Huawei AppGallery Vulnerability Allows Free Download Paid Apps

Due to an API vulnerability, users of Huawei’s own app store, AppGallery, can currently download free apps that would actually cost money. Huawei promises to solve the problem before May 25.

Due to the vulnerability, someone with the discovered by developer Dylan Roussel api received a json report containing an apk download link of an application of your choice. Due to a lack of further security by the AppGallery via this route, it is irrelevant whether a user has paid for an application or not. Roussel successfully installed several paid apps thanks to the vulnerability. Only a game that itself did a license check after installation did not work; developers can therefore prevent the vulnerability themselves.

According to Roussel, on the other hand, the cause of the problem is emphatically with Huawei; the AppGallery would no longer apply any further security or authentication. Developers could lose a lot of revenue as a result and are vulnerable to software piracy.

Huawei would therefore have been informed immediately; Roussel discovered the vulnerability in February and initially received a prompt response from the Chinese company. After failing to resolve the issue, he sent follow-up emails that went unanswered for 13 weeks after the initial email. Meanwhile, Huawei has acknowledged the vulnerability and is working on a fix that should be implemented in all regions in a few days.

Due to sanctions from the US government, Google has been banned from providing services to Huawei since the end of 2019, effectively blocking Android and the Play Store for the Chinese brand, among other things. Meanwhile, Huawei has alternatives for most services, including the AppGallery as its own app store.