Epic boss criticises Google decision to publicise Fortnite flaw

Says Google is trying to "score cheap PR points."

News by Emma Kent Contributor

Updated on 28 Aug 2018

In the aftermath of Epic's decision to have battle royale phenomenon Fortnite avoid the Google Play store, it seems tensions remain high between the two companies. Over the past few days, a new tussle has emerged - this time over a security flaw found in the Android version of the game.

On Friday, Google published a report which revealed the Fortnite app could be hijacked by other apps "to instead install a fake APK with any permissions that would normally require user disclosure". This essentially meant apps could silently download unapproved software in the background. Huh, I guess this "worm" file isn't a Fortnite dance move after all...

Google reported the flaw to Epic on 15th August, and according to records on Google's issue tracker, the vulnerability was fixed by the Fortnite team two days later. Epic's CEO Tim Sweeney believes publishing the flaw is a "valid PR strategy," but criticised Google's decision to publicise it a week after the patch had been issued.

The flaw has been addressed in a recent Fortnite patch.

Epic originally requested Google refrain from revealing the problem for a period of 90 days rather than Google's usual seven days "so users have time to patch their devices". According to Sweeney, this is because Fortnite updates on Android are downloaded only when the game is launched. Interestingly, as security expert Graham Cluley notes, this would not have been an issue on Google Play where updates happen automatically.

There’s a technical detail here that’s important. The Fortnite installer only updates when you run it or run the game. So if a user only runs it every N days, then the update won’t be installed for N days. We felt N=90 would be much safer than N=7.
— Tim Sweeney (@TimSweeneyEpic) August 26, 2018

Despite the fact Google stuck to its standard disclosure policies, in Sweeney's opinion, the move has done "nothing but give hackers a chance to target unpatched users". Today, Sweeney even hinted he felt "the word punishment is very appropriate here". Some have suggested this might have been payback for Fortnite avoiding the Google Play store - and thus Google's cut of sales generated by the game.

We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

The word punishment is very appropriate here, but how does rapidly disclosing the technical details of a security flaw to hackers do anything to protect Android users?
— Tim Sweeney (@TimSweeneyEpic) August 28, 2018

In any case, Fortnite's decision to avoid the Google Play store seems to have come at a cost. Although Epic has avoided paying out 30 per cent to Google, the downside is Fortnite on Android carries the perception of an increased vulnerability to security problems. Related, Fortnite recently encouraged users to add additional security measures to their accounts, such as two-factor authentication (which will land you a sweet boogie emote).

Read this next