Epic Games founder Tim Sweeney has hit out at advertising giant Google, accusing the company of deliberately shortening its usual vulnerability disclosure deadline in order to discourage developers from releasing Android software outside the Google Play ecosystem.
To say that Epic Games has a hit on its hand with Fortnite, a game originally developed for co-operative survival purposes but which hit the big time when the company introduced a battle royale mechanism, is stating the obvious - and with a massive share of the PC gaming market sewn up, the company has turned its attention to mobile gaming. Its Android port of the game, however, doesn't come via the Google Play store as you might expect; instead, it is provided as a separate download, handily bypassing the need to give Google a cut of the proceeds.
Unfortunately, Epic's chosen distribution method also bypasses a range of security features put in place to protect Android users against malicious software. A bug in the game's installer, which is a small shell program that downloads the larger game data, left players at risk of attack - but while Epic Games founder Tim Sweeney has coughed to his company's security misstep, he believes the issue has been deliberately mishandled by Google.
The security flaw, which allows an attacker to replace the game files with malicious data which is then installed and executed with the same permissions as the Fortnite installer itself even when third-party application installation has been disabled, was discovered by Google's Project Zero security team. As with all Project Zero bugs, the issue was privately disclosed to the vendor - Epic - so it could be patched before public disclosure.
It's here that Sweeney claims Google has been disingenuous: Rather than the usual 90-day deadline offered by Project Zero, Epic was given a much shorter deadline. 'Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details,' Sweeney claims in a Twitter post. 'We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
'Yes, Epic is responsible for [the] security flaw and, as I communicated to the @AndroidCentral folks, we're grateful that Google did the in-depth security analysis of Fortnite and reported the flaw to us,' Sweeney continues. 'I grant that Google finding a flaw in our software and sourcing stories about the fact of it is a valid PR strategy. But why the rapid public release of technical details? That does nothing but give hackers a chance to target unpatched users. Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.'
The issue, Sweeney intimates, is that Google has a serious incentive to push developers into releasing software via Google Play rather than taking Epic's do-it-yourself approach: All software distributed on Google Play is required to give a cut of its sales to Google, including any sales of in-app purchases - the key revenue stream for Epic's Fortnite.
Google has not publicly responded to Sweeney's criticisms, while the original bug report can be found on the Project Zero issue tracker.
March 25 2020 | 14:00