A French developer has revealed a security flaw in Huawei’s AppGallery, the Chinese manufacturer’s application store: it allows paid applications to be downloaded for free.
Although the AppGallery is not widely used in France, it is used by millions of people elsewhere, and for good reason: Google services are missing from Huawei smartphones. While the Chinese brand is announcing a whole slew of products today, we learn that the French developer Dylan Roussel (originally from Inware) has just disclosed a security flaw in the AppGallery. He managed to download paid apps for free.
A discovery that starts from a simple curiosity
As he recounts in the blog post he published, Dylan Roussel wanted to study how Huawei’s API works. By sending a request to that API, he received various pieces of information about the requested application: app version, logo, images, description, permissions, release date, price, and so on. But there was something else: a URL. It is in fact the direct download link for the app. He had initially tested this with the AppGallery itself, so nothing alarming so far.
But curiosity always gets the better of us: he wondered whether it was possible to download paid applications through Huawei’s API. He tried with a first application, and was able to install it and use it without any problem. To confirm his intuition, he tried again with two other applications, again without any problem. When he tested a mobile game, however, he could not play it, since there was a license check at launch.
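The pattern described above, a metadata endpoint that hands out a working download link regardless of whether the app has been paid for, is worth contrasting with the design a store backend should use. The following is an added example written for this article; it is not Huawei’s API, not code from Dylan Roussel’s blog post, and every name, URL and catalogue entry in it is constructed. It shows the flawed shape (`app_details_unsafe`), the hardened metadata endpoint that never exposes the package location, and a download URL that is issued only after a server-side entitlement check, bound to the user and app, and short-lived, so that the CDN edge can reject links that were not legitimately issued. The launch-time license check that stopped the game in the article is the same entitlement check applied a second time, inside the app.

```python
"""Toy app-store backend (constructed example, not Huawei's API or Dylan Roussel's code).

Contrasts a metadata endpoint that returns a direct download link regardless of
payment with a design where the package location is only handed out after an
entitlement check, as a signed, short-lived URL the CDN can verify.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed catalogue and purchase records; all names and URLs are hypothetical.
CATALOGUE = {
    "com.example.freeapp": {"price": 0.00, "package_url": "https://cdn.example.invalid/freeapp.apk"},
    "com.example.paidapp": {"price": 4.99, "package_url": "https://cdn.example.invalid/paidapp.apk"},
}
PURCHASES = {("user-1", "com.example.paidapp")}  # (user, app) pairs that have paid

# Key shared between the store backend and the CDN edge; generated per run here.
SIGNING_KEY = secrets.token_bytes(32)


def app_details_unsafe(app_id):
    """The flawed pattern: public metadata includes the direct package URL, so
    anyone who can query metadata can fetch a paid package without paying."""
    app = CATALOGUE[app_id]
    return {"app_id": app_id, "price": app["price"], "download_url": app["package_url"]}


def app_details_safe(app_id):
    """Hardened metadata: the package location is never part of the public record."""
    app = CATALOGUE[app_id]
    return {"app_id": app_id, "price": app["price"]}


def _sign(user_id, app_id, expires):
    # HMAC over the exact tuple the CDN will re-check, so no field can be altered.
    msg = f"{user_id}|{app_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_download_url(user_id, app_id, now=None, ttl=300):
    """Issue a download URL only to an entitled user; the URL is bound to the
    user and app and expires after `ttl` seconds."""
    app = CATALOGUE[app_id]
    if app["price"] > 0 and (user_id, app_id) not in PURCHASES:
        raise PermissionError(f"{user_id} has no entitlement for {app_id}")
    now = int(time.time() if now is None else now)
    expires = now + ttl
    sig = _sign(user_id, app_id, expires)
    return f"{app['package_url']}?u={user_id}&a={app_id}&exp={expires}&sig={sig}"


def cdn_authorize(url, now=None):
    """CDN-side check: serve the package only if the signature is valid for the
    (user, app, expiry) tuple in the query string and the link has not expired."""
    query = parse_qs(urlparse(url).query)
    try:
        user_id = query["u"][0]
        app_id = query["a"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # bare package URL or malformed link: never served
    now = int(time.time() if now is None else now)
    if now > expires:
        return False
    return hmac.compare_digest(sig, _sign(user_id, app_id, expires))


if __name__ == "__main__":
    print("unsafe metadata:", app_details_unsafe("com.example.paidapp"))
    print("safe metadata:  ", app_details_safe("com.example.paidapp"))
    url = issue_download_url("user-1", "com.example.paidapp", now=1_000)
    print("entitled user, fresh link:", cdn_authorize(url, now=1_100))
    print("same link after expiry:   ", cdn_authorize(url, now=2_000))
    try:
        issue_download_url("user-2", "com.example.paidapp")
    except PermissionError as e:
        print("unentitled user:", e)
```

The point of the split is that the metadata endpoint can stay public and unauthenticated, while the only thing that can actually fetch a paid package is a link that the backend refused to create without a purchase record, and that the CDN refuses to honour once it has expired or if any field has been changed.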
Is the flaw being exploited?
As Dylan Roussel, who is also a contributor to 9to5Google, explains, it is not known whether this vulnerability is actively exploited, but “if so, developers and Huawei could lose some revenue”. The developer goes even further, saying that hackers “could use the API to download a large amount of paid apps in a relatively short period of time without having to pay for them and without even needing to go through the AppGallery”.
Huawei did not fix the vulnerability in its AppGallery
Also in his blog post, Dylan Roussel recounts how he contacted Huawei to inform the company’s developers of his discovery. Huawei told him that it would investigate the issue and asked him “not to disclose the problem before the end of the analysis”. Several weeks after this exchange, nothing has changed: Dylan Roussel writes that he sent two further emails, which went unanswered.
He had given Huawei five weeks before disclosing this flaw and then granted them “a few more weeks”: it has now been 90 days since he sent his first email. According to him, “the vulnerability itself is not patched and paid apps can still be downloaded for free”. The most serious thing, in his view, is that “developers using Huawei’s services were also not notified of this vulnerability”.
Dylan Roussel states that “Huawei has acknowledged the vulnerability”: he was offered a bounty, which he says he refused.
The news comes at a bad time for Huawei, since the Chinese manufacturer announced new products today: the Mate Xs2 folding smartphone, the Watch Fit 2, Band 7 and Watch D connected bracelets, the Watch GT 3 Pro watch, as well as the S-Tag activity tracker.