Epic's Fortnite Installer allowed to install anything on your Android phone (androidcentral.com)
33 points by kerng on Aug 25, 2018 | 11 comments



Epic Games provided the following comment from CEO Tim Sweeney:

"Epic genuinely appreciated Google's effort to perform an in-depth security audit [...]

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."


I like when "following standard practice, literally listed in the bug report and used 100's of times" is suddenly "counter-pr efforts"

type: vulnerability is new, but if you search the public bug tracker for the phrase "This bug is subject to a 90-day disclosure deadline",

It looks like they have been pretty darn consistent about unrestricting once the patch is available. Usually faster than 7 days! They have also held people to the 90-day requirement, and the 14-day grace extension they offer. This is true even when the reporter is a Googler or it affects only Google software.


This isn't a very serious bug, this cannot be exploited unless your phone already has malware on it.


This was posted previously here, for further discussions: https://news.ycombinator.com/item?id=17838887



Comment by MBCook in an earlier version of this post

>> "It wouldn’t surprise me if Google did this as a sort of backhanded way of saying “see what happens when you don’t use our App Store?”"

I don't disagree with Google's decision here. Epic is being incredibly reckless with their bypassing the Play Store.


While it'd be good for Android to have an option to trust a certain source once rather than leaving "unknown sources" open all the time, I'm glad companies are bypassing the Play Store. One company shouldn't be able to dictate the terms for all software distribution on a certain OS. That's not the way it's ever been on the desktop, and I don't want it to become the new norm in computing.


Why? These same people who download Fortnite use desktops and download applications from the internet all the time.


The Play Store is full of malware. The claim you are safer with it is marketing FUD that makes Google billions of dollars. Google runs a relatively poor malware scanner that is industry-worst (see below), and it's easy for people to make fake listings on it that look legitimate to the untrained eye, since anyone can submit there. (Meanwhile, the only game you can install from Fortnite.com is official.)

https://www.av-test.org/en/antivirus/mobile-devices/


The Play Store has plenty of malware in it already! I'd prefer a feature where one can download and whitelist apps (from any source) and have other things blocked.


It's a cute PR move from Google.



