A vulnerability has been discovered in Huawei Application Gallery which allows you to download paid applications for free.
Huawei says AppGallery is now the third largest app store worldwide, serving more than 600 million Huawei device users in more than 170 countries/regions.
Dylan Roussel, an Android developer, wanted to know how Huawei’s APIs worked. He discovered that an API took an app’s package name as a parameter and returned a JSON object with app details.
At first, he tested it with the AppGallery app itself, which is obviously free. One of the fields returned was a working URL to download the app’s APK.
“I remember thinking how crazy it would be if the field was also available for paid apps,” Roussel wrote in a blog post. “So my next step was to try to use the package name of a paid app.”
The download worked. Roussel then wondered if a license check would render the application unusable; but he was able to open and use the paid app successfully.
“When publishing an app on the AppGallery, developers expect a certain level of security,” Roussel added. “It shouldn’t be possible to download paid apps for free without any verification or anything.”
Roussel reported the vulnerability and received an email response five hours later. The response indicated that the matter would be investigated and asked to provide a disclosure plan. Roussel said he would allow a reasonable five weeks and asked to be kept informed, which Huawei agreed to.
The vulnerability was still not fixed after five weeks. Roussel says he sent two follow-up emails: one a few days before the deadline and one a few days after. He claims to have received no response to either.
13 weeks after the vulnerability was reported to Huawei; the vulnerability has not been patched and Roussel has not received any updates from the company. Additionally, Huawei has not informed its developer community about the vulnerability or whether they have been affected.
Huawei responded to an email sent a day before (May 17, 2022) Roussel published his message disclosing the vulnerability.
“Huawei has recognized the vulnerability and given it an identifier,” Roussel said. “They also offered a bounty, which I declined for personal reasons.”
The vulnerability remains unpatched and will be of concern to all developers publishing paid apps on AppGallery.
We reached out to Huawei to find out why the vulnerability hasn’t been patched in over 13 weeks, why developers haven’t been alerted, and whether Huawei disputes Roussel’s claims of a miscommunication.
We’ll update this post if we receive a response from Huawei giving their side of the story.
(Image credit: Huawei)
Related: Huawei’s AppGallery has nearly doubled its distributions in the past year
Do you want to rethink your digital transformation strategy? Learn more about Digital Transformation Week taking place in Amsterdam, California and London and learn about key strategies to make your digital efforts a success.