Days after “Fortnite” said it would launch an Android app but circumvent Alphabet Inc.’s app store, Google found a major security flaw in the Android version of the game and publicly exposed both the flaw and a request to keep it quiet.
The flaw has since been repaired by Tencent Holdings Inc.-backed Epic Games Inc., which asked Alphabet not to disclose the information for 90 days. Google engineers refused and published the details of the exploit Friday — a week later — as well as the exchange with Epic’s developers.
When app makers circumvent the Alphabet-owned Google Play Store — or Apple Inc.’s similar app store — they avoid paying a 30% fee on sales made through their apps, but they do not receive some services included in the fee. “Fortnite” is the most high-profile instance of a developer publicly avoiding the Play Store while launching an Android app, but Friday’s security disclosure is now the most high-profile demonstration of the risks associated with that strategy.
AndroidCentral first reported the news late Friday.
Epic Chief Executive Tim Sweeney has praised open platforms like Android and even said he doesn’t take issue with digital stores for console games. But Google’s control over Android is another story, he has said, because he believes Google isn’t making the same amount of effort to market titles to consumers: So if Epic can avoid it, why not do so?
Instead of offering the app in Google’s Play Store, Epic offered it only as a direct download from the internet. After it was publicly posted on Aug. 9, Google researchers tested it and found the flaw, a serious one that would let any app on an Android phone download and run software without a user knowing.
Epic fixed the bug about a day after learning about it, or six days after “Fortnite” officially launched on Android. Users who downloaded the installer for “Fortnite” have likely already received an automatic fix Epic rolled out, but it’s unclear how many people downloaded the flawed Android app or if hackers had made use of the exploit. The Google security team also included a proof-of-concept video demonstrating how people could exploit the bug.
“Fortnite” may need the Android app to re-energize the hugely lucrative free-to-play game. “Fortnite” sales grew at a slower rate in July compared to the prior month, according to research published this week by SuperData, despite the launch of a new season. The free-to-play battle royale game became an outsize success in recent months, and has raked in millions of dollars a month on cosmetic upgrades and subscription sales.
Google and Epic did not immediately respond to a request for additional comment Friday afternoon.