnite for iOS is available exclusively through the App Store, and Epic Games pays Apple the necessary share of the earnings.
The unfortunate reality of Epic Games trying to show the world that they can do without Google and the Play Store, is that it has put the user at risk. Had the game been distributed via the Play Store on Android devices, there would have been no vulnerable installation file to open your device to, and invite subsequent malware too. We do suspect that the company which would perhaps be smiling at this turn of events is Apple. For all the criticisms that it faces for being a “walled garden” and a “closed platform”, the apps and games being distributed on the App Store for iOS devices have to go through mandatory security checks and there is no option to bypass it.
Also read: Fortnite Bypassing Play Store Could Cost Google More Than $50 Million This year
Also read: Fortnite Bypassing Google Play Store is a Good And Bad Thing
Comments
0 comment