Fortnite devs unhappy as Google publicly reveals Android app vulnerability

Earlier this month, Google revealed a serious issue with the Android version of Fortnite, which could allow mischievous apps to hijack the installer and download pretty much anything to your phone. Now publisher Epic Games is letting its frustrations known about the way that Google went about disclosing the issue.  

To understand the disagreement you need to know a little about the nature of the bug, so here is a quick explanation of the exploit. Fortnite isn’t available via the Google Play Store – instead, you have to visit download the game directly from Epic. The idea of this is to avoid the punishing 30% fee that Google takes on all Play Store sales and in-app purchases.

The problem with this approach is that what you’re downloading from Epic isn’t the game itself – it’s simply an installer. Google discovered that the installer had a weakness where any app on your phone could hijack the process and install something nasty in its place. Worse, because it could also do so in the background, the app didn’t need to highlight to users that it was doing anything out of the ordinary. Given Fortnite’s popularity, all it would need is one popular rogue app to exploit this and you could have a mobile malware epidemic.

Related: Fortnite Battle Royale tips

Epic Games fixed the exploit within 48 hours of being told, and if you have version 2.1.0 or newer of the installer you should be clear. All the same, the way in which Google has gone public with the exploit has some wondering whether this is a tacit warning to any other big-name developers considering bypassing the Google Play Store.

“How does rapidly disclosing the technical details of a security flaw to hackers do anything to protect Android users?” asked Epic CEO Tim Sweeney on Twitter.

“Yes, telling users that a flaw was found and advising updating is valuable,” he added in a follow-up tweet. “But, again, why did Google have to rapidly disclose the technical details? Who does that help, other than the hackers?”

Related: Fortnite Battle Royale vs PUBG

Google’s policy is to publicly reveal issues seven days after the private disclosure to ensure that users can take security into their own hands. Epic apparently wanted 90 days to ensure that the patch was more widely spread before an explainer on the vulnerability was revealed.

The popularity of Fortnite has made it an easy target for cybercriminals – something reflected in Epic’s recent decision to reward activation of two-factor authentication with a free in-game emote.

Was Google right to disclose, or should it have given Epic longer to get the patch out? Let us know what you think on Twitter: @TrustedReviews