Epic’s decision to launch Fortnite for Android outside of Google Play was an interesting one. It was obvious that the company was trying to avoid paying Google a cut of in-app purchases made within the game, but the move raised some eyebrows, with some questioning the decision mainly on security grounds.
It looks like the naysayers might have been proven right: the game’s Android installer shipped with a security flaw, and ironically enough it was Google who discovered it (via TechCrunch). The issue could have been detected or avoided had the game been released via the Play Store.
That being said, to Epic’s credit, its developers were quick to fix the flaw and had the fix completed in less than a day, meaning that there was little chance that the flaw could have been discovered by hackers and exploited in that short window of time. Epic had previously asked Google to wait 90 days before disclosing the bug, as they are wont to do, but it seems that Google decided to go ahead and publish it early regardless.
Epic’s CEO Tim Sweeney clearly wasn’t too thrilled by this development and has since issued a statement to Android Central in which he called Google “irresponsible” for disclosing the technical details of the flaw this soon:
Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.