Epic Games’ popular shooter Fortnite has been out on Android for only a few weeks, and already there is a concrete example of one of the security fears raised by the game’s unusual distribution method. Google disclosed a vulnerability in the Fortnite Installer that could trick the installer into installing something other than Fortnite.
Fortnite is one of the rare Android apps that is not distributed on the Google Play Store. Epic, in an effort to avoid Google’s 30-percent cut of in-app purchases, is distributing the game itself on Android. Users who want Fortnite have to go to Epic’s website and download an app called the “Fortnite Installer,” which then downloads and installs the Fortnite game and keeps it up to date. This distribution method opens users up to a number of possible security risks. Getting the installer means users must allow “unknown sources” installation through the browser, and they have to make sure they are actually downloading Fortnite from Epic Games and not just a site claiming to be Epic Games.
The Fortnite Installer was vulnerable to a “Man-in-the-disk” (MITD) attack. After the installer downloaded the game, a third-party app could swap the Android APK file for a malicious copy just before it was installed. The vulnerability only worked on Samsung devices, the “exclusive” launch OEM for Fortnite on Android. According to Google’s bug report, on Samsung phones, the Fortnite Installer used a “private Galaxy Apps API.” Samsung’s API stores the downloaded file in Android’s “external” storage, which is world readable, leading to the security issues. Google’s bug report even mentions that “Using a private internal storage directory rather than external storage would help avoid this vulnerability.”
Samsung’s API only checks that the APK being installed matches the package name “com.epicgames.fortnite.” Package names on Android are no more secure than filenames, which means anyone can make an app that passes this check. A malicious app could wait for the Fortnite Installer to download an update, swap out the “com.epicgames.fortnite” APK before the installation happens, and the Fortnite Installer would install the malicious app. To make matters worse, if the fake APK has a targetSdkVersion of 22 (Android 5.1 Lollipop) or lower, it will be granted any permissions it asks for at install without the user’s knowledge.
Google filed the bug on August 15, and Epic Games fixed the bug the next day, saying “The patched launcher is version 2.1.0, and all existing installs should upgrade in place.” The fix seemed pretty simple: as Google suggested, Epic just moved the default storage directory from public external storage to a private chunk of internal storage.
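An added illustration, not code from Epic, Samsung or Google’s report, of why the package-name check described above accepts a replaced file and what staging in a private directory changes. The stand-in file format, the SHA-256 pinned from a trusted manifest (an extra check the report does not mention) and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import tempfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"

def make_stand_in_apk(package, payload):
    # Constructed stand-in, NOT the real APK format: first line declares the package.
    return f"package={package}\n".encode() + payload

def name_only_check(path):
    """The weak check: trusts whatever package name the staged file declares."""
    with open(path, "rb") as f:
        return f.readline().strip() == f"package={EXPECTED_PACKAGE}".encode()

def dir_is_private(path):
    """True if neither group nor others can write to the staging directory."""
    return os.stat(path).st_mode & 0o022 == 0

def verify_staged(path, expected_sha256):
    """Return the verified bytes, or None. The caller installs these exact
    bytes, so nothing can change between the check and the install."""
    if not dir_is_private(os.path.dirname(path)):
        return None
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    return data if hmac.compare_digest(digest, expected_sha256) else None

def demo():
    genuine = make_stand_in_apk(EXPECTED_PACKAGE, b"genuine build")
    other = make_stand_in_apk(EXPECTED_PACKAGE, b"different content, same name")
    pinned = hashlib.sha256(genuine).hexdigest()  # assumed: from a trusted manifest

    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o777)        # models world-accessible external storage
    private = tempfile.mkdtemp()   # mkdtemp creates the directory with mode 0700

    results = {}
    for label, folder, content in (("shared_genuine", shared, genuine),
                                   ("shared_replaced", shared, other),
                                   ("private_genuine", private, genuine),
                                   ("private_replaced", private, other)):
        path = os.path.join(folder, "update.apk")
        with open(path, "wb") as f:
            f.write(content)
        # (result of name-only check, result of private-dir + digest check)
        results[label] = (name_only_check(path), verify_staged(path, pinned) is not None)
    return results
```

The name-only check passes in all four cases; the stricter check accepts only the genuine file staged in the private directory.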
This is where things get a bit strange. Epic asked that Google not tell anyone about the bug for 90 days. Google’s security disclosure policy states, “We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.” Since Epic fixed the bug after a single day, the “or sooner” part of that policy kicked in, and Google waited seven days after the fix was released to go public. Epic was not happy with Google’s decision, and Epic CEO Tim Sweeney sent the following statement to Mashable:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
Both companies may have ulterior motives here. Google wants developers to use the Play Store because it makes Google money and because a curated store is safer for users. Epic wants to prove it can sidestep the Play Store without harming users, so the bug disclosure certainly harms Epic and helps Google.
Demanding Google wait 90 days to disclose a patched app vulnerability (not even an OS update!) seems like serious overkill. I am not sure how often the Fortnite Installer updates, but on Google Play, app updates are typically checked for every 24 hours. If Epic takes longer than this to push an update out to users, perhaps it should have the installer check for updates more often.