Fortnite’s Android installer shipped with an Epic security flaw

Google has clapped back in tremendous fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted exactly zero time pointing out this egregious mistake.

By way of a short explanation of why this was even happening, Epic explained when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.” Everyone of course understood that what Epic meant was that it didn’t want to share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.

Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.

Google, understandably, was not amused with Epic’s play, which no doubt played a part in the decision to scrutinize the download and installation process — though I’m sure the safety of its users was also a motivating factor. And wouldn’t you know it, they found a whopper right off the bat.

In a thread posted a week after the Fortnite downloader went live, a Google engineer by the name of Edward explained that the installer basically would allow an attacker to install anything they want using it.

The Fortnite installer basically downloads an APK (the package for Android apps), stores it locally, then launches it. But because it was stored on shared external storage, a bad guy could swap in a new file for it to launch, in what’s called a “man in the disk” attack.

And because the installer only checked that the name of the APK is right, as long as the attacker’s file is called “com.epicgames.fortnite,” it would be installed! Silently, and with lots of extra permissions too, if they want, because of how the unknown sources installation policies work. Not good!

Edward pointed out this could be fixed easily and in a magnificently low-key bit of shade-throwing helpfully linked to a page on the Android developer site outlining the basic feature Epic should have used.
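The risky pattern described above beside a hardened variant, as an added example that is not Epic’s installer code. It assumes the update server sends the APK’s SHA-256 alongside the download over HTTPS and that the app’s manifest declares a FileProvider with authority `<applicationId>.fileprovider` covering both locations; the article does not say which Android feature Edward linked to, so app-private internal storage is an assumption here.

```java
// Added example, not Epic's code. Assumptions: expected SHA-256 arrives over HTTPS with the
// download; a FileProvider "<applicationId>.fileprovider" is declared in the manifest.
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;
import java.io.*;
import java.nio.file.*;
import java.security.*;

public final class ApkLauncher {
    private static final String EXPECTED_PKG = "com.epicgames.fortnite"; // from the article
    // RISKY pattern from the article: the APK sits on shared external storage, so another app
    // can overwrite it between this check and the install, and the only thing checked is a
    // package name that the attacker's APK can declare just as easily.
    static void launchFromSharedStorage(Context ctx, String fileName) {
        File apk = new File(Environment.getExternalStorageDirectory(), fileName);
        PackageInfo info = ctx.getPackageManager().getPackageArchiveInfo(apk.getPath(), 0);
        if (info == null || !EXPECTED_PKG.equals(info.packageName)) return;
        startInstall(ctx, apk);
    }

    // SAFER: stream the download into app-private internal storage, which other apps cannot
    // modify, and hash the bytes as they are written; because nothing else can touch the
    // file afterwards, the digest describes exactly what the installer will receive.
    static boolean launchVerified(Context ctx, InputStream download, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File apk = new File(ctx.getFilesDir(), "update.apk");
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(download, md)) {
            Files.copy(in, apk.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
            apk.delete(); // digest mismatch: reject the file and launch nothing
            return false;
        }
        startInstall(ctx, apk);
        return true;
    }
    private static void startInstall(Context ctx, File apk) {
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + ".fileprovider", apk);
        Intent i = new Intent(Intent.ACTION_INSTALL_PACKAGE)
                .setDataAndType(uri, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(i);
    }
}
```

Even with a stronger check, the first method would stay exposed, because the file can change between the check and the install; moving the file out of shared storage is what removes the window.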

To Epic’s credit, its engineers jumped on the problem immediately and had a fix in the works by that very afternoon and deployed by the next one. Epic InfoSec then requested Google to wait 90 days before publishing the information.

As you can see, Google was not feeling generous. One week later (that’s today) and the flaw has been published on the Google Issue Tracker site in all its… well, not glory exactly. Really, the opposite of glory. This seems to have been Google’s way of warning any would-be Play Store mutineers that they would not be given gentle handling.

Epic Games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the way, predicted that this exact thing would happen — he took the company to task for its “irresponsible” decision to “endanger users.”

Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google’s security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.

Indeed, companies really should try not to endanger their users for selfish reasons.


Android – TechCrunch

Google Ejects Android ROM-Maker Cyanogen’s Installer App From Play – Citing Developer T&C Violations

Well that didn’t take long. Google has asked Cyanogen Inc. to remove its alternative Android ROM installer app from the Play store.

Cyanogen raised $7 million from Benchmark Capital back in September to turn its geek-beloved aftermarket version of Android into a mainstream flavour of the platform – with the ultimate aim of using an Android variant to compete with standard Android (and iOS) for consumers’ attention.

To kick off its mainstream market targeting effort, Cyanogen released an installer app for its CyanogenMod earlier this month – to make it easier for less tech savvy Android users to flash the ROM on their devices.

But, writing in a blog yesterday, Cyanogen said Google’s Play support team had contacted it to ask it to remove the app, citing violations of Play’s developer terms – warning that if the app wasn’t voluntarily removed it would be forcibly ejected.

So Cyanogen’s attempt to boost the popularity of its Android-based alternative to Android apparently got Google’s attention too.


At the time of writing Google had not responded to requests for comment on why it asked Cyanogen to remove its installer app.

But here’s what Cyanogen said Google told it:

Today, we were contacted by the Google Play Support team to say that our CyanogenMod Installer application is in violation of Google Play’s developer terms.

They advised us to voluntarily remove the application, or they would be forced to remove it administratively. We have complied with their wishes while we wait for a more favorable resolution.

To those unfamiliar with the application, it has a single function – to guide users to enable “ADB”, a built in development and debugging tool, and then navigates the user to the desktop installer. The desktop application then performs the installation of the CyanogenMod on their Android device.

After reaching out to the Play team, their feedback was that though the application itself is harmless, since it ‘encourages users to void their warranty’, it would not be allowed to remain in the store.

Android being an open platform means users can still download and install Cyanogen Mod via a number of routes, including from Cyanogen’s own website.

However, if you’re on a mission to lower the barrier of entry to your alternative Android firmware, requiring people to seek out and sideload your software rather than stumble across an installer app sitting on the shelves of Google’s mainstream store does make that mission a lot harder – as Cyanogen’s blog post goes on to note:

Fortunately, Android is open enough that devices allow for installing applications via ‘Unknown Sources’ (i.e. sideload). Though it’s a hassle and adds steps to the process, this does allow us a path forward, outside of the Play Store itself.

According to Cyanogen, the installer app was downloaded “hundreds of thousands” of times in the two-plus weeks it was available on Google Play, which it argues proves “the demand for more choice” – another reason Google may have started feeling uncomfortable about the installer’s presence on its store. Android may be an open platform but Google Play is very much ‘made and maintained in Mountain View’.

Cyanogen is clearly hoping to resolve the Play blip if it can. “As we work through this new hurdle, we will continue to make available and support the installation process via our own hosting services,” it added in its blog.

Why might the average Android user want to install Cyanogen Mod? It’s a way to ditch the bloatware and crapware loaded onto many Android devices by carriers, for instance, or to remove a custom Android skin – such as HTC’s Sense UI – that’s irritating or slows down the Android experience.

Custom skins also typically delay the process of getting Android updates, and can also leave Android users stuck on older versions of the platform even if their device hardware could technically handle an upgrade.

Cyanogen Mod also includes features not offered in standard Android – including native theming, an OpenVPN client, support for Wi-Fi, Bluetooth and USB tethering, CPU overclocking and FLAC audio codec support.

In addition, Cyanogen argues that its ROM can increase the performance and reliability of Android compared with official firmware releases.

Why might Google be nervous about Cyanogen? If an alternative Android platform was able to gain significant traction it could undermine Google’s monetisation of Android – via the services it preloads onto Android (such as Play, Maps, YouTube) – by providing an opportunity for other services to be preloaded instead (as is often the case in the Chinese market).

It could also weaken Google’s control of Android, and it could erode the attractiveness of the platform in carriers’ eyes, making them less keen to promote Android devices to their customers and in their retail stores if they can’t be sure their users won’t be saddled with their branded bloatware.
