Technology
‘Fortnite’ on Android had a critical security flaw
- “Fortnite” launched on Android recently, starting with Samsung smartphones and expanding out to other major flagship Android phones.
- Instead of launching on Google’s Play Store, Epic Games opted to skip the storefront and distribute the free game itself.
- By skipping Google’s storefront, a critical security flaw was introduced to the download process.
- The issue went unnoticed by Epic Games until Google pointed it out. It has since been fixed.
- This example highlights a major security risk that comes with mass distribution of software, and why platforms like Google Play are important.
When the insanely popular game “Fortnite” finally arrived on
Android earlier this month, it skipped Google’s ubiquitous Play
Store.
You couldn’t just navigate to Google’s store and download
“Fortnite.” It wasn’t there.
There was a clear reason to skip the Google Play Store: Google
takes 30% of all sales through its storefront, and “Fortnite”
maker Epic Games wanted to keep 100% of its sales. “The 30% store
tax is a high cost in a world where game developers’ 70% must
cover all the cost of developing, operating, and supporting their
games,” Epic Games founder and CEO Tim Sweeney
told me earlier this month.
“Thirty percent is disproportionate to the cost of the services
these stores perform — such as payment processing, download
bandwidth, and customer service,” he said.
And thus, in a brazen move, Epic skipped Google Play with
“Fortnite.”
Instead, you must navigate to a website operated by Epic Games
where you can download what’s called an “installer.” That
installer program from Epic then facilitates the download and
management of “Fortnite.”
It was apparently in this step of the installation process where
“Fortnite” had a critical security flaw.
“Any app with the WRITE_EXTERNAL_STORAGE permission can
substitute the APK immediately after the download is completed
and the fingerprint is verified,” a Google
engineer wrote in mid-August, as
discovered by TechCrunch. “This is easily done using a
FileObserver. The Fortnite Installer will proceed to install the
substituted (fake) APK.”
In so many words, the “Fortnite” installation program on Android
had a loophole: it checked the downloaded file and then installed
it from shared storage, so a malicious app already on the phone
could swap in its own APK between the check and the install.
Worse, that wasn’t the only problem if you were downloading the
game on a Samsung phone or tablet.
As the Google engineer, identified only as Edward, said:
“On Samsung devices, the Fortnite Installer performs the APK
install silently via a private Galaxy Apps API. This API checks
that the APK being installed has the package name
com.epicgames.fortnite. Consequently the fake APK with a matching
package name can be silently installed.”
In plain terms, on Samsung devices the silent install only verified
that the package name of the APK matched “com.epicgames.fortnite”.
If a piece of malicious software were swapped in carrying the same
package name, it would pass muster and be installed.
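The two flaws described above are a check-then-use race on shared storage and a silent install gated only on a package name. The following simulation is an added example and is not Epic’s or Google’s code: it stands in for the installer with Python file operations, uses constructed sample bytes in place of real APKs, and names an `after_verify` hook as a hypothetical stand-in for another app’s FileObserver firing. It shows the flawed flow installing the substituted file, the fixed flow installing the bytes it actually verified, and a signer check in place of the name-only check.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sample payloads standing in for APK files (not real Fortnite data).
GENUINE_APK = b"PK\x03\x04 genuine-apk-bytes"
FAKE_APK = b"PK\x03\x04 substituted-apk-bytes"
EXPECTED_FINGERPRINT = hashlib.sha256(GENUINE_APK).hexdigest()

def install_vulnerable(apk_path: Path, expected: str,
                       after_verify: Optional[Callable[[], None]] = None) -> bytes:
    """Flawed flow: verify the file on shared storage, then re-read the path to install.
    Anything able to write that path in between (the FileObserver race) wins."""
    if hashlib.sha256(apk_path.read_bytes()).hexdigest() != expected:
        raise ValueError("fingerprint mismatch")
    if after_verify:
        after_verify()              # hypothetical hook: another app swaps the file here
    return apk_path.read_bytes()    # bytes actually handed to the installer

def install_hardened(apk_path: Path, expected: str,
                     after_verify: Optional[Callable[[], None]] = None) -> bytes:
    """Fixed flow: read once, verify those bytes, install exactly those bytes.
    On Android the download should also live in app-private storage (getFilesDir()),
    which other apps cannot write even with WRITE_EXTERNAL_STORAGE."""
    data = apk_path.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError("fingerprint mismatch")
    if after_verify:
        after_verify()              # the swap on disk no longer affects what is installed
    return data

def race_outcome(installer: Callable[..., bytes]) -> str:
    """Run an installer on a genuine download while a simulated attacker overwrites the
    file right after verification; report which payload was installed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "fortnite.apk"
        path.write_bytes(GENUINE_APK)
        installed = installer(path, EXPECTED_FINGERPRINT,
                              lambda: path.write_bytes(FAKE_APK))
        return "fake" if installed == FAKE_APK else "genuine"

def silent_install_allowed(package_name: str, signer_sha256: str,
                           expected_signer: str) -> bool:
    """Lesson from the Samsung check: a package name is chosen by whoever builds the APK,
    so a silent install must also be gated on the signing certificate digest."""
    return package_name == "com.epicgames.fortnite" and signer_sha256 == expected_signer
```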
This “Fortnite” security kerfuffle on Android highlights an issue
that critics leveled when Epic first announced plans to skip the
Google Play Store: Downloading installer software outside of
Google Play forces users to accept installation
of all software from “unknown sources.”
Because the “Fortnite” installer is downloaded from Epic Games’
website, and the game it installs is being downloaded from Epic
Games — outside the Google Play Store — users have to explicitly
open various security permissions that would otherwise remain
secured.
For example: When I downloaded the “Fortnite” installer on a
Google Pixel 2 smartphone, Android prompted me with several
warnings that I wasn’t allowed to download or install software
outside of Google Play without first giving explicit permission.
Opening those security permissions is required to install
“Fortnite.”
It’s this toggle that poses a threat, as it opens up the phone to
malicious third-party software from similarly “unknown sources.”
Coupled with the issues Epic introduced by leaving security holes
in its installer, millions of “Fortnite” players were at risk of
having information stolen and/or their device bricked.
Both issues have since been patched by Epic Games; it’s unclear
if anyone was affected by the security flaws.