It’s easy to say that thousands of Fortnite fans are now even happier to play the popular battle royale shooter on their Android phones. But that happiness hasn’t extended to the relationship between Fortnite developer Epic Games and Google, especially after Epic opted to let players install a third-party app to play the game rather than download it from the Android app store, thus giving Google a 30 percent cut of profits. Now the ensuing issues with player data safety have caused some sharp words to be exchanged between the two companies.
Even though the company has no legal or financial stake in the matter, Google recently discovered an exploit in Fortnite’s mobile version code that could be hacked. Since the game isn’t released through the Android store, it doesn’t go through the same quality check process that every submitted app must before being listed, though Epic certainly has its own checks in place. If properly executed, the exploit could install a different, far more malicious software instead of Fortnite on a user’s phone.
Google said it discovered the exploit on Aug. 15 and immediately informed Epic. Within 48 hours, Epic had patched the app installer. This didn’t mean that every person who had Fortnite installed on their phone would have the proper updates in place to protect their Android devices. To that end, Epic asked Google to wait the full 90 days that Google’s policy allows before a bug report must be made public.
The reason that report window is so big is so app developers have as much time as possible to make sure users have the proper updates, protecting them from intrusion, and not giving hackers a chance to jump on the ship before it’s properly plugged up.
However, despite this (and still within the rules of its own guidelines), Google made the report public on an Issue Tracker thread of the exploit one week after the patch was issued.
Epic was, understandably, about as pissed as you can be in a formal corporate statement from CEO Tim Sweeney, given to Mashable:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable. An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336. Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
The spat between Google and Epic has been nothing short of tense. One can’t blame Epic for wanting to keep 100 percent of its profits, especially since it recently crested more than $1.2 billion dollars in revenue, with estimates that Epic will close out 2018 with $2 billion. That’s a big chunk of money for Google to lose out on (iPhones don’t have this issue, given that Apple’s closed format requires literally everything to go through the app store), and moves like these can be seen as Google trying to imply that Fortnite’s customers, public image, and profits are at risk without the security platform that Google offers. Epic Games’ overall value sits somewhere between $5-$8 billion.
Of course, Google also has to maintain an image of safety for its users, and it’s not unlikely that Google would take a large portion of the blame if numerous users had their phones and information hacked. That said, announcing the security threat more than two months before it was absolutely necessary does very little for consumers.
This could also spell some trouble for Google in the future, however, both from future games that decide to hoard their profits and from companies that hope they’ll do free security audits of their games. Don’t put it past a smaller company to lay blame on Google for not protecting their users if an independently installed game is hacked.