
Epic's Fortnite Installer allowed to install anything on your Android phone - kerng
https://m.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently
======
0xfffff
Epic Games provided the following comment from CEO Tim Sweeney:

"Epic genuinely appreciated Google's effort to perform an in-depth security
audit [...]

However, it was irresponsible of Google to publicly disclose the technical
details of the flaw so quickly, while many installations had not yet been
updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public
disclosure for the typical 90 days to allow time for the update to be more
widely installed. Google refused. You can read it all at
[https://issuetracker.google.com/issues/112630336](https://issuetracker.google.com/issues/112630336)

Google's security analysis efforts are appreciated and benefit the Android
platform, however a company as powerful as Google should practice more
responsible disclosure timing than this, and not endanger users in the course
of its counter-PR efforts against Epic's distribution of Fortnite outside of
Google Play."

~~~
DannyBee
I like when "following standard practice, literally listed in the bug report
and used 100's of times" is suddenly "counter-pr efforts".

type: vulnerability is new, but if you search the public bug tracker for the
phrase "This bug is subject to a 90-day disclosure deadline", it looks like
they have been pretty darn consistent about unrestricting once the patch is
available. Usually faster than 7 days! They have also held people to the 90
day requirement, and the 14 day grace extension they offer. This is true even
when the reporter is a googler or it affects only google software.

------
ryanlol
This isn't a very serious bug, this cannot be exploited unless your phone
already has malware on it.

------
matthberg
This was posted previously here, for further discussions:
[https://news.ycombinator.com/item?id=17838887](https://news.ycombinator.com/item?id=17838887)

------
everdev
Dupe:
[https://news.ycombinator.com/item?id=17838887](https://news.ycombinator.com/item?id=17838887)

------
Rotdhizon
Comment by MBCook in an earlier version of this post

>> "It wouldn’t surprise me if google did this as a sort of backhanded way of
saying “see what happens when you don’t use our App Store?”"

I don't disagree with Google's decision here. Epic is being incredibly reckless
with their bypassing the play store.

~~~
binomialxenon
While it'd be good for Android to have an option to trust a certain source
once rather than leaving "unknown sources" open all the time, I'm _glad_
companies are bypassing the Play Store. One company shouldn't be able to
dictate the terms for all software distribution on a certain OS. That's not
the way it's ever been on the desktop, and I don't want it to become the new
norm in computing.

------
dplgk
It's a cute PR move from Google.

