Huawei AppGallery Vulnerability Allows You To Download Paid Apps For Free

Huawei AppGallery Vulnerability is silently reducing the revenue of many app developers!


An Android app developer discovered a bug in the Huawei AppGallery that allows users to download paid apps for free without any difficulty. He found a loophole in the Huawei AppGallery API that let him download paid apps from the store.

Huawei is trying to recover from the U.S. ban and has its own app store, called “Huawei AppGallery.” But this major security loophole is hurting the earnings of both the store and app developers.

What is the Huawei AppGallery vulnerability?

Android developer Dylan Rousse was curious about how Huawei’s API worked. His developer friend released an app on the Huawei AppGallery, after which he began toying with the API. He noticed that his request returned a URL value which was the download link for the app. He didn’t expect the paid apps to return the download URL, but the response contained the download link.


Dylan Rousse was sure that the downloads were working and did not have additional security to prevent paid app downloads. He was also successful in installing the app on his phone. After that, he tried downloading 2 more apps and one game. Dylan was able to install all three of them but could only access two. The game has inbuilt DRM protection, which verifies if he is a paid user or not.
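The missing control described above is a server-side entitlement check before a download link is handed out. The sketch below is an added example, not code from the article or from Huawei; the catalog, purchase records, function names and signing key are hypothetical, constructed sample data.

```python
import hashlib
import hmac
import time

# Constructed sample data; every name here is hypothetical, not Huawei's API.
SIGNING_KEY = b"demo-key-rotate-in-production"
CATALOG = {"free.notes": {"price": 0.0}, "paid.editor": {"price": 4.99}}
PURCHASES = {("alice", "paid.editor")}  # (user_id, app_id) pairs with a paid order


def is_entitled(user_id, app_id):
    """Free apps are open to any signed-in user; paid apps need a purchase record."""
    app = CATALOG.get(app_id)
    if app is None or user_id is None:
        return False
    return app["price"] == 0 or (user_id, app_id) in PURCHASES


def sign(user_id, app_id, expires):
    """HMAC over user, app and expiry so a link cannot be reused by another account."""
    msg = f"{user_id}|{app_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def app_details(user_id, app_id, now=None):
    """Metadata response: the download grant is included only for entitled users."""
    if app_id not in CATALOG:
        return {"status": 404}
    now = int(time.time()) if now is None else now
    body = {"status": 200, "app_id": app_id, "price": CATALOG[app_id]["price"]}
    if is_entitled(user_id, app_id):
        expires = now + 300  # short-lived grant, bound to this user and app
        body["download"] = {"user": user_id, "expires": expires,
                            "sig": sign(user_id, app_id, expires)}
    return body


def serve_download(user_id, app_id, expires, sig, now=None):
    """File endpoint: re-check signature, expiry and entitlement before serving."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(sig, sign(user_id, app_id, expires)):
        return 403
    if now > expires or not is_entitled(user_id, app_id):
        return 403
    return 200
```

In-app license verification, like the DRM in the game mentioned above, is a second layer on top of this check rather than a replacement for it.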

What happened next?

Dylan immediately found the contact page and initiated communication with Huawei. He did receive a response and was assured that they would fix the vulnerability and keep him posted. The brand also asked for a disclosure period, and Dylan offered them five weeks to fix the vulnerability. They also offered a bug bounty, but he didn’t accept it for undisclosed reasons.

Huawei showed negligence and didn’t patch the vulnerability in time. Dylan received no response from the brand about the fix whatsoever and gave them some more time. His patience ran out after 13 weeks, and he decided to publish the news about the vulnerability which Huawei failed to fix.


Huawei AppGallery’s vulnerability is reducing developers’ profits with each passing day. Apps that lack DRM can be used without any worries. This makes the Huawei AppGallery a hot favorite for pirate groups to download all the paid apps. Dylan played the part of a good Samaritan to help fellow developers realize their loss. Huawei hasn’t fixed the vulnerability as of writing this post.

Abhishek Mishra
