- "Fortnite" launched on Android recently, starting with Samsung smartphones and expanding out to other major flagship Android phones.
- Instead of launching on Google's Play Store, Epic Games opted to skip the storefront and distribute the free game itself.
- By skipping Google's storefront, a critical security flaw was introduced to the download process.
- The issue went unnoticed by Epic Games until Google pointed it out. It has since been fixed.
- This example highlights a major security risk that comes with mass distribution of software, and why platforms like Google Play are important.
When the insanely popular game "Fortnite" finally arrived on Android earlier this month, it skipped Google's ubiquitous Play Store.
You couldn't just navigate to Google's store and download "Fortnite." It wasn't there.
There was a clear reason to skip the Google Play Store: Google takes 30% of all sales through its storefront, and "Fortnite" maker Epic Games wanted to keep 100% of its sales. "The 30% store tax is a high cost in a world where game developers' 70% must cover all the cost of developing, operating, and supporting their games," Epic Games founder and CEO Tim Sweeney told me earlier this month.
"Thirty percent is disproportionate to the cost of the services these stores perform - such as payment processing, download bandwidth, and customer service," he said.
And thus, in a brazen move, Epic skipped Google Play with "Fortnite."
Instead, you must navigate to a website operated by Epic Games where you can download what's called an "installer." That installer program from Epic then facilitates the download and management of "Fortnite."
It was apparently in this step of the installation process where "Fortnite" had a critical security flaw.
"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified," a Google engineer wrote in mid-August, as discovered by Techcrunch. "This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK."
In so many words, the "Fortnite" installation program on Android had a loophole that allowed malicious actors to gain access to your phone. Worse, that wasn't the only problem if you were downloading the game on a Samsung phone or tablet.
As the Google engineer, identified only as Edward, said:
"On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed."
In plain terms, Samsung devices were only verifying that the name of the APK file matched "com.epicgames.fortnite" - if a piece of malicious software were swapped in with the same name, it would pass muster and be installed.
This "Fortnite" security kerfuffle on Android highlights an issue that critics leveled when Epic first announced plans to skip the Google Play Store: Downloading installer software outside of Google Play forces users to accept installation of all software from "unknown sources."
Because the "Fortnite" installer is downloaded from Epic Games' website, and the game it installs is being downloaded from Epic Games - outside the Google Play Store - users have to explicitly open various security permissions that would otherwise remain secured.
For example: When I downloaded the "Fortnite" installer on a Google Pixel 2 smartphone, Android prompted me with several warnings that I wasn't allowed to download or install software outside of Google Play without first giving explicit permission. Opening those security permissions is required to install "Fortnite."
It's this toggle that poses a threat, as it opens up the phone to malicious third-party software from similarly "unknown sources." Coupled with the issues Epic introduced by leaving security holes in its installer, millions of "Fortnite" players were at risk of having information stolen and/or their device bricked.
Both issues have since been patched by Epic Games; it's unclear if anyone was affected by the security flaws.