[UncleMeat]

Poppycock.

There are two ways to fix this. One is to not permit dynamic code loading or app installs off the Play Store. This is Apple territory and pisses people the hell off. The other is to not have any world writable filesystem at all. I guess you could do this, but this messes with features surrounding music and pictures that you do want to share between apps.

Epic literally could have used the private filesystem that is right there just for the purpose of having files that are protected from other apps.

[xigma]

No, this is a permissions problem. Reading and writing to an application directory does not cause any issues until some code in that directory starts running with privileges it shouldn't have.

It should not be possible for an application that happens to install other applications to bypass the user for specific permissions. The user must be asked explicitly.

This has nothing to do with being able to "sideload" apps or not. Sideloading apps is actually possible on iOS, it's just such an effort (getting a developer account) that it's rarely done in practice.

[HillaryBriss]

Yep. If I might add a footnote for HN reader convenience: Epic actually fixed it by following the second approach you mentioned.

According to Google issue tracker: "This patch changes the default APK storage directory from external to internal storage, which should prevent MITD attacks during the install flow."

https://issuetracker.google.com/issues/112630336#comment5