A still from ‘Fortnite’. Image: Epic Games
Epic Games phenomenon ‘Fortnite’ has been out for just a few weeks on Android, but security flaws are already appearing.
The Android version of Fortnite has only been around since the middle of August. The developers behind the title, Epic Games, chose to bypass the Google Play Store.
Instead, it asked fans to download the game directly, disabling some pretty important security settings to do so.
Avoiding Google Play Store
The Android version of the game is unavailable on the Google Play Store, as Epic Games wants to avoid forking out for Google’s 30pc cut of in-app purchases. Users who want the game need to go to Epic Games’ website and download the Fortnite Installer app, which will install the game and ensure it is updated.
This distribution method opens users up to a bevy of risks by allowing installation from “unknown sources” through the browser. Users must also ensure they are downloading the app from the correct Epic Games website, as there are copies used by cyber-criminals.
Epic Games recently patched a critical man-in-the-disk (MiTD) flaw for the Android version of the game. It exists on the Fortnite Installer, which downloads the game’s APK to external storage on an Android device.
Epic Games anger at Google
Epic Games issued the patch on 17 August, but Google made it public after seven days. This is despite Epic Games asking for a 90-day timeline to complete its automatic update process.
CEO of Epic Games, Tim Sweeney, said Google created “an unnecessary risk for Android users in order to score cheap PR points”.
Sweeney added: “There’s a technical detail here that’s important. The Fortnite Installer only updates when you run it or run the game. So, if a user only runs it every N days, then the update won’t be installed for N days. We felt N=90 would be much safer than N=7.”
Some security researchers are noting that while Google did disclose early, Epic Games was initially putting users at risk with the new distribution method.
How does the flaw work?
The MiTD issue is due to the way Android’s OS is designed. This design flaw was publicised by Check Point at Def Con this year. Put simply, Android’s OS uses two types of storage: internal storage provides every app with its own sandbox, while external storage uses a removable SD card and is shared across the OS and all apps. External storage is shared to enable apps to transfer data between each other.
Using external storage, while common, can sometimes create risks for devices, exposing critical data to external storage. This kind of oversight means critical data written to the external storage could be accessed and replaced. Silent malware downloads are often a result. Google explained that an attacker can easily replace the Android Fortnite APK with a fake version.
