Fortnite Skipping Google Play to The Detriment of User Security

Epic is skipping Google’s Android app store (the advertising publisher calls it Google Play as if that meant anything) for their upcoming Android version of the free-to-play Fortnite (which is already on iOS and almost every gaming and computing platform.) There’s a beta signup here and the compatibility situation on Android is already a nightmare, check out the list of supported devices. It is extremely specific and the few Android devices I have aren’t supported.

Epic’s Tim Sweeney was pretty straightforward about why they’re avoiding Google’s app store in this interview with Dean Takahashi:

There’s typically a 30/70 split, and from the 70 percent, the developer pays all the costs of developing the game, operating it, marketing it, acquiring users and everything else. For most developers that eats up the majority of their revenue. We’re trying to make our software available to users in as economically efficient a way as possible. That means distributing the software directly to them, taking payment through Mastercard, Visa, Paypal, and other options, and not having a store take 30 percent.

I’m not sure how well this is going to work out for people playing Fortnite. Google’s app store security is awful and routinely distributes software that compromises user privacy and security already, but at least they can moderate that. To get started with Fortnite on Android users are going to have to disable built-in security functionality that disallows third-party apps. Sideloading applications is useful and should be possible on any computer we use, but there are going to be negative consequences for users who don’t fully understand the risks involved.

Parents and tech savvy folks helping their friends and family are going to be busy when they realize their devices are compromised by installing a phony version of Fortnite, or a version that works but steals their credit card data. Try searching your favorite web search engine for the premium currency in the game, “Fortnite Free V-Bucks”, those scammers are oiled up and ready for anyone who falls into their trap.

Julia Alexander investigated the versions of these “V-Buck” scams that run on YouTube:

Since Fortnite’s meteoric rise, there have been multiple YouTube videos running as ads that pitch Fortnite players easy ways to get free V-Bucks. (V-Bucks are Fortnite’s premium in-game currency, which lets them purchase limited-edition skins, gear and weapons.) Search “free V-Bucks” in YouTube’s search bar, and more than 4.3 million results will populate.

Apple Has a Patch out for the macOS Root Access Security Vulnerability

Go to the Updates tab in the Mac App Store to apply it now, you won’t even need to reboot. Apple has more details about the update at this link.

Here’s the post from yesterday with the details of the vulnerability.

Update:
If you have any trouble with file sharing after applying this security patch Apple has another fix for that, oops.

The macOS Root Access Security Vulnerability

There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access. Or, if they already have an account, upgrade their access to the system administrator (root) level.

You can work around the issue by setting a root password as described in this support document from Apple. They’re working on fixing it.

The vulnerability works like this:

  1. At any login or a privilege escalation dialog a user types in the username root
  2. The user hits the login button or enter a few times in quick succession
  3. The system enables the root user account and assigns it no password.

This is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was also apparently publicly available on Apple’s developer forums weeks ago.

Uber Hid Hack of Data From 57 Million Users & Drivers

Bloomberg’s Eric Newcomer:

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Android Users’ Location Information Is Always Being Sent to Google

Quartz’ Keith Collins:

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Google claimed they weren’t doing anything with the data received from Android devices, and says they’ll stop doing it (at the end of the month) now that they’ve been caught by Quartz.

I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.

You can bet that companies like Google (photos), Facebook and their subsidiaries such as Instagram, and Twitter, also scrape location information whenever you upload photos to their services by reading the EXIF data attached to every photo. You can download apps like Metapho on iOS to remove the EXIF information from your photos before you share them.