Fortnite vulnerability on Android causes disclosure tension
Google’s disclosure policy and Android security in general came under question after the company disclosed a flaw in the Android installer for the world’s most popular game, Fortnite. The flawed installer is only for Android users because Fortnite developer Epic Games bypassed security protections available for apps distributed through the Google Play Store, in order to maximize profits and avoid paying distribution fees to Google.
On Friday, August 26th, Google disclosed the Fortnite vulnerability and described it as a risk for a man-in-the-disk attack where any “fake [Android Package Kit] with a matching package name can be silently installed” by the Fortnite installer. Google disclosed the flaw to Epic Games on Aug. 15, and Epic had produced a patch within 24 hours.
After testing the patch and deploying it to users on Aug. 16, Epic asked Google on the issue tracker page if they could have “the full 90 days before disclosing this issue so our users have time to patch their devices.” Google did not respond on the issue tracker until Aug. 24, when it noted that “now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices.”
Epic Games founder Tim Sweeney accused Google on Twitter of wanting “to score cheap PR points” by disclosing the Fortnite vulnerability because Epic Games had released the game outside of the Google Play Store.