Tim Sweeney says Google's Fortnite security report created 'an unnecessary risk' for Android users

Epic Games boss Tim Sweeney called Google 'irresponsible' after the search giant publicly revealed a security flaw in the Android version of Fortnite.

6

A new and perhaps unintended rivalry seems to have formed between tech giant Google and Epic Games, the developers of Fortnite. Google recently published a report detailing security flaws in the Android version of Epic Games' hit battle royale title, and Epic's Tim Sweeney has now taken to the internet to explain how Google not only failed to grant a request to delay the publication of the report, but also "created an unnecessary risk for Android users" in the process.

Edit: this article was updated at 3:22 p.m. to clarify the timeframes involved around the Fortnite Android security vulnerability and the availability of its patch.

A little bit of history: mobile gaming fans had to wait months before the crew at Epic Games was able to port Fortnite over to Android devices. And, in a move that's only the slightest bit unusual, Epic Games eventually decided to release Fortnite for Android outside of the Google Play market, effectively cutting Google out of a potential 30% cut of the game's sales in the process.

To make matters more complicated, installing Android apps outside of the Google Play Store opens up the potential for security risks — users basically have to tell their phone it's okay to install applications from unknown sources. And as if that wasn't enough, Google's report on the Fortnite app itself found that the software could essentially be hijacked by other apps in order to "install a fake APK with any permissions that would normally require user disclosure."

According to a report from Eurogamer, Epic Games requested that Google give the studio 90 days before alerting the public, as opposed to Google's typical seven-day waiting period. That request was not met, and though Epic was able to fix the vulnerability only a matter of days after it was found, the publication of the report opened up a window that allowed coders and hackers to begin to explore Fortnite Android's security flaws.

This seems to be where most of Sweeney's contention lies: that Google failed to grant a simple request, and turned a small and relatively common problem into a potential disaster. Speaking on Twitter, Sweeney called Google out for "creating an unnecessary risk for Android users in order to score cheap PR points."

While it's easy to see why Sweeney might be miffed with Google over creating a potentially dangerous situation for Fortnite fans and Android users, this situation does feel karmic. After all, Google treated Epic Games the same way they'd apparently treat just about any other software developer — it just happens that in this case, the developer in question was one that refused to adhere to Google's typical Android software market standards.

As for the bottom line, Fortnite on Android has been patched, and the security vulnerability has been neutralized. Google did its part in notifying the public, and Epic Games did its part in keeping Android gamers' phones more secure. It's doubtful that this turn of events will have any influence over the future success of Fortnite, but all the same, we encourage Android players to update their software to the latest version as soon as possible.

Guides Editor

Kevin Tucker is a core component of Shacknews' powerful guide development team. For questions, concerns, tips, or to share constructive criticism, he can be reached on Twitter @dukeofgnar or through e-mail at kevin.tucker@shacknews.com.

From The Chatty
    • reply
      August 28, 2018 2:39 PM

      Almost everyone else said Epic's Tim Sweeney was a dumbass for trying to skip the Play Store.

    • reply
      August 28, 2018 3:03 PM

      I thought generally you only alert the public on bugs and security issues after it's been patched, not before. Google doing this makes no sense. Why are they reporting to the public about apps released outside their store front? For the good of the general public? This just looks like one company bullying another.

      • reply
        August 28, 2018 3:07 PM

        It was patched within 48 hours, which started their public disclosure timer. Their guidelines are to disclose things 7 days after the patch is released. The problem is the launchers update policy is super lazy, so there are probably still people out there with the buggy launcher.

        • reply
          August 28, 2018 3:09 PM

          Oh I guess I misread that part. I read it as Google waited 7 days after noticing the flaw, not seven days after it was patched

          • reply
            August 28, 2018 3:14 PM

            I think you're right, Google waited 7 days after notifying Epic, as is their policy. A fix was already available, but because Epic is run by morons and assholes there's no telling when users would actually get the update.

      • reply
        August 28, 2018 3:10 PM

        If I had an android phone I'd want to know about it. I would give no fucks for how Epic feels about it.

      • reply
        August 28, 2018 3:11 PM

        No, as a rule you alert the public after a certain fixed period of time, when a patch becomes available, or when active exploits are in the wild. It's done that way to keep companies honest when it comes to fixing things, and to give people the ability to mitigate the problem themselves as quickly as possible.

    • reply
      August 28, 2018 3:11 PM

      Why not release it through your own App installer and through the conventional appstores. From a security stand point wouldn't it make sense to have a safe install they can find instead of having to install a 3rd party APK just a thought.