Epic Games’ popular shooter Fortnite has been out on Android for just a few weeks, and already there are concrete examples of some of the security fears brought about by the game’s unique distribution method. Google disclosed a vulnerability in the Fortnite Installer that could trick the installer into installing something other than Fortnite.
Fortnite is one of the rare Android apps that isn’t distributed on the Google Play Store. Epic, in an effort to avoid Google’s 30 percent cut of in-app purchases, is distributing the game itself on Android. Users that want Fortnite have to go to Epic’s website and download an app called the “Fortnite Installer,” which will then download and install the Fortnite game and keep it up to date. This distribution method opens up users to a number of potential security risks. Getting the installer means users must allow “unknown sources” installation via the browser, and they have to make sure they’re actually downloading Fortnite from Epic Games and not just a website claiming to be Epic Games.
The Fortnite Installer was vulnerable to a “Man-in-the-disk” (MITD) attack. The installer, after downloading the game, could have the Android APK file swapped out with a malicious copy by a third-party app just before it was installed. The vulnerability only worked on Samsung devices—the “exclusive” launch OEM for Fortnite on Android. According to Google’s bug report, on Samsung phones the Fortnite Installer used a “private Galaxy Apps API.” Samsung’s API stores the downloaded file in Android’s “external” storage, which is world readable, leading to the security problems. Google’s bug report even mentions that “Using a private internal storage directory rather than external storage would help avoid this vulnerability.”
Samsung’s API only checks that the APK being installed matches the package name “com.epicgames.fortnite.” Package names on Android are no more secure than filenames, and as a result anyone could make an app that passes this check. A malicious app could wait for the Fortnite Installer to download an update, swap out the “com.epicgames.fortnite” APK before the install happens, and the Fortnite Installer would install the malicious app. To make matters worse, if the fake APK has a targetSdkVersion of 22 (Android 5.1 Lollipop) or lower, it will be granted any permissions it asks for at install without the user’s knowledge.
Google filed the bug on August 15, and Epic Games fixed the bug the next day, saying “The patched launcher is version 2.1.0, and all existing installs should upgrade in place.” The fix seemed pretty simple: as Google suggested, Epic just moved the default storage directory from public external storage to a private chunk of internal storage.
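The difference between the name-only check and the fix described above, as an added example that is not Epic’s, Samsung’s or Google’s code: a simplified Python model in which a constructed file format stands in for an APK. The function names, directory modes and pinned SHA-256 digest are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"

def make_pkg(package, payload):
    # Constructed stand-in for an APK: the first line is the package name.
    return package.encode() + b"\n" + payload

def package_name(blob):
    return blob.split(b"\n", 1)[0].decode()

def weak_check(path):
    # The check the article describes: only the package name is compared.
    with open(path, "rb") as f:
        return package_name(f.read()) == EXPECTED_PACKAGE

def hardened_check(path, pinned_sha256):
    # Staging directory must not be writable by group or others.
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    # Content must match a digest obtained over a trusted channel (assumed).
    with open(path, "rb") as f:
        data = f.read()
    return (hashlib.sha256(data).hexdigest() == pinned_sha256
            and package_name(data) == EXPECTED_PACKAGE)

def stage(directory, mode, blob):
    # Create a staging directory with the given permissions and write the file.
    os.mkdir(directory)
    os.chmod(directory, mode)
    path = os.path.join(directory, "download.apk")
    with open(path, "wb") as f:
        f.write(blob)
    return path

def demo():
    genuine = make_pkg(EXPECTED_PACKAGE, b"genuine build")
    replaced = make_pkg(EXPECTED_PACKAGE, b"other content, same package name")
    pinned = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        shared = stage(os.path.join(root, "external"), 0o777, replaced)
        private = stage(os.path.join(root, "internal"), 0o700, genuine)
        return {"weak_accepts_replaced": weak_check(shared),
                "hardened_accepts_replaced": hardened_check(shared, pinned),
                "hardened_accepts_genuine": hardened_check(private, pinned)}
```

On Android the corresponding controls are app-private internal storage and verification of the package’s signing certificate rather than its name; installing from the same bytes that were verified avoids a gap between check and use.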
This is where things get a bit strange. Epic asked that Google not tell anyone about the bug for 90 days. Google’s security disclosure policy states, “We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.” Since Epic fixed the bug after a single day, the “or sooner” part of that policy kicked in, and Google waited seven days after the fix was released to go public. Epic was not happy with Google’s decision, and Epic CEO Tim Sweeney sent the following comment to Mashable:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
Both companies might have ulterior motives here. Google wants developers to use the Play Store because it makes Google money, and because a curated store is safer for users. Epic wants to prove it can sidestep the Play Store without harming users, so the bug disclosure definitely harms Epic and helps Google.
Demanding Google wait 90 days to disclose a patched app vulnerability (not even an OS update!) seems like serious overkill. I’m not sure how often the Fortnite Installer updates, but on Google Play, app updates are usually checked for every 24 hours. If Epic takes longer than this to push an update out to users, maybe it should have the installer check for updates more often.