An epic vulnerability (pun intended) was discovered recently in the Fortnite Android installer. The flaw can be exploited by any app on the device that holds the WRITE_EXTERNAL_STORAGE permission: such an app can substitute the APK immediately after the download and before the installation completes. As a result, a malicious app could be installed in place of Fortnite.
According to reports, Google notified Epic about the flaw on August 15th. In cases like these, companies have 90 days to fix such a flaw. Epic not only took notice of this but was also very fast at taking action: it released a patch for the vulnerability within 2 days. That was pretty damn fast. Good job, Epic.
As for what the patch actually does, it changes the default APK storage directory from external to internal storage. How does that help? Internal storage is private to the app that owns it, so other apps cannot overwrite the downloaded file there. That helps to prevent a type of attack called Man-in-the-Disk (MITD) during the install flow.
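The storage change described above, sketched as an added Java example (not Epic's code and not from the original article). It goes one step beyond the patch by also checking a SHA-256 digest of the exact bytes handed to the installer; the class name, file name and the assumption that `expectedSha256` arrives over an authenticated channel are all hypothetical.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical installer helper (illustration only). */
public final class SafeApkInstall {

    // Risky pattern the article describes: the APK sits in shared external
    // storage, writable by any app holding WRITE_EXTERNAL_STORAGE.
    //   File apk = new File(Environment.getExternalStorageDirectory(), "game.apk");

    /** Hardened: app-private internal storage that other apps cannot write to. */
    static File downloadTarget(Context ctx) {
        return new File(ctx.getFilesDir(), "game.apk");
    }

    /**
     * Streams the APK into a PackageInstaller session while hashing the same
     * bytes, so the data that is verified is the data that gets installed.
     * The session is committed only if the digest matches expectedSha256.
     */
    static void install(Context ctx, File apk, byte[] expectedSha256,
                        IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            try (InputStream in = new DigestInputStream(new FileInputStream(apk), md);
                 OutputStream out = session.openWrite("base.apk", 0, apk.length())) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
                session.fsync(out); // flush staged bytes before deciding
            }
            if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
                session.abandon(); // discard the staged copy, install nothing
                throw new SecurityException("APK digest mismatch");
            }
            session.commit(statusReceiver);
        }
    }
}
```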
Tussle Between Google and Epic Games
If you think the issue ended there, you’re wrong. Epic asked Google not to disclose the flaw for the full 90-day period, reasoning that users would then have enough time to patch their installers. But Google disagreed and had other plans. Seven days after the patch was released, Google made the news public, ignoring Epic’s request. Google basically justified the move by saying it was just mandatory company procedure.
Epic Games CEO Tim Sweeney had a lot to say against Google’s move. He called it an ‘irresponsible’ decision that can endanger innocent users. He basically said that because Google revealed this so quickly, many devices might not have had the chance to update their installers yet.
Google and Epic right now are like two high school kids that don’t get along. It’s almost as if Google is taking revenge on Epic for deciding to host the game on its own platform instead of putting it on the Google Play Store. It was a profitable business decision, as Epic didn’t want to share the revenue from the game with Google, but it definitely didn’t go down well with Google, because it takes 30 percent of all purchases made through the Play Store. And let’s be honest, no business likes lost revenue.