Epic and Google are Having a Row Over the Android Fortnite Launcher

Epic calls Google's decision to reveal a vulnerability in the Fortnite launcher "irresponsible."

News by Matt Kim

Epic made waves when it announced that it would release the Android version of the mega-popular Fortnite: Battle Royale through its own launcher, ditching the Google Play Store. The launch would have been a success had it not been for the revelation of a serious security vulnerability in the Fortnite Android launcher, which has since been patched. But it turns out Epic boss Tim Sweeney isn't too happy with the way Google revealed information about the security vulnerability.

It began last Friday when Google published a report regarding the Fortnite launcher for Android. Google's security team discovered a vulnerability in the launcher that could potentially allow unauthorized third parties to install apps on Android phones through the Fortnite launcher, without needing permission.

Epic decided to release a launcher instead of releasing Fortnite Battle Royale directly on the Google Play Store to avoid paying the 30 percent fee to Google on in-game purchases, a move Epic defends as necessary since Google's store tax cuts into funds that could be used towards development.

Fortnite Galaxy skin exclusive to Samsung Fortnite Android players.

Google disclosed the vulnerability to Epic on August 15 and has a policy to publicly disclose vulnerabilities seven days after the initial disclosure, so users can patch their apps in time. Epic, however, apparently wanted 90 days before Google publicly disclosed the vulnerability and called Google's decision "irresponsible."

In a series of tweets, Epic boss Tim Sweeney wrote, "We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

Sweeney argues that since the launcher only updates when users run the launcher or game, 90 days is a bigger window for users to have a chance to open the launcher and have their software updated. With a smaller window, he argues, users who have not yet updated are more exposed to hackers who learn about the flaw through Google's public statement.

Fortnite has encountered problems with potential hacks before. Due to its large and young playerbase, Fortnite is often the lure used for scams, and Epic accounts are quite vulnerable to hacks. So much so that Epic recently rewarded players with a free emote for enabling two-factor authentication on their Epic accounts.


Comments 4

  • #1 nimzy, a month ago
    Vulnerability disclosure is a huge deal in the software world. And it's truly a damned-if-you-do, damned-if-you-don't kind of deal: if nobody knows about the vulnerability then people can't exploit it -- but then people don't know that they need to update their software.
  • #2 WiIIyTheAntelope, a month ago
    Epic is mad because Google didn't go against their own policy and give them special treatment, after not even submitting their game to the play store so that they could keep even more of those sweet microtransaction bucks?

    Sorry Epic but that really isn't how it works. As much as I enjoy crapping on Google (and boy do I) they did nothing wrong here. Epic dun goofed and want somebody else to blame for it.
  • #3 BulkSlash, a month ago
    I think Epic are probably in the wrong here. By bypassing the Google Play Store their app is left with no means of auto-updating or even prompting users to update (maybe they could write some sort of background service but even that might not be running after a reboot). So while I can see some logic in the way Sweeney is thinking, it’s probably better to publicise the flaw so people know they need to update.

    In actual fact, Epic having an argument with Google about this has probably done more to notify people to update than would have happened if they’d just waited 90 days and hoped no hackers discovered the flaw!
  • #4 scottygrayskull, a month ago
    Fuck Epic! Higher risk? The higher risk is them wanting to bury this issue and not inform their users. The people who can and will exploit it likely know about it anyways, so you're just endangering your userbase to avoid some bad PR. Sure Google might have some sour grapes, but they have a responsibility to Android users to inform them of these issues, and I'm happy they didn't give Epic special treatment.