- A flaw in Huawei’s AppGallery can be exploited to download paid Android apps for free.
- The issue remains unresolved weeks after a developer brought it to Huawei’s attention.
A newly discovered vulnerability in the Huawei AppGallery makes it possible for anyone to download paid apps for free.
Since the US ban, Huawei phones have not had access to the Google Play Store to download apps. The Chinese OEM instead offers its own AppGallery, which is part of its Huawei Mobile Services suite.
The latest flaw in Huawei's app store was discovered by Android developer Dylan Roussel. Essentially, the AppGallery's API applies no protection to paid apps: it takes a bit of work and some technical know-how, but with that, anyone can obtain an APK link for a premium app and download it without paying anything.
Roussel was able to download and use multiple paid apps by exploiting the vulnerability. He notes that the problem does not stem from developers failing to enable license verification in their apps; it is an issue that Huawei needs to resolve on its end.
Not only does this rob developers of potential earnings, it is also an accessible doorway for app piracy: an attacker could use the API to download a large number of paid apps without ever going through the AppGallery.
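The design point behind the preceding paragraphs is that a store's download endpoint, not the app it serves, is the place where a purchase has to be verified. The following is an added illustration of that store-side check, not Huawei's code and not the real AppGallery API: it is a hypothetical in-memory store with the flawed pattern (any app id yields an APK link) beside the corrected one (the link is issued only when the store's own purchase ledger records a purchase), plus a simple count of downloads per user that a store operator could use to spot the bulk-download scenario described above. All app ids, user names, URLs and prices are constructed for the example.

```python
"""Hypothetical app-store download endpoint with a store-side entitlement check.

Added example; not Huawei AppGallery code and not its real API. Every app id,
user, URL and price below is a constructed sample value.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class App:
    app_id: str
    price_cents: int      # 0 means the app is free
    apk_url: str          # link the store hands out to an entitled caller


@dataclass
class Store:
    apps: Dict[str, App]
    # user -> set of app ids that user has paid for (the store's own ledger)
    purchases: Dict[str, Set[str]] = field(default_factory=dict)
    # (user, app_id) for every link actually issued, for later review
    download_log: List[Tuple[str, str]] = field(default_factory=list)

    def record_purchase(self, user: str, app_id: str) -> None:
        self.purchases.setdefault(user, set()).add(app_id)

    def get_download_url_weak(self, user: str, app_id: str) -> Optional[str]:
        """Flawed pattern: the endpoint returns the APK link for any known app id
        and never consults the purchase ledger. A license check inside the app
        cannot repair this, because the APK has already left the store."""
        app = self.apps.get(app_id)
        return app.apk_url if app else None

    def get_download_url(self, user: str, app_id: str) -> Optional[str]:
        """Corrected pattern: free apps are served to anyone; a paid app is served
        only when the store's ledger shows this user bought it."""
        app = self.apps.get(app_id)
        if app is None:
            return None
        if app.price_cents > 0 and app_id not in self.purchases.get(user, set()):
            return None  # no entitlement: the caller must pay first
        self.download_log.append((user, app_id))
        return app.apk_url

    def bulk_downloaders(self, threshold: int) -> List[str]:
        """Users who were issued more than `threshold` links; a crude signal
        for the mass-download piracy pattern an operator would want to review."""
        counts = Counter(user for user, _ in self.download_log)
        return sorted(u for u, n in counts.items() if n > threshold)


def make_demo_store() -> Store:
    """Constructed catalogue: one paid app, one free app."""
    return Store(apps={
        "com.example.paidapp": App("com.example.paidapp", 299,
                                   "https://cdn.example.invalid/paidapp.apk"),
        "com.example.freeapp": App("com.example.freeapp", 0,
                                   "https://cdn.example.invalid/freeapp.apk"),
    })


if __name__ == "__main__":
    store = make_demo_store()
    # The weak endpoint leaks the paid APK link to a user with no purchase.
    print("weak:", store.get_download_url_weak("alice", "com.example.paidapp"))
    # The corrected endpoint refuses until the purchase is on the ledger.
    print("hardened, unpaid:", store.get_download_url("alice", "com.example.paidapp"))
    store.record_purchase("alice", "com.example.paidapp")
    print("hardened, paid:", store.get_download_url("alice", "com.example.paidapp"))
```

The decisive difference between the two handlers is where the check lives: `get_download_url` consults state only the store controls, so nothing a client sends can flip the outcome. The `bulk_downloaders` helper shows the kind of review a store operator could run over its own issuance log; it is a constructed heuristic, not a Huawei feature.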
Roussel informed Huawei about the flaw in February and gave the company five weeks to fix the problem. Weeks later, the issue persists: paid apps can still be downloaded freely from the AppGallery. We assume it will not be long before the company fixes things. It recently acknowledged Roussel's email and assigned an ID to the vulnerability. It also offered him a bug bounty, which he declined for personal reasons.