A vulnerability in Huawei’s App Gallery currently allows paid Android apps to be obtained free of charge, reports Dylan Roussel, who discovered the flaw. Among other things, Roussel works for the 9to5Google portal. Huawei confirmed the error and intends to fix it by May 25, 2022. The App Gallery is the official way to install Android apps on current Huawei smartphones, because Huawei is still banned from using Google services – including the Play Store.

The App Gallery offers paid and free apps. A Huawei billing system is used to purchase paid apps.

According to Roussel, he discovered a vulnerability in the API of the App Gallery Store that allows download links for paid Android apps to be obtained without having to pay for them. Roussel was able to do this successfully with various apps. In one case, the app had its own check routine to determine whether it had been purchased correctly. This could be installed, but not used.

This is how Huawei dealt with the error

Roussel states that he reported the bug to Huawei back in mid-February 2022. As requested by the company, he pointed out the error to Huawei in a PGP-encrypted email. Five hours later, Huawei reported and said it would investigate the error.

Golem Academy
  1. Elastic Stack Fundamentals – Elasticsearch, Logstash, Kibana, Beats: 3-day virtual workshop
    06/14-16/2022, Virtual
  2. Linux system administration basics: virtual five-day workshop
    May 16-20, 2022, virtual

More IT training

To Roussel’s amazement, the Huawei email in question was not PGP-encrypted. The company asked not to make the error public before the analysis at Huawei was completed. Huawei asked Roussel for a plan on when the vulnerability would be made public.

He gave Huawei five weeks and asked to be informed about further developments – Huawei had promised that. Roussel noted that five weeks later, the bug hasn’t been fixed and he hasn’t received any communications from Huawei. He then sent two more emails to which there was no response from Huawei.

No response from Huawei after 13 weeks

Roussel decided to give Huawei more than the five weeks it had planned. He ended up waiting 13 weeks without Huawei responding. He then informed Huawei that he would publish the vulnerability shortly. As far as he is aware, Huawei has not informed app providers about the vulnerability in the App Gallery.

Huawei reacted only one day before the planned announcement of the vulnerability in the App Gallery, but did not provide a fix. The company only confirmed the error. Only after the vulnerability became public did Huawei announce when the bug would be fixed – and that should happen by May 25, 2022.