‘Fortnite’ on Android had a critical security flaw


“Fortnite” launched on Android smartphones recently, but it skipped Google’s Play
Store. (Photo: Antonio Villas-Boas/Business Insider)


  • “Fortnite” launched on Android recently, starting with
    Samsung smartphones and expanding out to other major flagship
    Android phones.
  • Instead of launching on Google’s Play Store, Epic Games
    opted to skip the storefront and distribute the free game
    itself.
  • By skipping Google’s storefront, a critical security
    flaw was introduced to the download process.
  • The issue went unnoticed by Epic Games until Google
    pointed it out. It has since been fixed.
  • This example highlights a major security risk that
    comes with mass distribution of software, and why platforms
    like Google Play are important.

When the insanely popular game “Fortnite” finally arrived on
Android earlier this month, it skipped Google’s ubiquitous Play
Store. 

You couldn’t just navigate to Google’s store and download
“Fortnite.” It wasn’t there.

There was a clear reason to skip the Google Play Store: Google
takes 30% of all sales through its storefront, and “Fortnite”
maker Epic Games wanted to keep 100% of its sales. “The 30% store
tax is a high cost in a world where game developers’ 70% must
cover all the cost of developing, operating, and supporting their
games,” Epic Games founder and CEO Tim Sweeney told me earlier this month.

“Thirty percent is disproportionate to the cost of the services
these stores perform — such as payment processing, download
bandwidth, and customer service,” he said.

And thus, in a brazen move, Epic skipped Google Play with
“Fortnite.”

Instead, you must navigate to a website operated by Epic Games
where you can download what’s called an “installer.” That
installer program from Epic then facilitates the download and
management of “Fortnite.” 

It was apparently in this step of the installation process where
“Fortnite” had a critical security flaw. 


As seen in the middle screen, Android issues a warning screen about downloading
“APK” files from the internet; APK files are application files on Android.
(Image: Ben Gilbert/Business Insider/Epic Games)


“Any app with the WRITE_EXTERNAL_STORAGE permission can
substitute the APK immediately after the download is completed
and the fingerprint is verified,” a Google engineer wrote in mid-August, as
discovered by TechCrunch. “This is easily done using a
FileObserver. The Fortnite Installer will proceed to install the
substituted (fake) APK.”
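
The gap between verifying the download and installing it can be modeled outside Android. The following is an added example, not code from Epic, Google or the original article: a Python model in which temporary directories stand in for shared external storage and app-private storage, and every function name and byte string is constructed for illustration.

```python
import hashlib
import os
import tempfile

GENUINE = b"constructed stand-in for the genuine APK bytes"
SUBSTITUTE = b"constructed stand-in for a substituted APK"
EXPECTED = hashlib.sha256(GENUINE).hexdigest()  # fingerprint the installer trusts

def install_by_path(path, on_verified=lambda: None):
    """Flawed flow: verify the file at a shared path, then reopen that path."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != EXPECTED:
            raise ValueError("fingerprint mismatch")
    on_verified()  # gap between check and use; other writers can act here
    with open(path, "rb") as f:  # second read may return different bytes
        return f.read()  # stands in for what the install step received

def install_private_copy(path, private_dir, on_verified=lambda: None):
    """Hardened flow: stage into private storage, verify the staged bytes,
    and hand those same bytes to the install step."""
    staged = os.path.join(private_dir, "staged.apk")
    fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with open(path, "rb") as src, os.fdopen(fd, "wb") as dst:
        dst.write(src.read())
    with open(staged, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != EXPECTED:
        os.remove(staged)  # never leave an unverified file staged
        raise ValueError("fingerprint mismatch")
    on_verified()  # a later change to the shared path no longer matters
    return data

def run_demo():
    """Return (bytes installed by flawed flow, bytes installed by hardened flow)."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "download.apk")
        def overwrite_shared_copy():  # models a second writer to shared storage
            with open(apk, "wb") as f:
                f.write(SUBSTITUTE)
        with open(apk, "wb") as f:
            f.write(GENUINE)
        flawed = install_by_path(apk, overwrite_shared_copy)
        with open(apk, "wb") as f:
            f.write(GENUINE)
        hardened = install_private_copy(apk, private, overwrite_shared_copy)
        return flawed, hardened
```

In the flawed flow the fingerprint check passes and the substituted bytes are still what gets installed; in the hardened flow the bytes that were hashed are the bytes that are used, so a later write to the shared path has no effect.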

In so many words, the “Fortnite” installation program on Android
had a loophole that allowed malicious actors to gain access to
your phone. Worse, that wasn’t the only problem if you were
downloading the game on a Samsung phone or tablet.

As the Google engineer, identified only as Edward, said:

“On Samsung devices, the Fortnite Installer performs the APK
install silently via a private Galaxy Apps API. This API checks
that the APK being installed has the package name
com.epicgames.fortnite. Consequently the fake APK with a matching
package name can be silently installed.”

In plain terms, Samsung devices were only verifying that the APK’s package
name matched “com.epicgames.fortnite.” If a piece of malicious software were
swapped in with the same package name, it would pass muster and be installed.

This “Fortnite” security kerfuffle on Android highlights an issue
that critics raised when Epic first announced plans to skip the
Google Play Store: Downloading installer software outside of
Google Play forces users to accept installation
of all software from “unknown sources.”

Because the “Fortnite” installer is downloaded from Epic Games’
website, and the game it installs is being downloaded from Epic
Games — outside the Google Play Store — users have to explicitly
open various security permissions that would otherwise remain
secured. 



For example: When I downloaded the “Fortnite” installer on a
Google Pixel 2 smartphone, Android prompted me with several
warnings that I wasn’t allowed to download or install software
outside of Google Play without first giving explicit permission.
Opening those security permissions is required to install
“Fortnite.”

It’s this toggle that poses a threat, as it opens up the phone to
malicious third-party software from similarly “unknown sources.”
Coupled with the issues Epic introduced by leaving security holes
in its installer, millions of “Fortnite” players were at risk of
having information stolen and/or their device bricked.

Both issues have since been patched by Epic Games; it’s unclear
if anyone was affected by the security flaws.
