Fortnite developer and Google have an epic spat over vulnerability

Editor at TechForge Media. Often seen at global tech conferences with a coffee in one hand and a laptop in the other. If it's geeky, I'm probably into it.

Fortnite developer Epic is not too pleased with the way in which Google publicly disclosed a security vulnerability with the game’s Android installer.

Rather than pay the 30 percent cut which Google takes from distributing games through its Play Store, Epic decided to bypass the official app store in favour of its own installer.

Sideloading games poses an increased risk to consumers as it bypasses many of Google’s protections. In fact, before Android allows the installation of apps from third-party sources, the user must manually agree to the risks.

Many security experts warned of the potential dangers of Epic distributing Fortnite in this way, especially since many of its players are young and potentially more susceptible to installing fake copies of the game.

Google highlighted a vulnerability that affected the official installer whereby a ‘Man-in-the-Disk’ attack could be carried out. The downloaded file appears legitimate, but the APK is swapped for a modified copy just before it’s installed.

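When it discovers a bug, Google’s policy is to alert the relevant parties and give them 90 days to fix the issue before it’s shared with the defensive community. If it’s fixed sooner, Google will also share the vulnerability sooner.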

Epic fixed the problem the very next day, and so Google shared details of its findings. It’s likely Google was eager to share its findings to warn others of the dangers of bypassing the Play Store.

However, Epic was not happy with the disclosure, as older – still vulnerable – versions of the Fortnite installer for Android would still be out there.

In a comment to Mashable, Epic CEO Tim Sweeney wrote:

“Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at //issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”

The vulnerability specifically affected devices by Epic’s launch partner for Fortnite on Android, Samsung.

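Epic’s installer uses a "private Galaxy Apps API" on Samsung devices, which stores the downloaded file in Android's publicly-accessible external storage. In its bug report, Google notes that “using a private internal storage directory rather than external storage would help avoid this vulnerability.”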

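Because Samsung's API only checks that the APK being installed matches the package name ‘com.epicgames.fortnite’, a modified copy can be swapped in. Worse still, if the fake APK has a targetSdkVersion of 22 (Android 5.1 Lollipop) or lower, all the permissions it requests are granted at install time without the user's knowledge.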
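To make the difference between the package-name check and Google's recommendation concrete, here is an added example (not code from Epic, Samsung or Google) that models both on ordinary files. Assumptions: the "APK" is a constructed zip with a `package.txt` entry standing in for the manifest, a pinned SHA-256 stands in for real signature verification, and all function names are hypothetical.

```python
import hashlib, io, os, shutil, tempfile, zipfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"  # package name quoted in the article

def build_sample_apk(package, payload):
    """Constructed stand-in for an APK: a zip whose package.txt holds the
    package name (a real APK keeps it in a binary AndroidManifest.xml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.txt", package)
        z.writestr("classes.dex", payload)
    return buf.getvalue()

def weak_check(path):
    """The check the article describes: package name only."""
    with zipfile.ZipFile(path) as z:
        return z.read("package.txt").decode() == EXPECTED_PACKAGE

def hardened_stage(shared_path, pinned_sha256, private_dir):
    """Copy into an app-private directory first, then verify that private
    copy against the pinned digest. Returns the verified path or None."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    private_path = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_path, private_path)
    with open(private_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest != pinned_sha256:
        os.remove(private_path)  # never leave unverified content staged
        return None
    return private_path  # install from here, never from shared storage

def demo():
    """Return {label: (weak check passes, hardened check passes)}."""
    genuine = build_sample_apk(EXPECTED_PACKAGE, b"genuine build")
    modified = build_sample_apk(EXPECTED_PACKAGE, b"modified build")
    pinned = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared", "download.apk")
        os.makedirs(os.path.dirname(shared))
        for label, data in (("genuine", genuine), ("modified", modified)):
            with open(shared, "wb") as f:
                f.write(data)  # whatever sits on shared storage at install time
            staged = hardened_stage(shared, pinned, os.path.join(root, "private"))
            results[label] = (weak_check(shared), staged is not None)
    return results

if __name__ == "__main__":
    print(demo())
```

Verifying the private copy rather than the shared file matters: a check on the shared path can pass and the file can still change before it is installed.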

Earlier this month, Developer reported on a measure implemented by Google to warn users about fake Play Store apps like Fortnite.

What are your thoughts on the spat between Google and Epic Games regarding Fortnite on Android? Let us know in the comments.
