Epic Games says Google overstated Fortnite security flaw in effort to hurt company
In August 2018, Google sent out the warning as far and wide as it could.
A major security flaw had appeared inside of Epic Games’ popular app Fortnite, which at the time could only be downloaded outside of the Google Play store, as Google and Epic Games argued over the Android developer’s 30% fee on in-app purchases.
Dozens of articles soon appeared online about the major flaw, warning people that had sideloaded Fortnite onto their Android phone that it could put their phone’s security in danger.
Now, more than two years later, Epic is claiming Google overstated the potential security flaw in an attempt to hurt Epic’s ability to get around the 30% fee on in-app purchases.
The claim, filed Monday, was redacted in previous filings. It comes in the latest counter claim in Epic’s antitrust lawsuit against Google, part of a twin antitrust crusade against Google and Apple’s mobile phone operating systems.
Google, for its part, stands behind its warning to customers.
“Epic released Fortnite on Android with security vulnerabilities that could compromise consumers’ data,” a Google spokesperson said in an email. “Safety and security are our top priorities, so of course we took steps to warn our users about this security flaw, in accordance with our App Security policy. We’ll continue to fight Epic’s claims in court.”
Epic declined to comment beyond what it filed in court.
A judge ruled earlier this year that Apple no longer can block developers from adding links to alternative payment systems within apps, but stopped short of labeling Apple a monopolist. Apple is appealing that ruling, but the judge’s decision is going into place next month.
The Google case is slightly different from the one against Apple. While Apple only allows companies to download apps from the App Store, Google does let Android users download apps directly from the Internet. However, in its lawsuit, Epic has tried to show that Google takes various steps to disadvantage developers who choose that option, as Epic did for nearly two years with Fortnite.
Google’s ‘Fortnite Task Force’
In Monday’s filing, Epic said it found documents in discovery that Google had assembled an internal “Fortnite Task Force” that met daily to discuss strategies to limit the success of Fortnite on Android. One note from the task force, which met in August 2018, states: “Ultimately we want Samsung to stop this kind of stuff (enabling the [Fortnite] installer).”
Epic added that Google rushed to get the news out about Fortnite’s potential security flaw, ignoring custom that traditionally let developers create a fix for a security flaw before announcing it. The potential flaw, Google warned, could have exposed a user’s data or helped bad actors launch rogue apps onto an Android phone.
“Google did this despite knowing that many users were still exposed to the vulnerability,” Epic’s lawyers write. “Epic had promptly remedied the vulnerability with a patch that took effect the next time a user launched the Fortnite app, so consistent with typical industry practice, Google should have waited up to 90 days to allow more users to launch the app and become protected before making the bug public.”
Instead, Epic claims, Google wanted to rush to get the word out about the potential bug “in order to deter developers from launching outside of Google Play and maintain Google’s monopoly over Android app distribution.”
‘Not a critical security vulnerability’
Beyond using the bug as a chance to hit Epic in public — the new filing claims Google pushed news of the security bug to friendly news outlets — Epic claims the security flaw didn’t warrant loud alarms in the first place.
Citing emails and documents turned over in discovery, Epic said that Google employees said internally that “[t]he Fortnite example is also not a critical security (or even high) vulnerability.”
Rather, Google personnel observed that the Fortnite vulnerability posed zero risk to a user unless their device had already been compromised by a different app.
One Google engineer at that time is quoted as saying, “I’m OK with showing a ... vulnerability warning on apps opportunistically but I don’t think we’re actually protecting users with it,” the engineer said.
“Exploitation of app-level vulnerabilities has been basically non-existent in 10 years of Android security history,” the engineer added.
Epic also highlighted an internal message from Android’s head of security that seemed to indicate the security concerns were overblown.
“I looked at our typical (security) warning and it really does seem inappropriately dire for many of the kinds of (vulnerabilities) we’re seeing from OEMs and other developers,” the individual wrote.
This story was produced with financial support from a coalition of partners led by Innovate Raleigh as part of an independent journalism fellowship program. The N&O maintains full editorial control of the work. Learn more; go to bit.ly/newsinnovate.
This story was originally published November 15, 2021 at 5:23 PM with the headline "Epic Games says Google overstated Fortnite security flaw in effort to hurt company."
