'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief

The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

Google is butthurt

cuz epic is make billions off this game and they don't get any.

Re:Google is butthurt

[Tough+Love]

epic is make billions off this game and they don't get any

Not true. A popular game makes the Android platform more popular, sells more handsets, and enlarge Google's walled garden of services from which it derives advertising income.

Re:Google is butthurt

You mean Android, the most popular OS in the world (ahead of Windows and iOS combined), needs to pass up money to be more popular? Wow, they should really thank Epic for popularizing the Google brand.

Re:Google is butthurt

[Tough+Love]

Reading comprehension issues? OP wrote "don't get any". Now you are arguing a fallback. Suit yourself, Google still looks like shit over this and you know it.

Re:Google is butthurt

[thaylin]

if by "looks like shit" you mean looks responsible, you are correct.

Re:Google is butthurt

[Tough+Love]

So your new fallback argument is "shit is not shit". Nice.

Re:Google is butthurt

epic is make billions off this game and they don't get any

Not true. A popular game makes the Android platform more popular, sells more handsets, and enlarge Google's walled garden of services from which it derives advertising income.

Why does it make the Android platform more popular? That popular game is already available on all other platforms.

And you really think they aren't butthurt about not being able to take a 30% cut of the profits of one of the world's most popular and profitable games on their platform? Really? Come on.

Re:Google is butthurt

A popular game makes the Android platform more popular, sells more handsets, and enlarge Google's walled garden of services from which it derives advertising income.

so why do they take 30% of profit from the apps on the play store then? they should be doing that for free for the reasons you just stated. that would do what you suggest and also make Android way more attractive to developers.

Re: Google is butthurt

It's not about the money. If more developers start skipping the Google Play store, Google could lose control of Android (the control it imposes via the store and Google services) and Android *actually* becomes free open-source. They clearly don't want that.

Re:Google is butthurt

[Tough+Love]

you really think they aren't butthurt about not being able to take a 30% cut of the profits of one of the world's most popular and profitable games on their platform?

Nice strawman, I did not say any such thing.

Re:Google is butthurt

[Tough+Love]

so why do they take 30% of profit from the apps on the play store then? they should be doing that for free for the reasons you just stated.

Great point, and one not missed by antitrust regulators, particularly in Europe and Asia. Apple needs to worry about this too, and Apple shareholders for that matter.

Re: Google is butthurt

[Tough+Love]

If more developers start skipping the Google Play store, Google could lose control of Android (the control it imposes via the store and Google services) and Android *actually* becomes free open-source. They clearly don't want that.

Obviously not, but in the long run it is inevitable and most probably, Larry and Sergey already understand this. They will continue to rake in the 30% gravy while they can, but they will not make the mistake of trying to defend that windfall margin to the point that it brings in the regulators or the forks.

Re: Google is butthurt

Not to be pedantic to all, but they take thirty percent of sales, not profit.* There is a substantial difference for most works, and it can make the difference between success and failure.

* I am not trying to imply that epic hasn't made a boatload of money, they have, but they earned it, google did not. The primary advantage of the play store is that it provides exposure. The game is already pretty well known, so the perceived benefit of being listed on the store is not really of value, consequently, I understand epics approach.

Re:Google is butthurt

the original comment is that google is butthurt that they aren't getting any of the money that epic is making off fortnite on android. it's true, google gets none of that money.

Re: Google is butthurt

[Zero__Kelvin]

F-Droid has been around for quite some time. You can use it so they haven't stopped you at all. Most consumers don't want to be bothered; they want and like the Play centralized repository. Sure Google takes a cut, but they provide added value and the insinuation to the contrary is disingenuous. Finally it is the OS not the apps that are open source so you are conflating two separate issues.

They're miffed

[Hylandr]

Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.

Re:They're miffed

[93+Escort+Wagon]

People should've already been aware that Google isn't above playing politics with software vulnerabilities.

We've also seen it go the other way - where Google held onto vulnerability announcements regarding its own software far longer than the 90 days (or whatever it specifically is) Project Zero generally says is how long they're willing to wait.

Re:They're miffed

[Narcocide]

The real question is whether they've previously sued anyone else for irresponsible disclosure like this.

Re:They're miffed

[magarity]

There's 2 sides to this:
1. Google wants to get a cut
but
2. Users really, really, really, don't need yet another gaping security hole AKA "installer" on their devices.

Re:They're miffed

Well gee, it's hard to blame Google here. If Fortnite just used the Google App store, they wouldn't be putting their joint customers at risk.

Re:They're miffed

i wiped out a whole microsoft group because of a bad senior pm who did something like this. her ivy league degree did not include ethics let alone the interior ramifications that legal would have to deal with later on.

Re:They're miffed

[spire3661]

Users really really need to get software from places other than google.

Re:They're miffed

[Zmobie]

You must either work for Google or do some shady practices of your own. Google violated their own policies in stark contrast to normal practices to disclose this damn near as soon as it was found. They literally put people at risk irresponsibly and unethically simply because Epic decided to not contribute to their literal monopoly on app installation platforms for Android (the phone vendors have their own, but they are just trying to pull the same crap as Google on their hardware). This is past petty. I'm really starting to sour on Google's bullshit that they pull with every fucking product or platform they touch...

Also consider, Google is not handling this in any way different than Microsoft was with Internet Explorer and other software that they bundled into Windows, and remember Microsoft lost that anti-trust case badly. Now look at the browser market share... Hell honestly, it may be worse because Google is taking a MASSIVE cut of revenue for doing next to nothing anymore with Google Play. Seriously, most of these companies have to fork more over to Google than they do to the fucking US Government for taxes...

Re:They're miffed

You're perfectly free to use Google Play to deliver your software...

don't do so and it's on your own head

Re:They're miffed

[Aighearach]

The only way that they can have both, long term, is to charge close to the rate that banks charge.

Otherwise, they can only get the early adopters, and they'll get an entrenched reputation for inflated prices. Which is very bad for Google, since Apple does so much better with the "of course I paid more than you" crowd.

Expect a whole wave of these types of stories over the next few years.

Re:They're miffed

[Aighearach]

Most of my android software comes from F-droid, and that's been true for years!

Re:They're miffed

[Zmobie]

I should amend, I feel Google is going against the spirit of their policies (with their extension on disclosure) even though they didn't technically violate the letter of it. If you disagree, then to each their own.

Re:They're miffed

[Xylantiel]

I'm not sure which side you're coming down on.... once the patch is out it is much easier to reverse engineer the vulnerability, so the ethical thing for google to do is disclose it shortly after that time so people know that they need to update. All the ethics problems here seem to be on Epic's side. Google's app store charges may be too high, but that doesn't really compare to Epic's willingness to have their customers get malware just so they make more money.

Re:They're miffed

Everyone makes mistakes, and it's not like Android didn't have any security vulnerbilities either. It's sort of a dickhead move to anounce the PoC right after a patch, but it's not like it doesn't happen often either. I'm not sure there's a ethical problem with EPIC, they just wanted a 90 day window after the patch to probably make sure that they fixed everything. Asking though doesn't mean you'll get it.
Examples abound on Full Disclosure (http://seclists.org/fulldisclosure/)

Timeline
========
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, fixing started
2018-08-11 Patched version released: https://github.com/x41sec/OpenSC
2018-08-11 Advisory released

Re:They're miffed

30% of profit is "free"? Wow.

Re:They're miffed

Then really really put the effort into doing it right. Security is not easy - nor cheap.

That Epic had users installing this is fucking terrifyng.

Re:They're miffed

[farble1670]

it may be worse because Google is taking a MASSIVE cut of revenue for doing next to nothing anymore with Google Play

The whole reason Epic is able to make billions of dollars on Fortnite Android is because of development done by Google. Are you saying the billions and billions of dollars they spent building the Android ecosystem over the last decade is "next to nothing"?

Re:They're miffed

[viperidaenz]

You mean what Microsoft is now doing again with Edge?

Re:They're miffed

[viperidaenz]

Epic didn't want a security hole publicly announced while they were running their Android rollout campaign, making people think twice about the security warning they accept when side-loading apps on their phone.

Especially since they were already told doing things this way would put the security of their users at risk.

Re:They're miffed

Pro tip: Qualifiers like "anymore" may change the meaning of the sentence.

Re:They're miffed

[Zmobie]

Initial development is beside the point. They've made that investment back with tons of return so many times it is ridiculous. I'm perfectly fine with them taking some cut as everyone should be paid for their work, but 30% is excessive imho especially when they are just abusing a market monopoly. It might be different if they were continuing to invest that much into the infrastructure continuously, but as I said they barely do anything with the Play Store anymore. They also are monetizing in a lot of other ways despite what they want everyone to believe...

Re:They're miffed

[farble1670]

Pro tip: Qualifiers like "anymore" may change the meaning of the sentence.

If you develop a product, you get to make money on it up until (?), then you have to start giving it away for free. That's how it works.

And anyway, as far as Google Play, once you write the code and get those servers running, you just walk away from that shit and take a vacation. That's the Big Secret those Silicon Valley fat cats aren't telling us.

Re:They're miffed

[scdeimos]

@TimSweeneyEpic is just acting like a spoilt child. Epic has published the Fortnite installer patch and Google has acted according to their publicy posted Responsible Disclosure policy, https://www.google.com/about/a...

Re:They're miffed

[Zmobie]

Difference is there is now a viable market alternative and it shows in their market share. Microsoft has barely 10% share factoring in Edge and IE.

Re:They're miffed

[Zmobie]

Seriously man, you're actually like they are still pouring billions into it and getting shit returns for that. Not only that, don't think I ever said they had to give it away for free... I write software for a living, I know what the markets look like and that would be a pretty stupid position for me to take. You're taking a basic argument and way extending it to an extreme that was never even implied. This has gone beyond continuing to make a good living for their initial work. This has drifted well into the gouging realm.

Re:They're miffed

[farble1670]

Initial development is beside the point.

Since when? What other business operates like that? Do you think Honda starts selling their cars at cost when they've made enough profit for the year? How much is enough? Will you decide?

They've made that investment back with tons of return so many times it is ridiculous.

Can you provide revenues and expenditures for the Google Play division? Or do you just have a feeling about it?

but 30% is excessive imho

How much do you understand about what goes into Android? Development of the OS itself. Build all of the Google apps. The backend services. Working with hundreds of OEMs to support Android on their devices. Bug fixing. R&D. Server farms. Linux kernel work. Thousands of employees. All of the same for all the services Google apps depend on: messaging, gmail, calendar, maps, music, video, youtube etc. etc. etc. All with public facing APIs for developers.

I don't claim to know either, but I'm a software engineer with some experience and the scale of that is almost beyond comprehension.

Google is a rich company, but what % of that comes from Google Play? My guess is almost nothing relatively.

They also are monetizing in a lot of other ways despite what they want everyone to believe...

That's mysterious. Sounds like you know about something terrible, just terrible thing that none of us n00bs understands. Let me guess. I AM THE PRODUCT?

Re: They're miffed

It's easy to fault Google: They claim Android is free and open-source, but if a developer skips the "optional" Google service, Google will put Android users at risk just to make an example of the developer.

Re: They're miffed

[Zmobie]

Again, you're exaggerating my point way beyond what I said. I never said it has to be at cost or free. That would be absurdly idealistic and run counter to basic economic principles. Stop with this, you know it isn't even close to my point.

https://www.statista.com/stati...
https://www.statista.com/stati...

20 billion on play alone in 2017. Didn't see their revenue total but Q2 2018 was 30 so 120 is a safe assumption. Meaning it accounted for 1/6 of their revenue... They aren't dumping even half that into the distribution piece or even likely most of the support structure by now. There's your numbers. I'd say 16% is a bit bigger than "relatively nothing."

Now, considering I am a software engineer and work on enterprise level systems and architecture, yea I have a pretty good idea of what goes into Android development. Don't get on a high horse with that like I'm some pleb that doesn't know what I'm talking about. I've deployed large scale systems with everything you're mentioning for fortune 500 companies though mostly not consumer facing.

The last part is just you being asinine. I'm clearly referring to the largely known fact that Google collects and sells information and not even acting like somehow you don't know. Google does in fact want people to believe otherwise, I was merely making an aside.

Re:They're miffed

[farble1670]

Seriously man, you're actually like they are still pouring billions into it and getting shit returns for that.

Yes, Google is still pouring billions into what makes Android. Search. Google maps. Gmail. Hangouts. OS development. Security research. Visual design. Development APIs. Chrome browser. Linux kernel development. Assistant. Voice recognition. Play music. Youtube. Enumerable developer APIs. And so on.

Developers don't write apps for Android because of the store. The store is just a browser for apps. They write apps for Android because Google builds a rich ecosystem that has attracted millions of users, millions of users that will potentially pay for their apps and watch the ads in their apps. They've attracted thousands of OEMs to build many unique hardware permutations.

No, that stuff isn't "done."

Re: They're miffed

[Zmobie]

You ignored the second half of that statement which changes the meaning a lot. They are not trying shit returns on that, and that's the point. Bottom line it is a monopoly and you can choose to believe they won't abuse that but I don't and believe they definitely are.

Re: They're miffed

[Zmobie]

Getting* phone typing is apparently hard for me...

Re: They're miffed

Different AC here.

Yes, google effectively contributed next to nothing. Do you honestly believe that if android did not exist, all android users would not have a smartphone?

Re:They're miffed

one complicating issue is that a LOT of people are installing this particular game. If they do nothing and Epic takes its own sweet time to fix it, what happens? A lot of people around the world are compromised. It's not some obscure app where if you sit on it for 60 days, only a handful of people are burned. Disclosing it immediately, well, Epic fixed it pretty quick.

Re:They're miffed

[rtb61]

Look software coders get away with all sorts of crap, the worst warranties in the history of the word warranty for a start. It's called criminal negligence, https://en.wikipedia.org/wiki/.... This being the purposeful withholding from the public of faults in software which can be criminally exploited, to gain illegal access to the computing device. This not once but upon a repeated basis and in fact instituted illegally upon a cartel basis, all agree to keep secret security faults in each others software to protect their profit margins. "To constitute a crime, there must be an actus reus (Latin for "guilty act") accompanied by the mens rea (see concurrence). Negligence shows the least level of culpability, intention being the most serious, and recklessness being of intermediate seriousness, overlapping with gross negligence." So keeping software bugs secret from the public who should be made aware is technically a criminal act. Only one person needs to be hacked by a known and kept secret bug and those who kept it secret are guilty of a criminal act, that of criminal negligence.

Those little keep it secret deals are actually conspiracy with criminal intent to act in a criminally negligent fashion. By law, upon discovery, those faults should be immediately reported to the applicable authorities, they are the only ones allowed to decide whether or not it be kept secret, your little cushy deals, actually against the law.

Re:They're miffed

god help us if billions was spent on android...
it's basically just a shit java layer over Linux.
Sometimes I feel my PII @166Mhz did more than what a quad core 2Ghz ARM device with android do now.

But I must be getting old, i'm 30y/o now.

Re:They're miffed

[Gimric]

Except the people who get hacked and their android customers, not Epic.

Re: They're miffed

Let me kindly remind you that 1. Google has no business relationship with Epic (at least in regard to this particular game), 2. Google may have circumvented their 'usual' disclosure time, however, the vulnerability itself is exactly caused by Epic circumventing Google's store (with involved benefits and costs)

Re: They're miffed

He's just a PR shill for Big Brother Google. Don't feed the trolls.

Irresponsible Epic released vulnerable code.

Why turn it around on the distributor? Politics or no, Epic failed.

Re: Irresponsible Epic released vulnerable code.

Google is not the distributor. In fact they are aggressively acting out because they are not the distributor.

Re: Irresponsible Epic released vulnerable code.

[barc0001]

Google doesn't distribute Android? When did that happen?

Regardless, anyone with two brain cells to rub together could see this shitshow (and more in future) coming the second Epic announced that in order to install their software you'd have to allow uncertified install packs on Android. Many many people do not have the technical acumen to understand the full ramifications of that, and will probably forget to flip the switch when they're done, so a whole host of malware providers are even as we speak licking their chops waiting to take advantage of the holes in the devices Epic has just convinced their users to open.

Does Google charge too much on the Play Store? Probably. But it's their store and they can set any price they think the market will bear, just like anyone else. That's the deal for using Android. Epic is being very irresponsible.

Re: Irresponsible Epic released vulnerable code.

Bugs happen. Epic is at the very least responsible enough to patch rapidly. As long as the devs acknowledge and address the bug in a timely manner, the responsible thing to do is to allow a reasonable disclosure period. Google is just pissed because they got cut out of their money simply for hosting the installer, so they lashed out.

Re: Irresponsible Epic released vulnerable code.

[Megol]

I think you are a bit confused if you think this bug was in Android...

Re: Irresponsible Epic released vulnerable code.

You're a moron. Epic did the right thing in the abstract, they just fucked up the details.

Re: Irresponsible Epic released vulnerable code.

[tbuddy]

They did the same thing they do with other bugs. Give them 90 days to fix it and disclose 7 days after it is patched, whichever comes first. It's hard to say they are being unfair or aggressive since it is the exact same time window they have for anything else. It's not google's responsibility to hold on to the release beyond 7 days because Epic asks them for more time to ensure everything is long since patched.

Re:Irresponsible Epic released vulnerable code.

[The+Faywood+Assassin]

This is correct. If they don't want Google to shit on their parade, maybe they should have plugged the security holes.

Re: Irresponsible Epic released vulnerable code.

[drinkypoo]

It's not google's responsibility to hold on to the release beyond 7 days because Epic asks them for more time to ensure everything is long since patched.

It's not Google's responsibility to announce the vulnerability, either. They choose to do so, nobody is forcing them.

Re: Irresponsible Epic released vulnerable code.

vulnerabilities need to be announced as soon as they reasonably can, otherwise everyone is running on unpatched systems and being silently exploited, or not so silently once some ransomware gets on there.

Re: Irresponsible Epic released vulnerable code.

[barc0001]

I don't think this bug was in Android. I said that Google distributes Android. Totally separate pieces of information. I then added my opinion that Epic is for their own enrichment opening up additional security holes in a very irresponsible fashion.

Re: Irresponsible Epic released vulnerable code.

The problem is Google allows extensions at their discretion if the party with the vulnerability requests it. If Google feels like not giving you more time, then they will happily destroy your business or livelihood over what could be a simple human mistake. Their draconian disclosure policy treats large software companies and small developers exactly the same. And Google *specifically* searches for vulnerabilities to effectively hold these companies hostage. This isnâ(TM)t altruistic behavior. Iâ(TM)ll be damned if Google isnâ(TM)t playing the stock market knowing they will release damning news about another company and seek to profit from their douchbaggery. Fuck Google and Project Zero.

Re: Irresponsible Epic released vulnerable code.

[Zmobie]

I see two major problems with your argument. First, Android is supposed to be open source/marketed as being the open platform, but the practices of Google are really counter to this. Normally I don't care to get into the pissing matching between companies (frankly I don't care if the companies kill each other usually), but these particular pissing matches are actually harming consumers. Then, Google is intentionally distributing Android with some built in dark patterns to scare users into only being comfortable with using Google Play where they get a large cut of profits for very little work. I mean they didn't even put that much work into Google Play to start. I don't mind them taking some profit as that is how the Android Platform is monetized and allows it to be freely distributed, but they literally take more money than these companies are taxed. Something is pretty wrong with that picture.

On top of that, they have taken great pains to prevent other stores from taking much hold or allowing for simplified individual distribution to the Android platform in any way. Imagine the uproar if Microsoft did this with Windows. Epic did take a risk for this business decision and definitely fucked up with the execution, but Google is doing some real shady shit now and straight up trying to punish them. This is some fucking mob tactics to keep anyone else from doing the same and them losing the stranglehold on their distribution monopoly. This behavior is NOT good for consumers at all and honestly, pretty unfair to businesses and developers too.

Re: Irresponsible Epic released vulnerable code.

[barc0001]

The problem with your arguments are you're applying expectations of open-ness for PC OSs to the mobile phone market. You complain that:

> On top of that, they have taken great pains to prevent other stores from taking much hold or allowing for simplified individual distribution to the Android platform in any way. Imagine the uproar if Microsoft did this with Windows.

We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.

> First, Android is supposed to be open source/marketed as being the open platform,

And it is. To MANUFACTURERS. It's a packaged OS that anyone who wants to build a device around can do so. Your disconnect is you are conflating how Android is considered an open platform to how Linux is on the X86 space.

> Epic did take a risk for this business decision and definitely fucked up with the execution, but Google is doing some real shady shit now and straight up trying to punish them.

And I disagree. Google put a mechanism in for experienced users to be able to load an untrusted .apk file with the expectation that only people who understood the ramifications of doing so - i.e. so called "power users" - would use it. And now Epic's told everyone and their grandma to allow untrusted .apks to be installed on their phones. Epic is the party saying "Google wanted a cut of our cash flow so we're just gonna tell everyone to toss out a basic security feature of Android so we can make some more money!"

Re: Irresponsible Epic released vulnerable code.

[Zmobie]

The problem with your arguments are you're applying expectations of open-ness for PC OSs to the mobile phone market.

While true, why should they be applied different? Phones are just mini computers and in many cases people use them as their main computer anyway. The only reason the markets are treated differently in that regard is the companies behind the major developments engineered the market that way. It was a much more organic process with PCs originally and they were not able to force-feed consumers their own ideas with as much success (Plus as much as I dislike Torvalds, Linux gave a big middle finger to closed platform usage in the early days).

We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.

Apple is just as guilty if not more. The argument that "It isn't as bad as they other guy" is still weak. Using a more extreme example would be, "I'm not so bad, I only beat that guy into a state or paralysis/coma, while that guy beat another to death!" Neither one is right, just less wrong...

And it is. To MANUFACTURERS. It's a packaged OS that anyone who wants to build a device around can do so. Your disconnect is you are conflating how Android is considered an open platform to how Linux is on the X86 space.

When they came up with it originally they tried to compare it in much the same way as the Windows/Linux relationship, but they became very dissatisfied with the fragmentation of the market. While the Android One development has helped Android beat Apple they also used that initiative to solidify some monopolies within the platform. Google Play is the lynch pin to that monopoly. Companies can't even branch Android effectively and reach a decent market because of Google's policies with it and their is no real alternative market.

And I disagree. Google put a mechanism in for experienced users to be able to load an untrusted .apk file with the expectation that only people who understood the ramifications of doing so - i.e. so called "power users" - would use it. And now Epic's told everyone and their grandma to allow untrusted .apks to be installed on their phones. Epic is the party saying "Google wanted a cut of our cash flow so we're just gonna tell everyone to toss out a basic security feature of Android so we can make some more money!"

I'll give you that Epic did take a big risk in using that to accomplish this, but why exactly should Google have such a monopoly on the distribution of software to the phones? Same with Apple. It creates a serious pay to play scenario that isn't really different than the spirit of net neutrality. Google is trying to force people to access the consumers through them for a hefty fee. It is a "security feature" but it is also a digital bouncer for Google. Why can't they provide a more secure way for independent market places or developers to distribute apps? Simple, profit. They stand to make nothing and even lose their monopoly if they did that. If they really cared about users as much as they claim this would already be standard just like software security certificates and dll signing.

Re: Irresponsible Epic released vulnerable code.

[viperidaenz]

Fucked up like an amature.

And their reason for doing this is because they want to handle the in-app purchases themselves to make more profit.
So they can't write a secure installer and we're expecting them to securely handle peoples credit card information?

Re: Irresponsible Epic released vulnerable code.

[viperidaenz]

Google don't take all of the 30% for themselves. You can get Visa et all will be getting a decent cut of that.

Re: Irresponsible Epic released vulnerable code.

[viperidaenz]

Don't forget Epic also continued to say ".... and on top of that, we're telling them to install an app with a massive security hole in it"

Re: Irresponsible Epic released vulnerable code.

[farble1670]

It's not Google's responsibility to announce the vulnerability, either. They choose to do so, nobody is forcing them.

It's only their responsibility if you assume they have an interest in protecting the security of their users.

Are you for bug disclosures or against them? There is / was a serious security issue w/ the Epic installer. Bug disclosures are a Good Thing. We are all better off for them. Attributing malice to the action doesn't change that fact.

Unless you are looking for a reason to bash Google. If so, disregard the above.

Re: Irresponsible Epic released vulnerable code.

[barc0001]

>> We're not talking about Windows, Android's main competitor is Apple's IOS. How's Android look compared to that? How are those IOS competitors to the App Store there doing? Exactly.

> Apple is just as guilty if not more. The argument that "It isn't as bad as they other guy" is still weak. Using a more extreme example would be, "I'm not so bad, I only beat that guy into a state or paralysis/coma, while that guy beat another to death!" Neither one is right, just less wrong...

I think that's a bit of hyperbole. The default position on apps from phones always was "work with what the manufacturer makes available for purchase on the store or hack your phone. Period". Apple stepped in and let people develop (for a fee) free apps in addition to paid ones, but the single point of distribution was and is the App Store. Android was the very first OS that even gave you the option to sideload .apk files without having to screw with a PC like PalmOS on the Treo. You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.

> I'll give you that Epic did take a big risk in using that to accomplish this, but why exactly should Google have such a monopoly on the distribution of software to the phones?

Because they make the software that runs the phones? If you don't like it, go get a different phone, or write your own software for the phone. Or if you don't want to do that, go get a Tizen or Plasma Mobile compatible phone, overwrite the stock Android with that and have at it. I mean sure, Tizen's riddled with security holes and Plasma only works on a couple of Android devices but baby steps.

> Why can't they provide a more secure way for independent market places or developers to distribute apps? Simple, profit. They stand to make nothing and even lose their monopoly if they did that.

You're right. They stand to make nothing. And they risk introducing instability. So why on God's Green Earth would they? Do you do extra work for free that might cause you more problems in your day job? I don't. Why would they?

Re: Irresponsible Epic released vulnerable code.

[Zmobie]

I think that's a bit of hyperbole. The default position on apps from phones always was "work with what the manufacturer makes available for purchase on the store or hack your phone. Period". Apple stepped in and let people develop (for a fee) free apps in addition to paid ones, but the single point of distribution was and is the App Store. Android was the very first OS that even gave you the option to sideload .apk files without having to screw with a PC like PalmOS on the Treo. You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.

Again though, my point is why? The only reason that is not in the cards is simply because they artificially made it that way.

Because they make the software that runs the phones? If you don't like it, go get a different phone, or write your own software for the phone. Or if you don't want to do that, go get a Tizen or Plasma Mobile compatible phone, overwrite the stock Android with that and have at it. I mean sure, Tizen's riddled with security holes and Plasma only works on a couple of Android devices but baby steps.

Up front I buy that they have some rights to that somewhat due to investment and such, but even though you don't want to accept the comparison to the PC market (for some reason) we already went through this with Microsoft and it was ruled they should not/do not have unilateral authority over something like this. There is an inherent risk when a company puts out more than a product and they are actually creating an ecosystem and/or market. Once they venture into those realms they don't get to dictate to the consumer and businesses within that marketplace everything about that market. If they did we would have a pure oligarchy develop in every country that attempted to create a capitalist system.

You're right. They stand to make nothing. And they risk introducing instability. So why on God's Green Earth would they? Do you do extra work for free that might cause you more problems in your day job? I don't. Why would they?

Instabliity? No. This stuff is not any more unstable than what is going to run on a normal PC. These things are not magic and Google Engineers are not wizards. They are mini PCs with a different Operating System and built on the same principles as everything else. That is just business talk bullshit that no engineer in their right mind is going to accept and honestly neither should the consumers.

Beyond that, as far as making a better side-loading mechanisms, I refer you to my previous point that when they created a marketplace they gave up some of the unilateral authority. Even if they were allowed that, they shouldn't be/have been acting like it is this huge open and free platform. They know it was misleading to people, but thought no one would notice or care on the consumers side if they were only taking advantage of the developers and businesses. To their credit sadly, they are right and most people don't care or notice. The backwards part is the consumers are either literally paying for it in higher costs for the software or indirectly paying for it due to lower quality work.

Bottom line, I have absolutely no issue with them making money for what they do. Everyone has that right and that is how the system works, but they are outright gouging and taking advantage of a monopoly that they intentionally created.

Re: Irresponsible Epic released vulnerable code.

[barc0001]

> You're angry that it wasn't as open as the PC world. That wasn't ever in the cards.

> Again though, my point is why? The only reason that is not in the cards is simply because they artificially made it that way.

Because a phone is not a computer. It's a phone. And it's subject to some incredibly strict regulations that computers are not subject to surrounding many things, including the availability of the device to call and stay in contact with emergency services, for example. Google, Apple, and others have to abide by these rules, and part of that is mitigating risk of malware rendering the phones unable to contact those services. Can you imagine the shit show that would entail if half the Android phones in the US couldn't call 911 due to a malware infection? Or worse, half the android phones called 911 ALL AT ONCE due to a malware infection?

That is one reason they have to do their damndest to maintain a level of security over their devices and that means playing gatekeeper as much as possible. And at the end of the day it's their ass on the line. If the phone gets hacked people are going to blame Google, not Epic.

Re: Irresponsible Epic released vulnerable code.

[Zmobie]

That's a cop out though. Google assumed their own risk by getting into the market and turning the phones into a computer just like Epic assumed risk buy using their own installer. And if Epic created the vulnerability you damn right they are going to be held responsible for that. Microsoft isn't held accountable for Adobe putting garbage software on their platform.

This is a platform. They are computers with telephony functions. I really don't understand why you want to give them a pass based on some idea that they are some how different, but you're clearly not going to agree with me nor I with you. You're entitled to your own opinion but we're rehashing now and not really contributing to a productive discussion at this point.

Re: Irresponsible Epic released vulnerable code.

[easyTree]

+1 interesting

Re: Irresponsible Epic released vulnerable code.

[barc0001]

> That's a cop out though. Google assumed their own risk by getting into the market

> This is a platform. They are computers with telephony functions.

You have that backwards. They are a telephone run by a computer. It's not a cop out, it's a very real risk they have to mitigate. As I pointed out, Android is the only environment that even goes this far to be "user friendly" toward unvetted apps. If you're looking for an open platform, go look somewhere else because you'll never find it on a phone. You're correct, we're seeing this from different perspectives and won't be meeting in the middle.

Re: Irresponsible Epic released vulnerable code.

Install .apk => system sends you to the settings to flip the switch for installing unknown sources => after flipping the switch you are asked if you want to allow just this one .apk to be installed with the default being yes => switch gets flipped back to no automatically.

So forgetting to flip that switch back isn't a big issue.

Re: Irresponsible Epic released vulnerable code.

[Megol]

Google doesn't distribute Android? When did that happen?

When the distribution wasn't referring to Android but the code that was buggy - which Epic designed and wasn't distributed by Google. If that's not confusion it's a changing of goalposts strategy trying to hide the problem this article claim exists: that of Google being irresponsible opening up for Android users to be targeted.

The rest of your comment is largely irrelevant and claiming that Epic is irresponsible is something I'd expect of a Google investor or fanboy(do they still exist?) - so exactly what is your relation to Google?

Re: Irresponsible Epic released vulnerable code.

Heil Hitlary Down with freedom! Fuck those deplorable users! Long live the prison state! Heil Hitlary!

So what's the full story

[alvinrod]

I'd at least like to hear Google's side of this first.

Would hate to unpack the pitchfork for nothing and all that.

Re:So what's the full story

should be obvious, it was retaliatory because they are cut out of the profits

Re:So what's the full story

[thaylin]

Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.

Re:So what's the full story

I'd at least like to hear Google's side of this first.

Follow the second link in TFS, which will get you to the Slashdot article from August 24th, and has a link to the Google issue tracker.

Basically Google found out that Epic's installer was vulnerable to other people taking it over and using it to install pretty much anything.

This sounds like a company pushed out an update to bypass the app store, and in the process introduced a giant security hole.

Sounds like Google was more concerned with user security than giving a damn about Epic's PR.

Re:So what's the full story

[u19925]

I'd at least like to hear Google's side of this first.

You heard google already. They told what they had to when they announced the security issue. Only then Epic has reacted. In this instance, Google is outright greedy and wants to kill anybody who wants to distribute software outside of Google Play store. So much for the open Android platform. Manufacturers cannot fork Android otherwise none of the phones can be connected to Play Store. They must install dozens of privacy invading Google apps in default settings otherwise no Play Store. Android are simply Google peeking devices. At least with FB, they get what you explicitly provide. Apple virtually does not use anything you provide and collects far little data. Google implicitly collects all data that you may not be aware of and sells them to the highest bidders even if they know that purchaser is using it illegally (one of the largest corporate fines ever was paid by Google to settle illegal drug ads).

Re:So what's the full story

[u19925]

Google does not provide level of details that id did for Epic flaw immediately after the patch is made generally available.

Re:So what's the full story

[SantiagoMcRib]

This is well stated. And for those that think that it's vindictive on Google's part, well... you're not wrong, but it's the consequence of releasing outside the ecosystem that would automatically deploy the update to the install base.

I think a lot of people are failing to realize that the 30% cut isn't just to make Google money, but also to fund the infrastructure to host and deploy apps according to their own best practices.

Re:So what's the full story

They must install dozens of privacy invading Google apps in default settings otherwise no Play Store.

Which will all have to live in tandem with the dozens of privacy invading apps put there by the OEM.

Honestly, this is why Android is pretty much dead to me ... if Google still made the Nexus stuff, you'd get a vanilla install of Android with Google's shit on it. For all other phones, you have the pile of shit the manufacturer or carrier add to it as well.

The end result, a heavily fragmented market, where you are going to get privacy invading shit from at least two companies.

No thanks, my next tablet I'll go back to some version of the iPad, and my ancient HTC Desire which is my personal phone doesn't much matter since it has no data plan, never goes onto wireless, and has no apps installed on it.

Android has become a turd precisely because everybody has their own version with their own crap on it.

Android is an ad platform meant to spy on you. Fuck that.

Re:So what's the full story

[Albanach]

Let's think about what Epic were asking for. They'd prefer users not be notified of a critical vulnerability for three months and instead just wait to see how many upgrade naturally.

Google on the other hand have a published policy that they will notify of security events after 90 days if un-patched or after a patch is widely available, exactly what happened here.

While Google does have a strong financial incentive to stop other companies from operating outside the play store, they also have an incentive for Android not to be viewed as a less secure mobile operating system. It seems to me that, if you want to encourage security patches to be applied, you would want to let users know that their existing install has a critical vulnerability. Why Epic would prefer silence can be inferred, but it's not to the benefit of their customers.

Re:So what's the full story

The patch was released a week ago. Epic is basically complaining that Fortnite users are slow to update and/or that a week is not generally enough. Well, the same argument could be made for 90 days to release a patch (in some circumstances). The whole point is that Google has to light a little bit of fire under both companies and users to actually update, not just wait until everyone gets around to updating--which may be never--to release info.

The whole argument that Google is being vindictive because they dare to treat Epic like everyone else is pretty fuck crazy to me.

Re:So what's the full story

https://en.wikipedia.org/wiki/... . Have fun.

Re:So what's the full story

The whole argument that Google is being vindictive because they dare to treat Epic like everyone else is pretty fuck crazy to me.

Because they didn't jackass. They provided specific technical details allowing others to infest android user's phones with malware. Google hasn't done that before because its the right thing to do for android users. This time they threw 70 million people to the wolves because they thought it would make the Fortnite developers look bad.

Re:So what's the full story

[Cochonou]

It is certainly reasonable for server-side software in which a security team ensures that the current installation is not vulnerable to exploits, and performs the required patching/updating operations.
For commercial software aimed at general users, the benefits of (very) prompt disclosure are more questionable:
- Regardless of the disclosure status, these users will most likely never hear about it.
- Even if they hear about it, in the specific case of games such as Fortnite, a significant proportion of the users will not care about the vulnerability as long as they can play.
- Updates will be pushed through the app store/update manager/etc, with no user interaction.

Re:So what's the full story

[thaylin]

Actually before they released the patch they ensured that darn near everyone had the patch, even Epic stated that:

"Sweeney concedes that "Google did privately communicate something to the effect that they're monitoring Fortnite installations on all Android devices(!) and felt that there weren't many unpatched installs remaining"."

Also pretty much every disclosure I have seen has had technical details.

Re:So what's the full story

Good. It SHOULD make Epic look bad. You use Google Play for app delivery or it's your ass

Re:So what's the full story

[Aighearach]

Google did not follow their own guidelines, and this is obvious.

They don't have information about how many devices are updated. Their guideline is to wait 90 days unless most of the devices have been patched. Which sounds reasonable. But now they're trying to split hairs at the edge of that, and that doesn't work because Google has to rely on Epic Games for information about how widely the patch has been adopted. But they didn't do that; they're arguing about how the hair gets split, but they don't even have the information that would be needed to decide it in their direction. Epic Games is who knows if enough devices have been patched for it to be safe to release technical details.

If Google's security people can't even handle the analysis of the known information, if google can't even tell the difference between information that they have, and information that they don't have, then none of their security analysis should ever be trusted.

Re:So what's the full story

[Xylantiel]

It doesn't help that if Epic's launcher had been distributed through the play store, I think having it update would be less of a problem. And this is one of the major security advantages of distributing through the play store. So you can view the entire decision of Epic to not distribute through the Google store as sacrificing user security for more money. I don't even want to know how many scam download sites there are. It is a lot harder to tell the difference on a phone than on a desktop. If this is any indication of how seriously Epic takes their customers' security, one better assume it's pretty much a field day of vulnerabilities.

I happen to agree that the Google play store is kindof onerous, but what Epic has done is a worse solution from the user standpoint and failed in a completely predictable way in this case. There are other possible solutions, but the handset vendors are too used to having Google do a lot of things for them to push the issue, or too hostile to each other to work together. ...or maybe it actually all comes back to DRM such that an actual open and fair platform is untenable from the start.

Re:So what's the full story

[Zmobie]

Some money is appropriate, but 30% is pretty damn excessive. Factor in the taxes and most of the companies are lucky to get half of what they are charging and a bunch of that I'm sure is overhead.

Re:So what's the full story

[RhettLivingston]

Exactly. I'd like to add that in this case, it doesn't seem like they should have followed the rules.

Epic's game and installer is a non-essential add-on. Removing a downloaded exploit is a fine and normal solution to cleaning the device. The users should have been notified immediately to implement the obvious solution.

Re:So what's the full story

[Zmobie]

In finding the vulnerability, yes they were concerned. Given how popular the game is though, the disclosure should have been delayed and Google knows it. If they had worked with Epic they probably could have waited until at least a 75% patch rate (which is reasonable) was attained before making the disclosure. Especially given how new this thing is right now. Because of Google's practices on Android, it is more complex for users to patch Epic's installer and Google knows that too, but doesn't care. It looks as it they thought, "we can spin the narrative that if they used our distribution platform they would have had plenty of time," and play innocent that this was policy (regardless of the fact that it is also normal practice to extend the disclosure time for extenuating circumstance, like this).

Meanwhile, if they HAD waited a little bit longer and the saturation was high enough the vulnerability would be nearly useless by that point (and lets be real, the 75% I mentioned wouldn't have taken all that much longer to wait out, they wouldn't have even hit the 90 day policy...), because by the time someone could exploit it their success rate wouldn't be good enough to make it worth their while. The only reason they have the 7 day after patch policy is normally that is enough time to reach the patch rates that make the vulnerability useless.

Re:So what's the full story

they also have an incentive for Android not to be viewed as a less secure mobile operating system

This cannot be taken seriously, considering how few Android phones get updates and security patches. Is their argument that as long as the play store is updating its applications then the device is fine and all is secure? Newsflash, Android IS less secure.

"We're proud of the fact that half of devices received an update in 2016, but that's not sufficient," says Adrian Ludwig, Google's director of Android Security.

That link is old but its not too hard to find more recent articles to shame Android.

Re:So what's the full story

Apple is worse than Google because censorship and fascism are worse than advertising and data collection. Neither one of them deserves any awards for their treatment of consumers.

Re:So what's the full story

[Jerry+Atrick]

You're assuming Epic gave Google that information, that the information was correct and Epic a believable source.

Google make bad judgements but are serious about bugs they didn't deliberately intend. Epic are more often just clueless and slow to acknowledge bugs.

It's hard to take Epic's bleating seriously.

Re:So what's the full story

You're assuming that Google doesn't know what is installed on Android devices.

Even sideloaded apps are checked for malware by default, and I wouldn't be surprised if that involved sending checksums of the apks back to Google.

Re:So what's the full story

It WILL not make them look bad. You don't use Google Play and you don't pay these bloodsuckers 30%.

Re:So what's the full story

[Aighearach]

If Epic didn't give Google the information, then Google doesn't have it and can't act based on it!

Re:So what's the full story

How do you know it wasn't already over 75% patch rate? Google doesn't seem to need to ask Epic how many have updated in any case:

Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

Re:So what's the full story

[viperidaenz]

If their software was distributed via Google Play, the patch would have been installed automatically for the majority of users after a few days. By default phones are set to auto-update apps when they're on WiFi and charging. Google Play itself always auto-updates. Epic is saying after a week hardly anyone has updated their installer.

Re:So what's the full story

[viperidaenz]

They don't pay tax on the 30% Google took.
They also don't need to run any of their own infrastructure, pay for bandwidth or pay a payment processor, which for very small transactions like in-app purchases, will charge a lot higher than the "normal" 2.5%.
They also don't need to worry about the security implementation of the payment system in their app. Or the security of the installation manager software, which apparently did Epic not worry about, they completely disregarded any attempt at security.

Re:So what's the full story

[viperidaenz]

Of because Google knows about all app installations, because users agreed to let Play Protect scan all installed apps.

Google probably have a better idea than Epic. As the users actually need to run the software for it to notify Epic that it's installed and what version it is. Google already has that software running on virtually every Android phone.

Re:So what's the full story

Some money is appropriate, but 30% is pretty damn excessive. Factor in the taxes and most of the companies are lucky to get half of what they are charging and a bunch of that I'm sure is overhead.

The 30% is part of the overhead. Like every other product you need to factor in all your costs to the price. Google didn't make them release a free to play game. Google didn't want to charge them extra because Fortnite is popular. Google didn't create the vulnerability in the installer. Google didn't force them to release their game outside the ecosystem. Google didn't STOP them from releasing their game outside their ecosystem. Google didn't violate their own vulnerability policy by not releasing the info. I still don't understand what people think Google did here except their job.

I had the installer from the start of beta but I didn't play after the first day or two. Who knows when or if I would have opened their installer again so it could be patched. The only reason the vulnerability was fixed for me was because Google release info about it and I proactively fixed it. Fortnite just wanted to control their own PR at the cost of others. If anything this is another example of a major game publisher being a dick.

Re:So what's the full story

[Zmobie]

That is a fair point if true, but it seems self-defeating for Epic to say anything if that were the case. Perhaps it can then be thrown in the pointless corporate pissing match, but I stand by Google does have ulterior motives.

Re:So what's the full story

[Zmobie]

The 30% is part of the overhead.

Wait, so then you're saying as a consumer you're perfectly fine with having to pay an additional 30% markup because of Google's mainstream distribution monopoly? I guess to each his own, but that seems pretty damn excessive to me still.

I also think the cut they are taking is excessive regardless of it being a game or being popular. They are entitled to some type of servicing fee (I don't expect an OS to be given away for free), but they are not redeveloping the app store every month/year. The damn thing has been largely unchanged for some time now. Yes some of it is to fund Android development and again that is fine, but this is not their only revenue stream. I really can't blame Epic for not wanting to hand over that much money to them. And as I said in another post, no Google did not violate the letter of their policy, but I do feel they violated the spirit depending on what the patch rates were (someone else pointed out they may have been at a decent level, we don't know the real numbers though).

The rest of it, I will 100% give you they assumed the risk creating their own installer and publishing outside the standard distribution channels (I'm just not arguing with their reasoning for doing so). They did fuck up and deserve some PR hit for doing it. Unfortunately what has become clear to me through all of these posts and the volume of people landing on different sides of this, were honestly speculating a lot without more information. Large part of it comes down to which side we're willing to give the benefit of the doubt as to being less dishonest (not going to use honest, neither company is actually honest). I personally have become a bit jaded with Google so I tend to put less faith in them...

Re:So what's the full story

You are wrong. It's 90 days if unpatched but only 7 days after the patch has been made public, whichever comes sooner. In this case Valve asked Google to hold releasing details for full 90 days even though they made patch available within days of being notified.

Google responded fuck you, you know our guidelines.

I'm very anti Google but I'm with them on this one.

Re:So what's the full story

Sorry- not at all reasonable.

Re:So what's the full story

[Shikaku]

https://support.google.com/goo...

You are correct, by default they do.

Re:So what's the full story

[stooo]

>> Epic wanted google to violate its own guidelines for them.
You don't violate a guideline. it's a "Guide" "Line", not a rule.

If the update took more than 7 days to apply, the update mechanism is flawed and needs change fast.

Re:So what's the full story

Google did not follow their own guidelines, and this is obvious.

They don't have information about how many devices are updated. Their guideline is to wait 90 days unless most of the devices have been patched. Which sounds reasonable. But now they're trying to split hairs at the edge of that, and that doesn't work because Google has to rely on Epic Games for information about how widely the patch has been adopted. But they didn't do that; they're arguing about how the hair gets split, but they don't even have the information that would be needed to decide it in their direction. Epic Games is who knows if enough devices have been patched for it to be safe to release technical details.

If Google's security people can't even handle the analysis of the known information, if google can't even tell the difference between information that they have, and information that they don't have, then none of their security analysis should ever be trusted.

Google does have information about what version of fortnight installer people are using. They collect the versions of all the apps you have installed on your phone, no matter where it came from. They and epic explicitly stated this.

Re:So what's the full story

https://en.wikipedia.org/wiki/... . Have fun.

Looks like a bunch of shit phones with specs circa 2013....

Re: So what's the full story

"users agreed"

Hahahahahahahaha! Good one, Googledouche.

Re:So what's the full story

Hence Google's announcement. Epic was effectively trying to delay updates on a compromised installer in order not to lose PR points.

Google was right here

If an application is allowing malware to be sideloaded, the users have damn well a right to know about it.

Zero Days Exist

Not because of disclosure, but because of Trump! Trump and Teh Trump Mob are their own best enemy. God Save America Again!

#GSAA

Hmmmm

I guess what Google is really saying here is if you find any zero-days in Android, publish them right away. Never mind this silly 'responsible disclosure' that companies like Google make noises about supporting.

Re:Hmmmm

This was not an Android zero-day, you moron.

Re:Hmmmm

Nobody said it was, derpstick. Whoosh.

Re:Hmmmm

[squiggleslash]

No, they're saying that if a patch is published for a vulnerability, people should be told that the vulnerability exists and that there's a patch for it.

Re:Hmmmm

[viperidaenz]

They're saying wait until that patches are being deployed before publishing. Like what they did in this case.

Hard to care about either party...

[Austerity+Empowers]

It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes. Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.

Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.

Re:Hard to care about either party...

[drinkypoo]

It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes.

That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk, it did not protect them.

Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.

And that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.

Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

Re:Hard to care about either party...

[barc0001]

If Epic used the app store, the vulnerability never would have existed. It's because they're sidestepping the security there that the problem came to be.

Re:Hard to care about either party...

[thaylin]

That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk, it did not protect them.

I disagree. In order to install the app they had to disable several security mechanisms, and probably not turn them back on. They told epic about the flaw and waited for them to fix it, once it was fixed and released a patch it is best for all people to know they need to immediately patch, since there are no guarantees their loader auto patches.

and that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

incorrect. Google has an obligation to continue, unless you think flaws should not be disclosed unless they fail to fix them?

Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?.

Again they did not disclose it during the fix, they disclosed it after a patch had been released. They followed their own guidelines.

Re:Hard to care about either party...

[drinkypoo]

Again they did not disclose it during the fix, they disclosed it after a patch had been released. They followed their own guidelines.

It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.

Re:Hard to care about either party...

[thaylin]

So you are saying Google should have put users in danger by holding on to the discloser, for what reason?

Re:Hard to care about either party...

Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

The fix was already made available. As per Google's guidelines, they either announce the issue 90 days after reporting it, or a week after the fix is made broadly available. From the article, the fix was made available on Aug 17, and Google announced the flaw Aug 24 (a week after it was made available).

Now, whether a week is enough time or not is another question... Epic wanted the full 90 days, Google said nope. How much time would be sufficient? Will everyone who downloaded it update, without knowing there's a major security flaw in their installed version? From the article, the installer is only updated when it or the game is run. So if a user downloads it and tries it once, then doesn't look at it again and also doesn't uninstall it, they are now vulnerable.

Re:Hard to care about either party...

[StormReaver]

I find it hard to care about either party when two evil companies are battling it out for the evil crown that only hurts the two evil companies.

They both suck, just in different ways.

Re:Hard to care about either party...

[spire3661]

So you honestly think that getting software from only on place is the best possible future? Android NEEDS to get programs from places other than google. Why are you cheering this crap on. The faster we break people's complete dependance on Google Play, the better off we will all be.

Re:Hard to care about either party...

Well obviously Epic didn't tell their users to go and update, they were just relying on people to play within N days and get updated that way. Without Google saying something none of the Fortnite users even knew they were at risk.

Re:Hard to care about either party...

[bluefoxlucid]

It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.

It looks more like you said they shouldn't have published a vulnerability before the patch was ready, and GP pointed out Google published the vulnerability after the patch was already released and being installed by users for a week.

Most of us get the advisory that a patch fixes a critical vulnerability the second the patch is released. It's right there in the release notes, right up front.

Google did more than they were obligated: they kept quiet a week longer than required to let Epic make the announcement and let users catch up. They only had an obligation to go 90 days without a patch or one second after the patch was released.

Re:Hard to care about either party...

Wrong. If Epic has used the App Store, Google would have pushed the update to everyone within a day or two of it being delivered to them by Epic, after another day they'd have published the vulnerability because everyone (exept people who prevent app auto-update manually) would have been updated.

What they're realy saying is that their distribution method also sucks.

Re:Hard to care about either party...

And you just said that only Google Apps are available in Google's App Store.... Go fuck yourself. Hell, even Microsoft, Apple, Dell and IBM have their apps in the Google App Store.

Re:Hard to care about either party...

[barc0001]

> So you honestly think that getting software from only on place is the best possible future?

So you honestly think an army of millions of 12 year olds can properly vet and secure their Android device? Like it or not, Android, IOS and similar mobile OSs operate on a walled-garden approach to the average user. Half of the reason we have massive malware problems on Windows is due to anyone and anything installing any application any time without proper vetting. Your Grandma gets a scary popup? She does what it says and bang! she's now mining crypto for some Russian. At least Android out of the box has a fairly decent defense against the the most basic vector of infection, and now Epic is telling people to disable that deliberately.

> Android NEEDS to get programs from places other than google.

Why? Serious question. You knew what you were buying into when you got a smartphone, and that was a curated ecosystem. Even this curated ecosystem is way more open than what came before smartphones, remember the days of running an "app" on an old Nokia or Motorola? How about PalmOS or Symbian apps?

So to your question - for a PHONE? Yes, it's best that the average person on the street gets their software from a centralized location where there is at least some quality control and attempts to head off malware. At the end of the day, the main reason you have a PHONE is to call people and communicate with them, and it already does all of that out of the box.

To be perfectly honest, I would like to see it restricted even more. In my ideal world if you want to install an .APK on your Android phone, you would have to physically load it from a PC over a USB cable. That would eliminate much of the risk IMO. That way everyone who wants to use non-Play store software can still do so, but a clueless end user can't easily be tricked into sideloading something malicious.

Re:Hard to care about either party...

The only abuse here is being done by Epic for using their own flawed distribution mechanism and expecting Google to bend over backwards to change their long-standing policies regarding exploit notification.

Re:Hard to care about either party...

[Aighearach]

When you think you're going the "extra mile" for somebody else, but you're not actually part of their team, and they tell you to stop... That means you weren't helping.

Re: Hard to care about either party...

You idiot, google put users in danger by ANNOUCING the bug.

Re: Hard to care about either party...

My generation did it in the 80/90/00s and we had no problem. Maybe we are holding peoples hands too much. Give them some freedom to learn and fail and try again.

Re: Hard to care about either party...

[thaylin]

AFTER it has been patched so uses can patch? That is not how it works dude. If they announced the bug BEFORE a patch was made available then sure, but after a patch is released it is more irresponsible to NOT release the details because people wont know they need to patch, but exploiters will know there was a patch and can seek it out.

Re:Hard to care about either party...

You need to learn how "time" works.

That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk, it did not protect them.

Epic released all the details how to exploit this a full 24 hours before Google released anything.
Epic put their users as risk. For 24 hours. Nothing Google or anyone else could say about it 24 hours later would have ANY effect on risk.

And that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

Why? What difference does it make if google repeats or does not repeat what Epic told the world 24 hours earlier?

Hackers world wide know exactly how to exploit this due to Epic telling them.
This was true both before and after google said anything.
So what difference does it make that google repeats that same info?

It's sad you say if google disclosed how to exploit this before epic did, it would be warranted, but when epic discloses how to exploit it before google does, it's somehow abuse?

At least if google disclosed it first, they would actually be enabling more hackers to use that information.
But Epic disclosed it first, more hackers then knew how to use it. Repeating old news a day later doesn't change anything.

Re:Hard to care about either party...

[tlhIngan]

How about PalmOS or Symbian apps?

Actually, PalmOS and Symbian apps were open - there was no app store or anything. You downloaded the files and installed them on your phone.

Of course, it meant that every app had to implement some sort of demoware thing, and not everyone took a credit card so paying for your software was a PITA (especially if you were outside the US). And you often had the trouble of upgrades so you had to hunt down your registration codes again.

Yes, things are better now since everyone's pretty much has the ability to accept credit cards - either by opening a real merchant account, or by using something like Paypal. And that didn't stop some rather interesting DRM schemes from being implemented.

One of the most dangerous ones was a PalmOS app called Liberty that was a game boy emulator. If pirated it would destroy your data. Due to a bug, it inadvertently was a bit too aggressive and destroyed not only the data, but the device itself (erasing critical flash memory blocks). There was a fixed version after a couple of hours of getting discovered, but the author spent a few bucks having to replace devices.

Re: Hard to care about either party...

[barc0001]

> My generation did it in the 80/90/00s and we had no problem.

I'm part of "that generation" as well, and I can recall massive problems that started back then which we still live with today. Except back in the olden days the vector was a floppy disk. These days it's wireless and OTA. Back then you fed a stupid prompt a cookie, these days your gran's phone gets locked out while it mines crypto or has its file system encrypted and held for ransom.

Walled garden ecosystems exist for a reason and that reason is the average user has proven time and again to be anywhere from mostly to completely incompetent at handling security threats.

Re:Hard to care about either party...

It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.

That's a cool non-argument based around a logical fallacy, bro, but it just demonstrates that you don't really have anything further to contribute to the discussion.

Re:Hard to care about either party...

Google weren't going the extra mile for Epic, they were going the extra mile for Android users. Fuck Epic thinking they know best when their users should be informed.

A week was sufficient for most users to update, the ones that hadn't updated in that time most likely would be those who tried it once and decided not to go back to it, and those were the ones who needed to be informed.

Re:Hard to care about either party...

Helping them do what, exactly? I would think that to be a rather important question. If an attempting murderer asks you to stop trying to save their indented victim, does that mean you should stop?

In this case, Google's reaction can simultaneously be validly seen as an anti-competitive move against a rival while still being the pro-consumer (and thereby morally correct) action of alerting the consumers to a vulnerability and how to fix it.

That is to say it is very much possible for the right decision to be made for the wrong reason and the wrong decision to be made for the right reason. I'd actually argue the majority of human civilization can be explained as such...

The fundamental underlying principle of capitalism is that the grocer doesn't want to feed you, they just want your money. Feeding you is only a means to that end.

It doesn't make Google good, or even OK...but it doesn't make them wrong either.

Re:Hard to care about either party...

[barc0001]

> Actually, PalmOS and Symbian apps were open - there was no app store or anything. You downloaded the files and installed them on your phone.

I remember well, and the thing about it was you had to use your PC to download them and then go to the trouble of purposely uploading them to your device. Which, as I mentioned I think is a great idea and is exactly how sideload .apk files should have to work because that would dramatically reduce the chances of someone tricking the average user into running something unintended.

Re: Hard to care about either party...

[astrofurter]

"pathetic"

I think the preferred term is "little Eichmanns".

Re: Hard to care about either party...

Down with freedom! Walled garden prison state forever! Heil Hitlary!

Epic just went full retard

Dumbtard Epic... the method is known (man in the disk type of attack) and it should have been a major concern of everyone at least since this years DefCon when it was shown on several applications... two weeks past and Epic is crying that Google didn't give them more time? Sod Epic, bunch of incompetent fools.

Google didn't create the risk

you did

why did you release software with that flaw in the first place Epic?

Re:Google didn't create the risk

Seriously. Why don't companies just release with no security flaws.

Re:Google didn't create the risk

Yeah, it is almost like security is hard and expensive to implement. Epic should've found a company long experienced in this to release their game, with some competent content delivery system for Android...

It ceratinly makes sense.

[nimbius]

Google has nothing to lose by delaying disclosure of an exploit that isnt even in its ecosystem...
however...google has everything to lose if the idea of operating outside its walled garden catches on.

Re:It ceratinly makes sense.

[colonslash]

> Google has nothing to lose by delaying disclosure of an exploit that isnt even in its ecosystem...
They do have something to lose, the security of and confidence in Android. Disclosing this bug lets users know about it so they can make sure the vulnerability is closed (like by updating the installer).

Re:It ceratinly makes sense.

[celeb8]

Google has plenty to lose when people add exploitable installers to "its ecosystem", to use your term. "Their ecosystem" (to use your term) has a reputation already for being lax security-wise, and mostly for just this sort of issue, the fact that they don't wall off their garden as strenuously as some others (evidence for this: side-loading still exists). They also would obviously prefer that people use their methods for install, since they get money and are able to police the security better. So, three separate motives, but unless you're distorting things for the purpose of rhetoric all three point to Google being open and honest and letting their users know of a vulnerability. Sunshine isn't a bad thing unless you're trying to hide something.

Re:It ceratinly makes sense.

> google has everything to lose

Google has SOME to lose, not everything. People willing to switch from one to another aren't going to magically stay on one side.

Re:It ceratinly makes sense.

[Dagmar+d'Surreal]

Exactly how is something meant to run on Android NOT "in its ecosystem"?

Google is not to blame here.

[thaylin]

Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.

The problems is in bypassing the play store they did open themselves up some and now they want google to change, not them.

Re:Google is not to blame here.

[drinkypoo]

Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.

Google's guidelines are garbage designed to justify abuse. And here you are, attempting to justify abuse with them.

Re:Google is not to blame here.

> The second happened

they are arguing that it didn't happen, why should we believe you instead?

Re:Google is not to blame here.

[thaylin]

No they are not. They released the patch to the general public patch. Google waited 7 days more and released the vulnerability.

Re:Google is not to blame here.

[thaylin]

What abuse? The patch was released in a matter of a day or so..

What happens if a hacker finds the vulnerability and targets the users who dont know they need to patch? Well Epic and Google would have put those people in jeopardy by holding it. This way people know they need to patch.

Re:Google is not to blame here.

Google's guidelines are garbage designed to justify abuse. And here you are, attempting to justify abuse with them.

I suppose something "not abusive" would involve letting the Fortnite Android community bare asses showing through the window for X more days... X being any number Epic would judge reasonable. In the mean time Google would have to season the problems arising, like people wondering how insecure a open and non walled-garden platform can be.

There's no way to paint it where Epic emerges as a security conscious part in the story and Google just a big mean bully.

Re:Google is not to blame here.

You might want to discuss WHY the guidelines are garbage. Then there can actually be a discussion. If you don't present a position that you consider more reasonable, you don't sound reasonable, and sound like you just want to complain. I am not saying that that is what you are trying to do. Just that it comes across that way.

Re:Google is not to blame here.

Yeah the point of disclosing it to the public is to let people know they need to update, and give them a heads up to investigate if they've been compromised. Waiting 90 days is just giving malicious parties 90 days to do whatever they want while users are blissfully unaware. Like let's someone was able to make a duplicate of your house key, by comprising a key making kiosk (real thing). You'd want to know that ASAP, so you can change your locks, not 90 days from now.

Or if Equifax had of told people 7 days after they detected the hack, instead of months, it would have saved countless people from having their identities stolen.

Re:Google is not to blame here.

[Luthair]

The guidelines are reasonable, once a patched version is available interested attackers can compare binaries and discover the vulnerability. All hiding the disclosure does is give these attackers more time to exploit the vulnerability by making it less likely users will know to upgrade.

Re:Google is not to blame here.

[bluefoxlucid]

That actually sounds like a good strategy: let them have rope enough to hang themselves, then blame Epic for the sudden rush of malware-laden Android phones after their sideload software gets everything hacked to hell. Frighten the world into running as far away as possible from anything you haven't blessed.

Re:Google is not to blame here.

How is notifying users of a vulnerability when there is a patch available abuse?

"Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched. "

Re:Google is not to blame here.

[amicusNYCL]

Why does Google have any role in this at all? Their role is to develop Android and run their own store. Why are they policing independent developers not using the Google store? Isn't it only Epic's responsibility to communicate with their own customers?

Re:Google is not to blame here.

It's actually 90 days since vendor notification OR 7 days since patch has been made public whichever comes first. A very reasonable policy. What is the fuss about?

Google petty AF

[volodymyrbiryuk]

creating an unnecessary risk for Android users

This shitty installer is the actual risk. Hilarious how the companies that produce shitty code always blame the ones who discover their flaws.

Re:Google petty AF

[Big+Boss]

Google's policy seems reasonable. There's a fixed version, so disclose the info.

Not only is it a shitty installer, the whole idea of an installer app on Android is shitty. Just have people download the APK and use the built in package installer. If it's about download size, use the same trick most big games do and have the app load data files on first launch into its own protected data directory. All of that is built in and is quite safe and audited.

Not that Google never does anything shitty, but this one is on Epic.

Re:Google petty AF

[drinkypoo]

Not only is it a shitty installer, the whole idea of an installer app on Android is shitty. Just have people download the APK and use the built in package installer.

That's not a fully working solution because it leaves out people who get confused during the download process. If you download an APK then it appears in your downloads list and as a notification. If you clear that notification and your downloads list then there is no way whatsoever to install that APK without installing additional software, like a file manager, unless you download it again. Many people are probably not even aware of the downloads list, and if someone has a lot of notifications they might not be able to figure out how to install the APK they just downloaded. This is Google's fault; they should have included a file manager with their OS, but they didn't.

Re:Google petty AF

[Orphis]

There are file managers with recent Android.
Maybe older ones as well, it probably depends on the phone maker too (my Galaxy S4 had one bundled from Samsung for example).

Admittedly, the issue with large APKs is that you need double the space. First to download and then to install the files. That's why so many games are using installers (though usually done downloading private files in the main game, not as a separate app).

Re:Google petty AF

[volodymyrbiryuk]

Don't clear the notifications then. It's not that difficult. Epic could have made an instruction how to install an APK. Doesn't Android have a built-in file manager anyway?

Re:Google petty AF

As far as I remember, every Android phone I've used has a "Downloads" icon in its app drawer which lists your downloads. If you clear the download notification, you can just go there to click on it there.

Irresponsible developer cut corner.

So they bypass the App Store to avoid paying Google, then they fail to spend the money they saved to provide one of the most important benefits of going through App Store. Oh.

Lock vulnerable app, can update, can not run

[perpenso]

"We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

Allowing the unpatched game to continue running also unnecessarily risks Android users. Doesn't google have the ability to delete an app in Android? If so perhaps they should have deleted the unpatched game versions?

Looking forward maybe google should have the ability to lock out a vulnerable version of an app. Don't delete it, just prevent it from running, only allow it to be updated to a newer version.

Re:Lock vulnerable app, can update, can not run

[EndlessNameless]

Google can do that for Play apps. This whole pissing match started because Epic decided NOT to publish Fortnite on the Play Store.

Re:Lock vulnerable app, can update, can not run

You want google to be able to lock side-loaded apps? You realize the whole point of the article was the app was not installed via the play store right?

Re:Lock vulnerable app, can update, can not run

If google started deleting or blocking the apps that I choose to sideload onto my android, I would ditch them ASAP and join the class action lawsuit which would surely follow.

Re:Lock vulnerable app, can update, can not run

"Derp derp derpy derp."

Google can't do anything with Fortnite because Epic doesn't distribute it through Google's Play Store.

Re:Lock vulnerable app, can update, can not run

The app is not distributed through Play, so Google has no saying in deleting/updating it.

Re:Lock vulnerable app, can update, can not run

Doesn't google have the ability to delete an app in Android? If so perhaps they should have deleted the unpatched game versions?

Hey, you forgot the part where the Epic game app isn't in the store. Google can't do anything, and by the way, shouldn't be able to do anything.

Re:Lock vulnerable app, can update, can not run

[Dagmar+d'Surreal]

"They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

...amazing how that can be obverted to say "Tim Sweeney refused to prioritize publishing the update and an apology because it would cost Epic PR points".

...although seriously, I'm not carping on you about that. You're totally right that Google could have simply dropped a signature for Epic's installer into their vulnerability monitor and instantly yanked it off every Android device if they'd wanted to, but Epic would have really thrown a tantrum about that.

Re:Lock vulnerable app, can update, can not run

[perpenso]

True, I'm just making the point that if we are to judge actions by Epic's "creating an unnecessary risk for Android users" criteria then there may be appropriate actions Epic is not considering.

Re:Lock vulnerable app, can update, can not run

[perpenso]

You want google to be able to lock side-loaded apps? You realize the whole point of the article was the app was not installed via the play store right?

With respect to malware or a serious infection vector for malware, why not? Play or non-Play is irrelevant. Its little different than anti-virus software quarantining or deleting detected malware.

Re:Lock vulnerable app, can update, can not run

[perpenso]

If google started deleting or blocking the apps that I choose to sideload onto my android, I would ditch them ASAP and join the class action lawsuit which would surely follow.

If they were doing so only in cases of genuine malware, you would lose. And the terms of service could easily be updated to permit this if not already allowed to further weaken your actions.

Google's fault

"Google is irresponsible and at fault that we have a vulnerability in our installer. Clearly this vulnerability is someone else's fault and not ours. Google announced it too early, therefore we're not responsible for our own vulnerability."

Do No Evil

Except when it is in our best interest.

Which is usually.

Reverse Engineer

[Luthair]

The moment a patch is released attackers have the opportunity to reverse engineer the patch to find the vulnerability regardless of whether there is a subsequent disclosure or not. By this vulnerability being widely circulated in the press its more likely users will upgrade or uninstall than hoping users launch fortnite in the next 90-days. I imagine the real issue Epic has here is that they do not want the bad press leading to users who downloaded Fortnite to try uninstalling.

Re:Reverse Engineer

[thaylin]

You would think most slashdot readers would understand this, apparently not.

Re:Reverse Engineer

[Tough+Love]

Most Slashdot readers also understand that if upstream requests that disclosure be delayed because mitigation procedures are in process, then it is normal to respect such a request.

Re:Reverse Engineer

[locopuyo]

I don't think you even understand it. The vulnerability is that if you connect to a compromised wifi connection and attempt to manually update the app (there is no automatic update) they can spoof the update with their own malicious update.

If someone uninstalls then searches the web to re-download it using compromised wifi they could be taken to a fake site serving malware. So if someone is naive enough to trust a malicious wifi connection they're even more at risk with this exploit being made public. This doesn't really help anyone, it's just a PR attack by Google.

Re:Reverse Engineer

[thaylin]

Except there were no mitigating procedures in process, and google had already identified that nearly all downloads had patched.

Re:Reverse Engineer

[Tough+Love]

Rubbish, a patched downloader was being distributed, this is a mitigation procedure. Weasel word "nearly" does not save your argument.

Re:Reverse Engineer

[thaylin]

My god you really went around the neighborhood to try and attack google.

the exploit was vulnerable to any APP with WRITE_EXTERNAL_STORAGE permission. Any app with the name com.epicgames.fortnite could have been downloaded an installed via that. It did not have to come from a hijacked access point. It was mostly a glorified permissions issue.

Again, no PR attack, just them following their procedures and being responsible.

Re:Reverse Engineer

[thaylin]

The patch downloader had ALREADY been distributed, not *being*. and that is not what is meant by "mitigating procedures" I dont know of a reporting company in the world who would say, "well you released a patch, no need to release the details", they all do, all that holding it does is lead to more exploits by people who figure the issue out.

Re:Reverse Engineer

[Tough+Love]

The patch downloader had ALREADY been distributed, not *being*

Where did anybody say that the patched downloader had been completely distributed. Oh right, you made that up. You do understand that the more Google apologists spin this pout with their lame deflections, the longer is stays in view and the worse it looks for Google. don't you? Of course you do. Carry on.

Re:Reverse Engineer

[Luthair]

What mitigation procedure was that, hoping users launch Fortnite at some point? The active player base of fortnite assuredly launches the game more than once a week, disclosing the vulnerability protects the people who have it on their phone and never launch it as they don't have, and may never have the patch installed otherwise.

Re:Reverse Engineer

[thaylin]

Actually from a security standpoint it makes them look good. I am anot a Google apologist, but I am also not a google hater. just because you dont understand how security works does not mean I have to be just as ignorant.

You're confusing facts vs wishes

[raymorris]

Gp stated correctly that this serious vulnerability would not have existed had Epic not insisted that users disable security protections. That's a fact. Not a wish, not a "best possible future", but a simple fact.

Kinda like the fact that all your money you've been paying into Social Security is gone. It's been spent. It's not sitting there waiting for you to get it when you're older. Wishing things were different doesn't change the facts.

Spite

[Tough+Love]

Google jumped at the chance to punish out of spite, because Epic chose to operate its own store. This is how it looks.

Re:Spite

Google was very spiteful by informing Epic of the vulnerability, and then waiting a full week after Epic had actually released the patch, by which point most users had actually updated.

If Google was being spiteful, they wouldn't have informed Epic about the vulnerability at all, let alone wait until a week after Epic had released a patch to fix it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

We need standards for this

[MobyDisk]

Everybody has their own rules and guidelines around responsible disclosure. We need an organization like like the IEEE or ACM or CERT to make standard practices for this. This is important because there is always a question of liability. I'd like to know that if I followed the IEEE rules for responsible disclosure that I can be reasonably sure that someone can't sue me.

There are no right sides here.

[Dagmar+d'Surreal]

It's very simple, and it's not what this headline says.

Epic decided to forgo the Play Store for releasing Fortnite.

Google said "Okay, but this sort of thing can make our platform less secure. Be careful out there."

Epic releasesd an installer for Fortnite that could install Fortnite without the Play Store.

Google looks at it, and sees that it can be used to install more than just Fortnite, because it contains some stupidCode that can be used to install all sorts of malicious things because someone at Epic was very careless.

Google tells Epic about this lame bit of coding, and tells them they've got seven days to fix it because it would be really, really bad if this were exploited by someone who wanted a whole lotta phones on their DDoS botnet (for example).

Epic says "We believe we have 90 days to fix it" and releases a new installer without the stupidCode in it.

Seven days goes by, Google releases details of the stupidCode so that other people can learn from and not make this same foolish mistake.

Epic throws a tantrum.

The TL;DR is that this wouldn't have been a problem if someone at Epic hadn't decided to just throw an installer out there without looking at it carefully first, and Google probably should have given them 30 days instead of 7, but probably gave them only seven days because it lets them reinforce their point that poorly-written third-party installers are bad. Epic gave them reason to do that when they started talking to the press and basically whining about the Play Store cut as if Google did nothing to deserve any money (because it's so obviously both easy and free to build and maintain a giant marketplace with some semblance of standards), and Google appears to have noticed that if they ignore the tall tales "web reporters" spin, they eventually wind up having to explain complex concepts to state Senators and that tends to be very expensive.

Re:There are no right sides here.

As per Google's guidelines. Epic had 90 days to fix it before disclosure. After a fix is released Google can disclose the vulnerability, even if it is less than 90 days from Epic being notified. This makes sense because the update can be reverse engineered and the "bad guys" can figure out the vulnerability from what was changed. Google still waited 7 days after the fix was released (which they didn't have to do), by which point most users had already updated anyway.

Pay/Non-play, a choice not a technical issue

[perpenso]

Google can do that for Play apps. This whole pissing match started because Epic decided NOT to publish Fortnite on the Play Store.

If they can remove a Play app then they can remove a non-Play app. They may not do so currently but that is a choice not a technical issue.

Re: Pay/Non-play, a choice not a technical issue

They can't. Android yields Google no control whatsoever under user-installed APKs.

Re: Pay/Non-play, a choice not a technical issue

They can't. Android yields Google no control whatsoever under user-installed APKs.

Even if correct, they certainly could add such control as an AV feature.

Re: Pay/Non-play, a choice not a technical issue

They also could add a switch so every widget is a LOLCat, yet they didn't. perpenso is wrong.

In Other Words . . .

"Boy, that's a nice independent game distribution model you have going there. It would be a shame if something happened to it . . . "

childish of google

[SuperDre]

That's really childish of google, especially as Google is only using the 7 day deadline when it's due to a security risk if it's already being actively misused, but it isn't. Normally they have 90 days (or sooner if they notice it being actively being misused).
So why did they release it with the 7 day deadline? well we all know why...

Re:childish of google

[thaylin]

Actually the policy says 7 days after a patch has been released, not if being misused, that is their policy.

Literally

[cigawoot]

> we worked around the clock (literally) to fix it

So they put a clock in the middle of the room and arranged their desks around it?

What goes around comes around.

My phone is already insecure: the OS has received 0 patches. Microsoft does not leave it to Dell or ASUS to patch Windows and nor do FREE Linux distributions. Apple does not demand that Foxconn distribute iOS patches. As the only OS vendor to require hardware vendors to patch their OS, Google is unreasonable, irresponsible and arrogant. Google monetizes my data and targets me with ads, while refusing to patch the software they use to do it.

Google has never done this to Amazon.

[emil]

Lots of people install the Amazon App Store and pay for games through that source.

It does appear that Google wanted to make an example of Epic specifically, in the hopes that more app developers will be cautious to follow.

Detail how it is excessive.

You obviously know how much it costs to run the play store, so break it down.

Epic done fucked up

[mykro76]

Whoops Tim. Only a few weeks ago you told Forbes:

Avoiding the 30% “store tax” is a part of Epic’s motivation. It’s a high cost in a world where game developers’ 70% must cover all the cost of developing, operating, and supporting their games. And it’s disproportionate to the cost of the services these stores perform, such as payment processing, download bandwidth, and customer service. We’re intimately familiar with these costs from our experience operating Fortnite as a direct-to-customer service on PC and Mac.

You forgot about some other services performed by the Play Store. Automated analysis of your code for security issues. Automated roll-out of your updates to users. And in some cases - for very serious bugs - even forcing your updates onto users.

And now you're crying foul because you got greedy, forced your users to bypass Android's security mechanisms and now you don't have a way to get a fix to them within seven days. LOL.

Shifting the Blame?

"We decided to use our own launcher instead of the Play Store, and accidentally made all of our users' devices vulnerable. Google discovered this, informed us, gave us time to develop a fix, and then informed users of their devices of the vulnerability we made and the patch available for it. What villains! Ignore that we created this problem, the person that made you aware of it after giving us time to fix it is the one that screwed up, not us!" - Epic