Epic Games has patched a critical man-in-the-disk (MiTD) flaw for the Android version of the wildly popular Fortnite game – although controversy has swirled after Google decided to ignore a 90-day disclosure request from the gaming company.
The issue exists in the Fortnite Installer, which downloads the Fortnite APK to external storage on an Android device. According to the Google team that reported the flaw, any app with the WRITE_EXTERNAL_STORAGE permission can substitute a malicious APK immediately after the download is completed and the fingerprint is verified.
The Man-in-the-Disk Vector
The MiTD issue arises from the way the Android OS is designed, as was revealed by Check Point at DEF CON 2018. The problem lies in the fact that Android’s OS makes use of two types of storage: Internal storage, which provides every app with its own sandbox; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS and all apps, because it’s designed to enable data to transfer from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.
There are loads of legitimate uses for this capability – but developers need to be careful not to expose critical information to external storage. In some applications, including Fortnite, this kind of developer oversight allows critical data that the application writes to the external storage to be accessed and replaced by interlopers. That results in malware being silently downloaded to the device.
“Apps monitor what’s being written to the shared external storage component – and an attacker can use this fact to ultimately replace that data to cause any number of results,” Check Point’s Orli Gan, head of threat prevention product management, explained in an interview with Threatpost. “The way an attacker uses this is that he would convince a user to download a conceivably naïve app – a flashlight, a game, something trivial. Once that app is installed, then the attacker has a way to continuously monitor that external storage – because all Android apps have visibility to it. He can see when apps are writing to that storage – and can simply replace its data with his own data.”
In the case of Fortnite, an attacker can replace the APK downloaded by the Fortnite Installer with his or her own malicious application.
“This is easily done using a FileObserver,” Google noted in its issue tracker and report to Epic Games, on August 15. It added that “On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.”
Also, if the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at the time of installation, the team said: “This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.”
As Google’s Android developer guidelines point out, using a private internal storage directory for the installation rather than external storage patches the vulnerability. Epic Games quickly issued just such a fix for the problem, only one day after the flaw was reported.
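To make the race described above concrete, here is an added simulation (not code from Epic Games, Google or Check Point) of the two install paths: the pre-fix pattern that downloads to shared external storage, verifies the fingerprint, then hands a path to the installer, beside the fixed pattern that downloads into an app-private directory and installs exactly the bytes it verified. Two fake "apps" run in one process; the second one stands in for any app holding WRITE_EXTERNAL_STORAGE with a FileObserver-style callback on the shared directory. The APK bytes, the SHA-256 "fingerprint", the directory names and the `package_installer` stand-in are all constructed for this example.

```python
"""Constructed simulation of the Fortnite Installer man-in-the-disk race and
of the fix described above (download to private internal storage).

Two fake "apps" live in one process: the installer and another app that holds
the equivalent of WRITE_EXTERNAL_STORAGE and registers a FileObserver-style
callback on the shared directory. All APK bytes and digests are made up.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for the real files; the "fingerprint" is a SHA-256.
GENUINE_APK = b"PK\x03\x04 genuine com.epicgames.fortnite apk (constructed)"
MALICIOUS_APK = b"PK\x03\x04 lookalike apk with the same package name (constructed)"
EXPECTED_FINGERPRINT = hashlib.sha256(GENUINE_APK).hexdigest()


class SharedStorage:
    """Stand-in for Android external storage: every app can write here, and a
    FileObserver-like mechanism tells listeners when files are written or read."""

    def __init__(self, root: Path):
        self.root = root
        self.observers = []  # callbacks registered by any app on the device

    def write(self, name: str, data: bytes) -> None:
        (self.root / name).write_bytes(data)
        self._notify("close_write", self.root / name)

    def read(self, name: str) -> bytes:
        data = (self.root / name).read_bytes()
        # Fired after the read completes, like FileObserver.ACCESS.
        self._notify("access", self.root / name)
        return data

    def _notify(self, event: str, path: Path) -> None:
        for callback in list(self.observers):
            callback(event, path)


class OtherApp:
    """Any third-party app with write access to shared storage."""

    def __init__(self, shared: SharedStorage, target: str = "fortnite.apk"):
        self.target = target
        self.swapped = False
        shared.observers.append(self.on_event)

    def on_event(self, event: str, path: Path) -> None:
        # Once the installer has read (verified) the file, the on-disk copy is replaced.
        if event == "access" and path.name == self.target and not self.swapped:
            path.write_bytes(MALICIOUS_APK)
            self.swapped = True


def package_installer(apk_bytes: bytes) -> bytes:
    """Stand-in for the system installer; returns the bytes it would install."""
    return apk_bytes


def vulnerable_install(shared: SharedStorage) -> bytes:
    """Pre-fix pattern: download to shared storage, verify, then install by path."""
    shared.write("fortnite.apk", GENUINE_APK)  # download completes
    if hashlib.sha256(shared.read("fortnite.apk")).hexdigest() != EXPECTED_FINGERPRINT:
        raise ValueError("fingerprint mismatch")  # passes: the genuine bytes were read
    # The path is re-opened for the install; whatever was written in between is installed.
    return package_installer(shared.read("fortnite.apk"))


def hardened_install(private_dir: Path) -> bytes:
    """Fixed pattern: download into app-private internal storage (Context.getFilesDir()
    on Android) and install exactly the bytes that were verified."""
    os.chmod(private_dir, 0o700)  # no other uid can write (or watch) this directory
    apk_path = private_dir / "fortnite.apk"
    apk_path.write_bytes(GENUINE_APK)
    data = apk_path.read_bytes()  # read once
    if hashlib.sha256(data).hexdigest() != EXPECTED_FINGERPRINT:
        raise ValueError("fingerprint mismatch")
    return package_installer(data)  # no second open of a path between check and use


def run_scenarios() -> dict:
    """Run both install paths with the other app present; return what got installed."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = SharedStorage(Path(tmp) / "sdcard")
        shared.root.mkdir()
        OtherApp(shared)
        private = Path(tmp) / "private_files"  # hypothetical app-private directory
        private.mkdir()
        return {
            "external_storage": vulnerable_install(shared),
            "private_storage": hardened_install(private),
        }


if __name__ == "__main__":
    for name, installed in run_scenarios().items():
        verdict = "GENUINE" if installed == GENUINE_APK else "MALICIOUS"
        print(f"{name}: installed {verdict} apk")
```

Running it shows the external-storage path installing the swapped file even though the fingerprint check passed, while the private-storage path installs the genuine bytes. Two things close the window: the private directory is outside the other app's write and observation scope, and the installer hashes and installs the same in-memory bytes rather than re-opening a path. The second property is worth keeping even when storage is private, since it removes the check-then-use gap entirely.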
“The patched launcher is version 2.1.0, and all existing installs should upgrade in place,” an Epic Games security manager said in the issue tracker.
An Epic Controversy
Subsequent to the patch being issued August 16, controversy has bubbled over regarding disclosure of the vulnerability. At issue is the fact that Google made the issue public after seven days, on August 24 – despite Epic Games asking for a 90-day timeline to complete its automatic update process.
“We asked Google to hold the disclosure until the update was more widely installed,” tweeted Tim Sweeney, CEO at Epic Games. “They refused, creating an unnecessary risk for Android users in order to score cheap PR points.”
He also elaborated on why the company requested 90 days: “There’s a technical detail here that’s important. The Fortnite installer only updates when you run it or run the game. So if a user only runs it every N days, then the update won’t be installed for N days. We felt N=90 would be much safer than N=7.”
Google has declined to comment on the accusation of irresponsibility, but third-party researchers have weighed in:
“I love how Epic are claiming that Google put Android users at risk, when it was Epic’s app that had a critical security flaw 🤔,” said security researcher Scott Helme, in a tweet. He later added, “Epic are perhaps missing the important point that this was found and responsibly disclosed rather than being found and weaponised against their users. They got free research, support and a heads up, and here they are complaining and trying to point fingers at them!!”
Some say that Google’s quick disclosure essentially serves Epic Games right for not listing the app in Google Play; rather, the app is only available on the Fortnite site. This would allow Epic Games to avoid the 30-percent commission on app sales that Google imposes.
The decision to bypass Google Play sparked controversy when the app was released in early August. Installing Android apps from sources other than Google Play means Android users need to disable default security settings to allow third-party installations; assuming not everyone would remember to turn those settings back on, it could open up users to malicious code down the road.
However, the MiTD flaw would not have been prevented by listing the app in Google Play. As Check Point’s Gan explained to us, the issue lies with how developers build their applications – there are no built-in protections against MiTD in the Android OS. In fact, roughly half of the Android apps in Google Play that Check Point examined did not comply with the guidelines and were open to MiTD flaws such as the one found in Fortnite. This even included Google-developed apps (since fixed), like Google Translate (see video embedded, below), Google Voice Typing and Google Text-to-Speech.
In any event, the controversy is unlikely to be settled anytime soon. “People will argue until the cows come home that a period is either too long or not long enough depending on which side you’re on,” tweeted Pen Test Partners security researcher Troy Hunt. “I’m still surprised Epic didn’t put it in the Play store to begin with (and yes, I get the financial incentive).”