Dylan Roussel has found a new vulnerability in the Huawei AppGallery app. He discovered that the API Huawei is using offers no protection at all for paid apps. In other words, anyone can download paid apps for free from Huawei AppGallery. With some technical knowledge, a person can easily obtain an APK link for any premium app and download it free of cost.
Things haven’t turned out to be the best for the company for some time now. First, the US ban meant it cannot access the Google Play Store. As a result, the company had to launch its own app store, which is also becoming a headache for Huawei.
Roussel demonstrated the Huawei AppGallery vulnerability by downloading and using multiple paid apps
Dylan downloaded multiple paid apps and used them for free by exploiting the vulnerability. On top of that, he also mentioned that this is not a problem on the developers’ end. On the contrary, this is an issue on Huawei’s end, which it needs to resolve quickly. Yet it has been many days since knowledge of this vulnerability became public.
This is a serious issue considering the consequences. First, it will have a direct impact on developers’ potential earnings. Second, it will increase the chances of app piracy. More importantly, it will also affect the trust developers have in Huawei, not because of the vulnerability itself but because the company has gone so long without resolving it. You will find more details about the issue here.
What’s more, attackers don’t even need to use AppGallery to download the app. Instead, they can use the API and download a large number of paid apps.
Roussel informed Huawei about the vulnerability in February
Dylan sent the first email about the flaw to Huawei in February. However, the company neither replied to his email nor fixed the flaw. People could still download paid apps for free even after 13 weeks. The issue has since become a hot topic, and we believe that a fix is not far away. The company has acknowledged the flaw and assigned an ID to the vulnerability. In fact, the company even offered Dylan a bug bounty, but he didn’t accept it.