A vulnerability has been discovered in Huawei’s AppGallery that enables paid apps to be downloaded for free.
Huawei claims that AppGallery is now the third-largest app store in the world—serving over 600 million Huawei device users in over 170 countries/regions.
Dylan Roussel, an Android developer, wanted to know how Huawei’s APIs worked. He figured out that one API took an app’s package name as a parameter and returned a JSON object with the details of the app.
At first, he tested it with the AppGallery app itself—which is obviously free. One of the fields returned was a working URL to download the app’s APK.
“I remember thinking to myself that it would be wild if the field was also available for paid apps,” wrote Roussel in a blog post. “So, my next move was to try using the package name of a paid app.”
The download worked. Roussel then wondered whether some license verification would make the app unusable, but he was able to open and use the paid app without any problem.
“When publishing an app on the AppGallery, developers expect a certain level of security,” added Roussel. “It shouldn’t be possible to download paid apps for free without any verification or whatsoever.”
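The flaw Roussel describes is a missing entitlement check: the metadata endpoint hands out a working APK link to anyone who knows a package name, whether or not the app was bought. The following Python sketch is an added illustration of that access-control pattern and its fix; it is not Huawei's code and not taken from Roussel's post, and every package name, account, path and signing key in it is constructed sample data. The vulnerable handler returns the link with the public metadata; the hardened handler returns it only for free apps or accounts with a recorded purchase, and then only as a short-lived URL bound to the account and protected by an HMAC that the download host re-checks.

```python
"""Added example, not Huawei's or Roussel's code: an app-details endpoint in a
vulnerable and a hardened form, plus the download-side URL verification."""
import hashlib
import hmac
import time
import urllib.parse
from typing import Optional

# Constructed catalogue: package name -> whether it is paid, and its APK path
CATALOGUE = {
    "com.example.freeapp": {"paid": False, "apk": "/apk/freeapp-1.0.apk"},
    "com.example.paidapp": {"paid": True, "apk": "/apk/paidapp-2.3.apk"},
}

# Constructed purchase ledger: account id -> set of package names bought
PURCHASES = {
    "user-1": {"com.example.paidapp"},
    "user-2": set(),
}

# Hypothetical server-side secret shared with the download host
SIGNING_KEY = b"constructed-secret-replace-in-production"
URL_TTL_SECONDS = 300
CDN = "https://cdn.example"


def app_details_vulnerable(package: str) -> dict:
    """Broken pattern: the download link is part of the public metadata, so
    any caller who knows the package name can fetch a paid APK."""
    entry = CATALOGUE[package]
    return {"package": package, "paid": entry["paid"],
            "downloadUrl": CDN + entry["apk"]}


def is_entitled(package: str, account: Optional[str]) -> bool:
    """Free apps need no purchase; paid apps require a ledger entry."""
    if not CATALOGUE[package]["paid"]:
        return True
    return account is not None and package in PURCHASES.get(account, set())


def _signed_url(apk_path: str, account: str, now: int) -> str:
    """URL bound to the account and an expiry; the MAC covers all three."""
    expires = now + URL_TTL_SECONDS
    msg = f"{apk_path}|{account}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    query = urllib.parse.urlencode({"acct": account, "exp": expires, "sig": sig})
    return f"{CDN}{apk_path}?{query}"


def app_details_hardened(package: str, account: Optional[str] = None,
                         now: Optional[int] = None) -> dict:
    """Fixed pattern: metadata is public, the download link is not."""
    now = int(time.time()) if now is None else now
    entry = CATALOGUE[package]
    details = {"package": package, "paid": entry["paid"]}
    if is_entitled(package, account):
        details["downloadUrl"] = _signed_url(entry["apk"], account or "anonymous", now)
    return details


def verify_download(url: str, now: int) -> bool:
    """Download-host check: reject URLs that are expired, tampered with, or
    missing their signature."""
    parts = urllib.parse.urlsplit(url)
    q = urllib.parse.parse_qs(parts.query)
    try:
        account, expires, sig = q["acct"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    msg = f"{parts.path}|{account}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print(app_details_vulnerable("com.example.paidapp"))          # leaks the link
    print(app_details_hardened("com.example.paidapp", "user-2"))  # no link
    print(app_details_hardened("com.example.paidapp", "user-1"))  # signed link
```

The design point is that the metadata and the download authorisation are separate decisions: the store can publish what an app is to anyone, but a link that fetches the APK is issued only after the purchase check, and it cannot be reused by another account or after a few minutes because the download host recomputes the MAC.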
Roussel reported the vulnerability and received a response via email just five hours later. The response said the issue would be investigated and asked him to provide a disclosure plan. Roussel said he would give Huawei a reasonable five weeks and asked to be kept updated, to which Huawei agreed.
The vulnerability was still not fixed after five weeks. Roussel says he sent two follow-up emails: one a few days before the deadline, and one a few days after. He claims to have received no response to either.
Thirteen weeks after the vulnerability was reported to Huawei, it still wasn’t fixed, nor had Roussel received any update from the company. Furthermore, Huawei hasn’t told its developer community about the vulnerability or whether they’ve been affected.
Huawei did respond to an email sent on 17 May 2022, a day before Roussel published his post disclosing the vulnerability.
“Huawei acknowledged the vulnerability and gave it an ID,” said Roussel. “They also offered a bounty, which I declined for personal reasons.”
The vulnerability remains unpatched and will be a concern to all developers publishing paid apps on AppGallery.
We’ve reached out to Huawei for a comment on why the vulnerability has remained unpatched for over 13 weeks, why developers haven’t been alerted, and whether Huawei disputes Roussel’s claims of a lack of communication.
We’ll update this post if we receive a response from Huawei giving its side of the story.