- A flaw in Huawei’s AppGallery can be exploited to download paid Android apps for free.
- The problem remains unresolved weeks after the developer brought it up with Huawei.
A newly discovered vulnerability in Huawei AppGallery allowed anyone to download paid apps for free.
Since the US ban, Huawei phones have not had access to the Google Play Store for downloading apps. The Chinese OEM instead offers its own AppGallery, which is part of the Huawei Mobile Services suite.
The latest flaw in Huawei’s app store was spotted by Android developer Dylan Roussel. In short, the AppGallery API does not apply any protection to paid apps. It takes a little work and some technical know-how, but with those, anyone can obtain APK links for premium apps and download them without paying anything.
Roussel was able to download and use some of the paid apps by exploiting the flaw. He notes that the problem is not caused by app developers failing to enable license verification on their apps; it lies in the store itself, and it is one Huawei will have to solve eventually.
This not only robs developers of potential revenue, but is also an accessible entry point for app piracy. Attackers can use the API to download a large number of paid applications without even having to go through the AppGallery.
Roussel notified Huawei of the flaw in February and gave the company five weeks to fix the problem. Weeks later, the problem persists: paid apps can still be downloaded for free from the AppGallery. Still, we reckon it won’t be long before the company fixes things. It recently acknowledged Roussel’s email and assigned an ID to the vulnerability. The company also offered him a bug bounty, which he declined for personal reasons.