Epic Games’ popular shooter Fortnite has been out on Android for just a few weeks, and already there are concrete examples of some of the security fears brought about by the game’s unique distribution method. Google disclosed a vulnerability in the Fortnite Installer that could trick the installer into installing something other than Fortnite.
Fortnite is one of the rare Android apps that isn’t distributed on the Google Play Store. Epic, in an effort to avoid Google’s 30-percent cut of in-app purchases, is distributing the game itself on Android. Users who want Fortnite must go to Epic’s website and download an app called the “Fortnite Installer,” which will then download and install the Fortnite game and keep it up to date. This distribution method opens up users to a number of potential security risks. Getting the installer means users must allow “unknown sources” installation through the browser, and they have to make sure they’re actually downloading Fortnite from Epic Games and not just a website claiming to be Epic Games.
The Fortnite Installer was vulnerable to a “Man-in-the-disk” (MITD) attack. The installer, after downloading the game, could have the Android APK file swapped out with a malicious copy by a third-party app just before it was installed. The vulnerability only worked on Samsung devices—the “exclusive” launch OEM for Fortnite on Android. According to Google’s bug report, on Samsung phones, the Fortnite Installer used a “private Galaxy Apps API.” Samsung’s API stores the downloaded file in Android’s “external” storage, which is world readable, leading to the security problems. Google’s bug report even mentions that “Using a private internal storage directory rather than external storage would help avoid this vulnerability.”
Samsung’s API only checks that the APK being installed matches the package name “com.epicgames.fortnite.” Package names on Android are no more secure than filenames, and consequently anyone could make an app that passes this check. A malicious app could wait for the Fortnite Installer to download an update, swap out the “com.epicgames.fortnite” APK before the install happens, and the Fortnite Installer would install the malicious app. To make matters worse, if the fake APK has a targetSdkVersion of 22 (Android 5.1 Lollipop) or lower, it will be granted any permissions it asks for at install without the user’s knowledge.
Google filed the bug on August 15, and Epic Games fixed the bug the next day, saying “The patched launcher is version 2.1.0, and all existing installs should upgrade in place.” The fix seemed pretty simple: as Google suggested, Epic just moved the default storage directory from public external storage to a private chunk of internal storage.
This is where things get a bit strange. Epic requested that Google not tell anyone about the bug for 90 days. Google’s security disclosure policy states, “We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.” Since Epic fixed the bug after a single day, the “or sooner” part of that policy kicked in, and Google waited seven days after the fix was released to go public. Epic was not happy with Google’s decision, and Epic CEO Tim Sweeney sent the following comment to Mashable:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
Both companies may have ulterior motives here. Google wants developers to use the Play Store because it makes Google money and because a curated store is safer for users. Epic wants to prove it can sidestep the Play Store without harming users, so the bug disclosure definitely harms Epic and helps Google.
Demanding Google wait 90 days to disclose a patched app vulnerability (not even an OS update!) seems like serious overkill. I’m not sure how often the Fortnite Installer updates, but on Google Play, app updates are usually checked for every 24 hours. If Epic takes longer than this to push an update out to users, perhaps it should have the installer check for updates more often.