Tim Sweeney says Google's Fortnite security report created 'an unnecessary risk' for Android users
Epic Games boss Tim Sweeney called Google 'irresponsible' after the search giant publicly revealed a security flaw in the Android version of Fortnite.
A new and perhaps unintended rivalry seems to have formed between tech giant Google and Epic Games, the developers of Fortnite. Google recently published a report detailing security flaws in the Android version of Epic Games' hit battle royale title, and Epic's Tim Sweeney has now taken to the internet to explain how Google not only failed to grant a request to delay the publication of the report, but also "created an unnecessary risk for Android users" in the process.
Edit: this article was updated at 3:22 p.m. to clarify the timeframes involved around the Fortnite Android security vulnerability and the availability of its patch.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details. — Tim Sweeney (@TimSweeneyEpic) August 25, 2018
A little bit of history: mobile gaming fans had to wait months before the crew at Epic Games was able to port Fortnite over to Android devices. And, in a move that's only the slightest bit unusual, Epic Games eventually decided to release Fortnite for Android outside of the Google Play market, effectively cutting Google out of a potential 30% cut of the game's sales in the process.
To make matters more complicated, installing Android apps outside of the Google Play Store opens up the potential for security risks — users basically have to tell their phone it's okay to install applications from unknown sources. And as if that wasn't enough, Google's report on the Fortnite app itself found that the software could essentially be hijacked by other apps in order to "install a fake APK with any permissions that would normally require user disclosure."
There’s a technical detail here that’s important. The Fortnite installer only updates when you run it or run the game. So if a user only runs it every N days, then the update won’t be installed for N days. We felt N=90 would be much safer than N=7. — Tim Sweeney (@TimSweeneyEpic) August 26, 2018
According to a report from Eurogamer, Epic Games requested that Google give the studio 90 days before alerting the public, as opposed to Google's typical seven-day waiting period. That request was not met, and though Epic was able to fix the vulnerability only a matter of days after it was found, the publication of the report opened up a window that allowed coders and hackers to begin to explore Fortnite Android's security flaws.
This seems to be where most of Sweeney's contention lies: that Google failed to grant a simple request, and turned a small and relatively common problem into a potential disaster. Speaking on Twitter, Sweeney called Google out for "creating an unnecessary risk for Android users in order to score cheap PR points."
The word punishment is very appropriate here, but how does rapidly disclosing the technical details of a security flaw to hackers do anything to protect Android users? — Tim Sweeney (@TimSweeneyEpic) August 28, 2018
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points. — Tim Sweeney (@TimSweeneyEpic) August 25, 2018
While it's easy to see why Sweeney might be miffed with Google over creating a potentially dangerous situation for Fortnite fans and Android users, this situation does feel karmic. After all, Google treated Epic Games the same way they'd apparently treat just about any other software developer — it just happens that in this case, the developer in question was one that refused to adhere to Google's typical Android software market standards.
As for the bottom line, Fortnite on Android has been patched, and the security vulnerability has been neutralized. Google did its part in notifying the public, and Epic Games did its part in keeping Android gamers' phones more secure. It's doubtful that this turn of events will have any influence over the future success of Fortnite, but all the same, we encourage Android players to update their software to the latest version as soon as possible.
Kevin Tucker posted a new article, Tim Sweeney says Google's Fortnite security report created 'an unnecessary risk' for Android users
I thought generally you only alert the public on bugs and security issues after it's been patched, not before. Google doing this makes no sense. Why are they reporting to the public about apps released outside their store front? For the good of the general public? This just looks like one company bullying another.
No, as a rule you alert the public after a certain fixed period of time, when a patch becomes available, or when active exploits are in the wild. It's done that way to keep companies honest when it comes to fixing things, and to give people the ability to mitigate the problem themselves as quickly as possible.