The popular game Fortnite finally made its debut on Android as a Samsung exclusive a few weeks ago. Last week, Google identified a flaw in the installer that could be used to expose the phone to further vulnerabilities via a Man In The Disk attack. The firm allowed Epic Games to fix the issue, waited a week for the fix to roll out to users and then publicised it after the threat had been neutralised. You’d think the story would stop there, but never one to resist shooting himself in the foot, Epic’s Tim Sweeney turned the incident into an attack on the concept of mobile app stores and attacked Google for irresponsible disclosure.
The following statement was delivered to Mashable.
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.
It is unclear what responsible disclosure Sweeney intended, given that the bug had been fixed for 7 days before Google disclosed it. Normal app stores check for app updates once a day; if Sweeney’s own app cannot handle such a simple task, then perhaps he should spend less time badmouthing all and sundry and more time understanding why companies like Microsoft and Google are now pushing the secure app store model.