Epic And Google Clash Over Fortnite Vulnerability

(Image credit: Epic Games)

When it comes to mobile gaming there's a lot of money at stake. Big studios pump a lot of money into trying to lure about a billion people who are eye-deep in their handset's touchscreen. However, just because you toss out a mobile app for iOS or Android devices doesn't mean that it's going to be free of issues. Recently, Epic Games and Google have been clashing over the mobile version of Fortnite. More specifically, the companies are going at it over the issue of a perceived vulnerability within the mobile app.

Ars Technica is reporting that Google has supposedly identified a "Man-in-the-disk" or MITD vulnerability within the installer for Fortnite. This is despite the fact that Fortnite is not available on Google Play's distribution store. Why? Well, Epic Games decided to bypass the Google Play store because CEO Tim Sweeney believed that the studio and the game was big enough to do without a distribution platform like Google Play. Gamers are well enough aware of Fortnite that Epic could afford to distribute it directly from their own website instead of going through other third-party distribution outlets.

Forfeiting going through third-party conduits means that Epic Games does not have to pay a 30% distributors fee to sell its game through Google Play. It's the same as Epic avoiding having Fortnite on Steam, wherein the company would have to pay a 30% distributors fee to Valve. Instead, Epic has refrained from these distribution pipelines in order to connect directly with users.

However, Google has hounded the Fortnite client to check for security vulnerabilities. The company noted that the vulnerability wasn't picked up by the Samsung security API, and that this could lead to security problems. Specifically, it was a bug that could be exploited in the APK when installing the program, and it was brought to the attention of Epic via a filing on August 15th.

The next day Epic took note of the vulnerability and issued a hotfix to address the issue in the Fortnite installer for mobile devices.

Things got a little hairy between the two because Epic requested that Google not share the bug report with the public until 90 days later, which would give gamers enough time to update the installer. Google, however, decided to publish the report findings seven days after Epic fixed the bug for the Battle Royale game. And while the bug is fixed, making the vulnerability public means that some nefarious individual could technically use that as a means to compromise installers that have not been updated.

Epic Games' Tim Sweeney told the media that Google publishing the findings so soon after the bug was fixed was "irresponsible."

Essentially there's a moral quandary at play here between Epic not finding what could have been a potentially dangerous Fortnite vulnerability for mobile users, and Google publicly sharing the information before the patched installer was thoroughly saturated.

Some are arguing that Google did this as a way to nudge Epic to put Fortnite on the Google Play store so that the installer could regularly be checked for updates through Google's distribution platform, while others argue that Epic not wanting to pay the distribution fee has potentially put mobile users of Fortnite at risk. It's a tricky scenario, no doubt.

Will Usher

Staff Writer at CinemaBlend.