‘Fortnite’ on Android had a critical security flaw
- “Fortnite” launched on Android recently, starting with Samsung smartphones and expanding out to other major flagship Android phones.
- Instead of launching on Google’s Play Store, Epic Games opted to skip the storefront and distribute the free game itself.
- By skipping Google’s storefront, a critical security flaw was introduced to the download process.
- The issue went unnoticed by Epic Games until Google pointed it out. It has since been fixed.
- This example highlights a major security risk that comes with mass distribution of software, and why platforms like Google Play are important.
When the insanely popular game “Fortnite” finally arrived on
Android earlier this month, it skipped Google’s ubiquitous Play
Store.
You couldn’t just navigate to Google’s store and download
“Fortnite.” It wasn’t there.
There was a clear reason to skip the Google Play Store: Google
takes 30% of all sales through its storefront, and “Fortnite”
maker Epic Games wanted to keep 100% of its sales. “The 30% store
tax is a high cost in a world where game developers’ 70% must
cover all the cost of developing, operating, and supporting their
games,” Epic Games founder and CEO Tim Sweeney
told me earlier this month.
“Thirty percent is disproportionate to the cost of the services
these stores perform — such as payment processing, download
bandwidth, and customer service,” he said.
And thus, in a brazen move, Epic skipped Google Play with
“Fortnite.”
Instead, you must navigate to a website operated by Epic Games
where you can download what’s called an “installer.” That
installer program from Epic then facilitates the download and
management of “Fortnite.”
It was apparently in this step of the installation process where
“Fortnite” had a critical security flaw.
“Any app with the WRITE_EXTERNAL_STORAGE permission can
substitute the APK immediately after the download is completed
and the fingerprint is verified,” a Google
engineer wrote in mid-August, as
discovered by Techcrunch. “This is easily done using a
FileObserver. The Fortnite Installer will proceed to install the
substituted (fake) APK.”
In so many words, the “Fortnite” installation program on Android
had a loophole that let a malicious app already on the phone get
its own code installed in place of the game. Worse, that wasn’t the
only problem if you were downloading the game on a Samsung phone or
tablet.
As the Google engineer, identified only as Edward, said:
“On Samsung devices, the Fortnite Installer performs the APK
install silently via a private Galaxy Apps API. This API checks
that the APK being installed has the package name
com.epicgames.fortnite. Consequently the fake APK with a matching
package name can be silently installed.”
In plain terms, Samsung devices were only verifying that the package
name inside the APK matched “com.epicgames.fortnite” — if a piece of
malicious software were swapped in carrying the same package name,
it would pass muster and be installed.
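The two weaknesses quoted above are a check-then-use race on shared storage and an identity check that compares only the package name. The following Python simulation is an added illustration, not code from Epic, Google or Samsung, and it does not touch the real APK format or Android APIs: "APK" here is a constructed byte string holding a package name, a signer fingerprint and a payload, and `SharedStorage` stands in for world-writable external storage with an observer that plays the role of another app's FileObserver. It contrasts an installer that hashes a file and then re-reads it from shared storage with one that verifies and installs the very same bytes, and contrasts a package-name-only check with one that also pins the signer.

```python
import hashlib

# Constructed stand-in for an APK (not the real format): package|signer|payload.
def make_apk(package, signer, payload):
    return f"{package}|{signer}|{payload}".encode()

GENUINE_SIGNER = "aa11"  # constructed fingerprint of the legitimate signing key
GENUINE_APK = make_apk("com.epicgames.fortnite", GENUINE_SIGNER, "genuine game")
FAKE_APK = make_apk("com.epicgames.fortnite", "ff00", "malicious payload")
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


class SharedStorage:
    """Simulated external storage that any app with write permission can modify.

    Observers run after every read, modelling a FileObserver in another app that
    reacts the moment the installer has touched the downloaded file.
    """

    def __init__(self):
        self.files = {}
        self.observers = []

    def write(self, path, data):
        self.files[path] = data

    def read(self, path):
        data = self.files[path]
        for observer in self.observers:
            observer(self, path)
        return data


def attacker_observer(storage, path):
    # Replace the file as soon as the installer has read (and hashed) it.
    storage.write(path, FAKE_APK)


class InstallRejected(Exception):
    pass


def vulnerable_install(storage, path):
    """Check-then-use: hash the downloaded file, then re-read it to install."""
    if hashlib.sha256(storage.read(path)).hexdigest() != EXPECTED_SHA256:
        raise InstallRejected("fingerprint mismatch")
    # Second read from shared storage: the bytes may no longer be the verified ones.
    return storage.read(path)


def hardened_install(storage, path):
    """Read once, verify those bytes, and install exactly those bytes.

    On a real device the equivalent is downloading into app-private storage
    that other apps cannot write to, then verifying and installing from there.
    """
    data = storage.read(path)
    if hashlib.sha256(data).hexdigest() != EXPECTED_SHA256:
        raise InstallRejected("fingerprint mismatch")
    return data


def package_name_only_check(apk):
    """Compares only the package name, as described for the Galaxy Apps path."""
    package, _, _ = apk.decode().split("|")
    return package == "com.epicgames.fortnite"


def identity_check(apk):
    """Package name plus signer fingerprint: a same-named fake is rejected."""
    package, signer, _ = apk.decode().split("|")
    return package == "com.epicgames.fortnite" and signer == GENUINE_SIGNER


def run_scenario(install):
    """Download the genuine APK, then install while the attacker watches the file."""
    storage = SharedStorage()
    storage.write("Download/fortnite.apk", GENUINE_APK)
    storage.observers.append(attacker_observer)
    return install(storage, "Download/fortnite.apk")


if __name__ == "__main__":
    print("vulnerable installs fake:", run_scenario(vulnerable_install) == FAKE_APK)
    print("hardened installs genuine:", run_scenario(hardened_install) == GENUINE_APK)
    print("name-only check accepts fake:", package_name_only_check(FAKE_APK))
    print("identity check accepts fake:", identity_check(FAKE_APK))
```

The point of the simulation is that a fingerprint check only protects the bytes that were hashed; if the installer goes back to a location other apps can write to, the check proves nothing about what gets installed. Likewise a package name is attacker-chosen metadata, so an install gate needs to bind to something only the legitimate publisher controls, such as the signing key.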
This “Fortnite” security kerfuffle on Android highlights an issue
that critics leveled when Epic first announced plans to skip the
Google Play Store: Downloading installer software outside of
Google Play forces users to accept installation
of all software from “unknown sources.”
Because the “Fortnite” installer is downloaded from Epic Games’
website, and the game it installs is being downloaded from Epic
Games — outside the Google Play Store — users have to explicitly
open various security permissions that would otherwise remain
secured.
For example: When I downloaded the “Fortnite” installer on a
Google Pixel 2 smartphone, Android prompted me with several
warnings that I wasn’t allowed to download or install software
outside of Google Play without first giving explicit permission.
Opening those security permissions is required to install
“Fortnite.”
It’s this toggle that poses a threat, as it opens up the phone to
malicious third-party software from similarly “unknown sources.”
Coupled with the issues Epic introduced by leaving security holes
in its installer, millions of “Fortnite” players were at risk of
having information stolen and/or their device bricked.
Both issues have since been patched by Epic Games; it’s unclear
if anyone was affected by the security flaws.