Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Researchers Say (androidcentral.com) 39
Epic decided to ditch Google Play Store for its sleeper hit Fortnite. By doing so, while Epic may have saved some money that it would have had to split with Google, it also ran into an issue that it could have avoided had it not parted ways with Google. AndroidCentral reports: Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.
[...] When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic. The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack.
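The "man-in-the-disk" pattern in the story is a race: an installer writes a downloaded package to storage that other apps can also write to, and a hostile app swaps the file before the installer hands it to the platform. The simulation below is an added illustration, not Epic's installer code or Google's report; the file names, digest pinning and the `scenario()` harness are constructed. It shows the window between staging and install, an installer that trusts whatever is on disk (the flaw class), and one that re-hashes the file against a digest pinned from the bytes it actually received (the defensive check).

```python
"""Simulate a man-in-the-disk swap and the digest check that defeats it.

Constructed example. A downloader stages a package on disk, a second
process overwrites it during the race window, and two installers are
compared: one that trusts the file at install time and one that refuses
a file whose SHA-256 no longer matches the digest pinned at download.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Tuple

# Constructed stand-ins for the genuine package and for swapped-in content.
GENUINE_PACKAGE = b"PK\x03\x04 genuine-game-package (constructed bytes)"
HOSTILE_PACKAGE = b"PK\x03\x04 swapped-in-package (constructed bytes)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def stage_download(staging_dir: Path, payload: bytes) -> Tuple[Path, str]:
    """Write the fetched package to disk and pin its digest in memory.

    The digest is computed from the bytes received over the network, not
    re-read from disk later, so an on-disk swap cannot alter the reference.
    """
    staging_dir.mkdir(parents=True, exist_ok=True)
    target = staging_dir / "game.apk"  # constructed file name
    target.write_bytes(payload)
    return target, sha256_hex(payload)


def other_app_overwrites(path: Path, payload: bytes) -> None:
    """Model a second app with write access to the shared staging directory."""
    path.write_bytes(payload)


def install_unverified(path: Path) -> bytes:
    """Installer that trusts whatever is on disk at install time (the flaw class)."""
    return path.read_bytes()


def install_verified(path: Path, pinned_sha256: str) -> bytes:
    """Installer that re-hashes the file and refuses on mismatch (the check)."""
    data = path.read_bytes()
    if sha256_hex(data) != pinned_sha256:
        raise ValueError("staged package does not match pinned digest; refusing install")
    return data


def scenario(verify: bool) -> str:
    """Run the race once; returns 'hostile', 'genuine' or 'refused'."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "shared"  # models a directory other apps can write
        path, pinned = stage_download(shared, GENUINE_PACKAGE)
        other_app_overwrites(path, HOSTILE_PACKAGE)  # the race window
        try:
            installed = install_verified(path, pinned) if verify else install_unverified(path)
        except ValueError:
            return "refused"
        return "genuine" if installed == GENUINE_PACKAGE else "hostile"


if __name__ == "__main__":
    print("unverified install:", scenario(verify=False))  # hostile
    print("verified install:  ", scenario(verify=True))   # refused
```

The check only helps if the staging location cannot be rewritten by the installer's peers or, failing that, if the reference digest lives somewhere those peers cannot reach (memory or app-private storage), which is why the pinned value here is never written next to the file it protects.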
That's just Epic's stupid way of doing things (Score:2, Insightful)
They have an installer for everything, or a "launcher" which is a repackaged web browser that downloads things for you or lets you access their web store for content.
Epic could let you just download directly from your browser but then the walled garden Apple wanna-be aspirations would be gone.
Comment removed (Score:5, Informative)
Re: (Score:1)
Yeah it is stupid to make sure the apps are safe. It should be a free service. College for all, free medical care, diners that stay open for nostalgia while losing cash, you know the old smash and grab politics of the left. Wave the flag get your head beat in because fascism or whatever they hate today. But it has to be free see.
Gee, it's shit like this that makes me think the world has gone downright insane; there is no real left wing movement in America. There is one party, the party of big business, with its two wings, Republicans and Democrats.
Indeed, America is filled with raging communists, given the bottom 80% of society holds a meager 5% of the total financial wealth of the economy.
https://whorulesamerica.ucsc.e... [ucsc.edu]
If numbers and science were anything to go by, if you are working class or poor and aren't left wing and american,
Re: (Score:2)
it's like a boot disk... (Score:1)
can I say... (Score:2)
Epic Fail?
Re: (Score:2)
Exactly this and my thoughts.
What this says to me is there's no checks on an application calling files belonging to another within Android.
Granted, security apps would need this ability, but by default Android should block this and only grant it by given permission, and in that case it doesn't seem like the Play Store would have helped, as there are other Android apps I've downloaded from the Play Store that do similar things (including with purchasing optional add-ons, etc.)
private Galaxy Apps API (Score:2)
Leave it to Samsung to write code that allows apps to install without asking you to confirm permissions.
Android is open! Android is free! (Score:2)
Android is broken... but you can fix it yourself with the source code!
Color me obvious (Score:2)
If I ever got a mod point I'd probably give that one a funny, though there's an element of insight, too. Other aspects of the problems are too obvious for comment.
Instead, I'll just ask again for solution approaches. Obviously signed code from reliable sources is one, but I'd prefer to see the Google stop abusing everyone and start using some of the information in our favor. In the Android app case, that would involve sharing the financial information to help the potential victims recognize the probably cro
Makes me wonder... (Score:2)