More from Epic v. Google: everything we learned in Fortnite court
Google CEO Sundar Pichai passed the buck to him. Will the buck stop with Walker? We’re about to find out:
In an internal Google document introduced by Google’s own attorneys on Wednesday, Android security boss Dave Kleidermacher showed that at one point Android was deemed to be at “-18 percent” on privacy and security compared to iOS.
“The result of their scoring shows iOS has an 18 percent advantage,” he explained.
A passage from the same presentation read:
The Google Play vetting process is less thorough than Apple’s app review so more malicious apps are allowed onto the platform. While Google Play Protect should mitigate this problem, it is not always successful.
Most of the attorneys for both sides have already returned to the courtroom. I’ve got my trusty blue squishy laptop holder thingy. And Google chief legal officer Kent Walker should be on the way.
We’ll be back covering the Epic v. Google trial at 2PM PT / 5PM ET today for Google chief legal officer Kent Walker, who will not appear before the jury — but may be key to what the jury eventually hears.
Protesters shut down all Bay Bridge lanes coming into San Francisco:
Courtroom personnel just told attorneys in Epic v. Google that it’s still not clear when we’ll begin due to the delay. Nor is it clear when we should expect an update, they say.
So for now, I’ll drop in some other tidbits I’ve learned during the trial.
Judge James Donato himself summoned Google’s chief legal officer to explain himself at 3PM PT — and Google spox Dan Jackson confirms to The Verge that he will show.
Walker will be grilled (sans jury) about a controversial issue surrounding the case — how Google appears to have systematically destroyed evidence by setting internal chats to auto-delete after 24 hours, did nothing to change that after being put on legal hold, and used “fake privilege” to keep internal conversations from being forwarded.
“I don’t want any buck passing,” said Donato.
Epic spokesperson Natalie Muñoz confirms to The Verge (and Epic confirmed earlier to WRAL TechWire) that Epic will call CEO Tim Sweeney as a witness today — subject to change.
It’s almost inconceivable that he would not appear if called: he has been sitting in the courtroom gallery all day every day, save day 2, in the best seat in the house — the first seat in the front row on Epic’s side, where you get a clear view of the jury, the judge, the witness, and the faces of Google’s lawyers.
Three sources in the courtroom confirm to The Verge that the court has announced a juror is running late. I heard, but have not confirmed, it’s because the San Francisco Bay Bridge has been shut down by protesters during the APEC summit going on today.
On the way to the courthouse this morning, I passed barricades near City Hall, reportedly for an APEC event being held at the next-door Asian Art Museum.
We’re looking at this article from Check Point Research, titled “Man-in-the-Disk: A New Attack Surface for Android Apps,” published August 12, 2018, which suggests that several Google apps — including Google Translate and Google Voice Typing — had the same vulnerability.
“We found that the developers failed to validate the integrity of data read from the External Storage. As such, our team was able to compromise certain files required by these apps, resulting in the crash of each of these applications,” wrote Check Point.
Epic suggests Google didn’t bother to publicize these issues the way it publicized the Epic flaw, instead just quietly fixing those apps.
And with that, we’re done for the day.
It’s Epic’s turn with the witness again, and its attorney is pointing out that Google’s sideloading screens still look like they’re designed to scare:
“Your phone and personal data are more vulnerable to attack by unknown apps. By installing apps from this source, you agree that you are responsible for any damage to your phone or loss of data that may result from their use.”
He suggests this makes it sound like Google Play comes with some kind of warranty that you’re waiving — but that Google Play doesn’t keep him from downloading bad apps, and Google won’t buy him a new phone if those bad apps damage it.
No, Kleidermacher didn’t whip out a phone in court — he came with a pair of videos he prerecorded. I started the stopwatch on my laptop as they fired up the video, and it took well under 30 seconds to sideload apps with just a few screens to click through — not 14 or 17 steps like Epic suggested. Google also pointed out that one warning screen came from the browser, not Android.
“Are these screens designed to keep users from sideloading?” asks Google’s lawyer.
No, Kleidermacher replies. He says it would make Android security harder to remove them: “The user doesn’t have a moment to reflect on the risk they’re taking and make an informed decision.”
Google asked the question that Epic knew it shouldn’t:
“As the head of Android security, do you think it would be feasible to provide the same level of protection to apps outside the app store as inside the app store?”
Kleidermacher’s answer: “We can’t make the internet safe.” I’m surprised he didn’t go further, honestly.
“I’ve dedicated my entire career to it — over 30 years,” he says. He was CSO at BlackBerry, is an engineering VP not just for Android but also Google hardware, manages 400 employees at Google, and is walking us through both high-level terms like malware and spyware as well as some specific examples.
He answers immediately and confidently every time, often addressing the jury when he explains a concept.
“If we removed those consent screens, more users would be harmed and that would hurt security at Android,” he says of the Unknown Sources sideloading process.
Kleidermacher on how bad actors could have taken advantage of the Fortnite launcher bug.
From the RAW MEETING NOTES earlier:
the installation really is a two-part issue - it’s a fortnite problem as well as a Samsung problem - Fortnite downloads to a public storage space, and Samsung has a whitelist that can easily be spoofed.
Samsung should be doing an actual signature check.
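The two weaknesses named in these notes and in the Check Point quote (a file staged in shared storage that is trusted when read back, and an allowlist keyed on a name the file declares for itself), shown as an added example that is not part of the original reporting or of any party's code. The package format, `ALLOWED_PACKAGES` and the function names are hypothetical, and a pinned SHA-256 digest stands in for the signing-certificate check a real installer would perform.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ALLOWED_PACKAGES = {"com.example.game"}  # hypothetical name allowlist


def install_by_name(staged: Path) -> bool:
    """Weak check: trusts a self-declared name read from shared storage."""
    return json.loads(staged.read_bytes())["package"] in ALLOWED_PACKAGES


def install_verified(staged: Path, pinned_sha256: str) -> bool:
    """Hardened check: hash the exact bytes about to be used and compare
    them with a digest that was obtained over a trusted channel."""
    data = staged.read_bytes()  # read once; hash and parse the same bytes
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        return False
    return json.loads(data)["package"] in ALLOWED_PACKAGES


def demo() -> dict:
    # Constructed sample package; not a real APK.
    genuine = json.dumps({"package": "com.example.game", "code": "v1"}).encode()
    pinned = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as shared:  # stands in for shared storage
        staged = Path(shared) / "update.pkg"
        staged.write_bytes(genuine)
        before = (install_by_name(staged), install_verified(staged, pinned))
        # Any other writer to the shared directory can swap the staged file
        # while keeping the allowlisted name inside it.
        swapped = json.dumps({"package": "com.example.game", "code": "replaced"})
        staged.write_bytes(swapped.encode())
        after = (install_by_name(staged), install_verified(staged, pinned))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The name check accepts the swapped file because the name is part of the data under the writer's control; the digest check rejects it because the pinned value is not. Staging the download in app-private storage removes the swap window as well.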
On why Google disclosed the bug publicly before 90 days:
“It is common in security research teams to disclose vulnerability information after the vulnerability is fixed,” so that others can learn from it and contribute to security research that protects others later.
Won’t say I told you so, but then, why did Google move to a 90-days-no-matter-what timeline in 2020?
Epic has passed along the witness — but not before pointing out that Google tipped off a security reporter for Wired, in addition to Android Central, and that Kleidermacher could not recall another time that Google tipped off a reporter in addition to releasing a blog post about a vulnerability.
(As a reporter, I can tell you that reporters are tipped off all the time about all sorts of things, but that good reporters only chase worthy stories and don’t let companies steer them.)
Kleidermacher, in an old deposition. After some discussion in a taskforce Google formed to discuss the issue, Google’s Edward Cunningham did indeed give Epic a 90-day disclosure deadline to fix it, according to an email we just saw in court from August 15th, 2018. Epic claims the bug was fixed on August 16th, one day later.
But in the taskforce’s meeting notes, Google decided to reveal the bug far earlier:
DECIDED: Ed to flip the bug on 8/24 at early morning LON time (just past the precise 8/23 4:12pm 7 day extension) then Shannon can tip people off on Fri 8am if nobody has picked it up organically.
They also discussed putting “three friendlies on it” (presumably three reporters or news outlets deemed “friendly” to Google) or passing the story to Lookout (presumably the mobile security company that often publicizes bug disclosures).
This all sounds shady on its face, but won’t Google just point out that the bug was fixed and the 90 days was no longer required? (In 2020, Google’s Project Zero team decided to start disclosing at 90 days regardless of fix status.)
Part of a document labeled RAW MEETING NOTES:
PR strategy
DaveK: Users are at risk in several ways, many copycats, it’s just a mess; somebody (Google?) should be telling the world how bad this is. Can we say it? Or will Epic just refuse to work with us?
Sameer: Ultimately we want Samsung to stop this kind of stuff (enabling the FN installer), we want other developers to realize this is complicated and there’s a lot of ways to mess up, and as a result of those 2 we want FN to feel the pressure and make fixes, and we want the world to know that this is not safe to do this. We need to make it safe and have an aggressive future action for GPP. We need to lay down a case for the reasons why we have to do this. On Samsung - what is the best way to make them feel a tremendous amount of heat?
JamieK: I should hear back from ES this afternoon, his team is looking into it. A chance he may conclude that they think this is stupid and they should not be doing this - 50/50 chance. If they don’t, then we need to tell them about this and the additional vulnerabilities they are enabling.
DaveK is Android security head Dave Kleidermacher, Sameer is VP Sameer Samat, and JamieK is Google’s product manager in contact with Epic Games.
Kleidermacher, in an August 2018 email about the “fake Fortnite” bug that Google planted a story about in the press.
It wasn’t long before a member of the Android security team suggested that perhaps Google should make this public:
“(A Project Zero style external bug would be the most fun!),” they wrote.
We’re now seeing notes from the internal meeting where Google discussed what to do about it.
One Googler wrote:
I would appreciate if we could whitelist the official Fortnite before launch. I don’t want to get in a situation where any of the automated scorers (or any human really) flags Fortnite accidentally. HR fallout would be severe
Kleidermacher says Google doesn’t take such things into account for Unknown Sources, though. Again, it’s an operating system level flag.
“That seems possible,” says Kleidermacher. Epic did not ask why Google has not done this — I humbly suspect the answer is that it would be quite an undertaking.
Now we’re talking about Google Play Protect, which automatically scans apps for malware. It’s recently been getting better at blocking malicious apps but didn’t block predatory loan apps and some knockoff apps in a TechCrunch test.
We’ve covered bad apps at The Verge for a while, particularly on the Apple side of things, and Epic is now casually suggesting that Google Play is no better than a direct app download from a website because Kleidermacher once called it a dumpster fire and, separately, said, “We’re not particularly good at keeping knockoffs off the store.”
I don’t know if Epic’s sticking the landing here with so few visceral examples of bad apps (we saw just two user reviews calling out a scam, and the title S-ON Sexual Therapy), but Kleidermacher did amusingly suggest that Google allows users to download the bad apps without warnings because of user consent.
“There is user consent in one place, there is not user consent in the other place,” he said.
Epic pounced — how could a user’s decision to download an app from a website not constitute consent? Kleidermacher suggested the consent comes as part of Unknown Sources: “You’d have to authorize the browser to install first.”
Epic is pointing out that though Google does create risk assessments of different developers on the Play Store, it chose (Epic’s words) not to use those systems to assess app downloads from websites.
“We have risk measurements for developers on the Play Store,” says Kleidermacher. (They’re explained here.)
“Generally speaking, the operating system views internet downloads as coming from an unknown source,” he said later.
Well, this wasn’t on my bingo card: Google’s VP of Android security once proposed “Project Cake,” a plan where there would be two classes of Android apps — a smaller number of “more curated” thoroughly vetted apps, representing as much as 90 percent of the downloads on the store, and a second set that would be less curated and vetted and might warn users about risk.
It never happened. “My proposal has not launched in that form,” says Kleidermacher.
Epic attorney Yonatan Even seems to be trying to suggest it was the genesis of the Unknown Sources idea that adds friction when users sideload apps — but hasn’t yet made a firm link.
It’s time to dig into the security argument. But Epic gets to dig into it first.
Is Google justified in charging its fees because it protects Android users?
Before the break, we saw Google present an internal slide that included the phrase: “75% of Android Owners say Google Play is a safe place to get apps even while less than half are aware of Google Play Protect.”