
Sean Hollister

Senior Editor

    Sean Hollister
    Google is establishing Kleidermacher’s security bonafides.

    “I’ve dedicated my entire career to it — over 30 years,” he says. He was CSO at BlackBerry, is an engineering VP not just for Android but also Google hardware, manages 400 employees at Google, and is walking us through both high-level terms like malware and spyware as well as some specific examples.

    He answers immediately and confidently every time, often addressing the jury when he explains a concept.

    “If we removed those consent screens, more users would be harmed and that would hurt security at Android,” he says of the Unknown Sources sideloading process.

    Sean Hollister
    Psst... want to just read Google’s Fortnite bug report and see a demo video? It’s still right here:

    Sean Hollister
    “If there was malware on the device, it could have replaced the Fortnite application entirely — it could replace it with malware.”

    Kleidermacher on how bad actors could have taken advantage of the Fortnite launcher bug.

    From the RAW MEETING NOTES earlier:

    the installation really is a two-part issue - it’s a fortnite problem as well as a Samsung problem - Fortnite downloads to a public storage space, and Samsung has a whitelist that can easily be spoofed.

    Samsung should be doing an actual signature check.
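For readers wondering what “an actual signature check” looks like on the installer side, here is an added Android example (not Samsung’s, Google’s or Epic’s code) that pins the APK’s signing certificate instead of trusting its package name, and copies the file out of shared storage before checking it so the bytes verified are the bytes installed. The pinned digest, the cache-dir path and an API 28+ device are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added illustration (not any vendor's code): trust the signer, not the name or the download path. */
public final class SideloadVerifier {
    // Placeholder: SHA-256 of the publisher's signing certificate (DER form), obtained out of band.
    private static final byte[] PINNED_SIGNER_SHA256 = new byte[32];

    /**
     * Copies the downloaded APK out of world-readable/writable storage, then accepts it only if
     * the private copy declares the expected package name AND is signed by the pinned certificate.
     * Returns the private file to install from, or null to refuse.
     */
    public static File verifyForInstall(Context ctx, File publicApk, String expectedPackage)
            throws IOException, NoSuchAlgorithmException {
        // 1. Move the bytes where another app cannot rewrite them between the check and the install.
        File privateApk = new File(ctx.getCacheDir(), "pending.apk");
        Files.copy(publicApk.toPath(), privateApk.toPath(), StandardCopyOption.REPLACE_EXISTING);

        // 2. Parse the private copy's signing information (GET_SIGNING_CERTIFICATES is API 28+).
        PackageInfo info = ctx.getPackageManager().getPackageArchiveInfo(
                privateApk.getPath(), PackageManager.GET_SIGNING_CERTIFICATES);
        if (info == null || info.signingInfo == null) return null;

        // 3. The package name alone proves nothing: any APK can claim it.
        if (!expectedPackage.equals(info.packageName)) return null;

        // 4. An APK with several signers cannot be pinned to one certificate; refuse it.
        if (info.signingInfo.hasMultipleSigners()) return null;

        // 5. Pin the certificate the APK contents are actually signed with, compared in constant time.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Signature signer : info.signingInfo.getApkContentsSigners()) {
            byte[] digest = sha256.digest(signer.toByteArray());
            if (!MessageDigest.isEqual(digest, PINNED_SIGNER_SHA256)) return null;
        }
        return privateApk; // hand this path to the installer, never the public one
    }
}
```

A whitelist keyed on package name, as the meeting notes describe, is defeated by step 3 alone; the pin in step 5 is what the notes mean by a real signature check.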

    On why Google disclosed the bug publicly before 90 days:

    “It is common in security research teams to disclose vulnerability information after the vulnerability is fixed,” so that others can learn from it and contribute to security research that protects others later.

    Won’t say I told you so, but then, why did Google move to a 90-days-no-matter-what timeline in 2020?

    Sean Hollister
    It’s Google’s turn to talk Android security.

    Epic has passed along the witness — but not before pointing out that Google tipped off a security reporter for Wired, in addition to Android Central, and that Kleidermacher could not recall another time that Google tipped off a reporter in addition to releasing a blog post about a vulnerability.

    (As a reporter, I can tell you that reporters are tipped off all the time about all sorts of things, but that good reporters only chase worthy stories and don’t let companies steer them.)

    Sean Hollister
    “The 90-day disclosure deadline or time limit is industry standard, yes.”

    Kleidermacher, in an old deposition. After some discussion in a taskforce Google formed to discuss the issue, Google’s Edward Cunningham did indeed give Epic a 90-day disclosure deadline to fix it, according to an email we just saw in court from August 15th, 2018. Epic claims the bug was fixed on August 16th, one day later.

    But in the taskforce’s meeting notes, Google decided to reveal the bug far earlier:

    DECIDED: Ed to flip the bug on 8/24 at early morning LON time (just past the precise 8/23 4:12pm 7 day extension) then Shannon can tip people off on Fri 8am if nobody has picked it up organically.

    They also discussed putting “three friendlies on it” (presumably three reporters or news outlets deemed “friendly” to Google) or passing the story to Lookout (presumably the mobile security company that often publicizes bug disclosures).

    This all sounds shady on its face, but won’t Google just point out that the bug was fixed and the 90 days was no longer required? (In 2020, Google’s Project Zero team decided to start disclosing at 90 days regardless of fix status.)

    Sean Hollister
    Why Google decided to plant the Fortnite bug story, it seems:

    Part of a document labeled RAW MEETING NOTES:

    PR strategy

    DaveK: Users are at risk in several ways, many copycats, it’s just a mess; somebody (Google?) should be telling the world how bad this is. Can we say it? Or will Epic just refuse to work with us?

    Sameer: Ultimately we want Samsung to stop this kind of stuff (enabling the FN installer), we want other developers to realize this is complicated and there’s a lot of ways to mess up, and as a result of those 2 we want FN to feel the pressure and make fixes, and we want the world to know that this is not safe to do this. We need to make it safe and have an aggressive future action for GPP. We need to lay down a case for the reasons why we have to do this. On Samsung - what is the best way to make them feel a tremendous amount of heat?

    JamieK: I should hear back from ES this afternoon, his team is looking into it. A chance he may conclude that they think this is stupid and they should not be doing this - 50/50 chance. If they don’t, then we need to tell them about this and the additional vulnerabilities they are enabling.

    DaveK is Android security head Dave Kleidermacher, Sameer is VP Sameer Samat, and JamieK is Google’s product manager in contact with Epic Games.

    Sean Hollister
    “That would be a clever way for them to avoid the unknown sources friction entirely.”

    Kleidermacher, in an August 2018 email about the “fake Fortnite” bug that Google planted a story about in the press.

    It wasn’t long before a member of the Android security team suggested that perhaps Google should make this public:

    “(A Project Zero style external bug would be the most fun!),” they wrote.

    We’re now seeing notes from the internal meeting where Google discussed what to do about it.

    Sean Hollister
    Epic just showed Google has the technical capability to whitelist “known” apps outside the Play Store.

    One Googler wrote:

    I would appreciate if we could whitelist the official Fortnite before launch. I don’t want to get in a situation where any of the automated scorers (or any human really) flags Fortnite accidentally. HR fallout would be severe.

    Kleidermacher says Google doesn’t take such things into account for Unknown Sources, though. Again, it’s an operating system level flag.

    Sean Hollister
    Google admits it could theoretically review and digitally sign sideloaded apps so users could directly download them.

    “That seems possible,” says Kleidermacher. Epic did not ask why Google has not done this — I humbly suspect the answer is that it would be quite an undertaking.

    Now we’re talking about Google Play Protect, which automatically scans apps for malware. It’s recently been getting better at blocking malicious apps but didn’t block predatory loan apps and some knockoff apps in a TechCrunch test.

    Sean Hollister
    The “dumpster fire.”

    We’ve covered bad apps at The Verge for a while, particularly on the Apple side of things, and Epic is now casually suggesting that Google Play is no better than a direct app download from a website because Kleidermacher once called it a dumpster fire and, separately, said, “We’re not particularly good at keeping knockoffs off the store.”

    I don’t know if Epic’s sticking the landing here with so few visceral examples of bad apps (we saw just two user reviews calling out a scam, and the title S-ON Sexual Therapy), but Kleidermacher did amusingly suggest that Google allows users to download the bad apps without warnings because of user consent.

    “There is user consent in one place, there is not user consent in the other place,” he said.

    Epic pounced — how could a user’s decision to download an app from a website not constitute consent? Kleidermacher suggested the consent comes as part of Unknown Sources: “You’d have to authorize the browser to install first.”