Android app developer Dylan Roussel discovered a bug that, while non-trivial to exploit, isn’t impossible either. In a nutshell, Huawei’s AppGallery exposed certain details about an app, including the download link for the Android package (APK). While that may be normal, the bug is that the same link can be used to directly download a paid app without having to pay for it or even having to verify anything.
This bug has two damaging consequences for Huawei’s app marketplace. The first is more obvious in that anyone with a bit of technical know-how can easily bypass restrictions and download paid apps for free. The bigger threat, however, is that the AppGallery makes it too easy to download apps, both paid and free, outside of official channels, which in turn makes it too easy to pirate apps on that platform. This creates a very large deterrent for developers who may not bother putting in the work needed to offer their apps for Huawei’s ecosystem.
This vulnerability was discovered and reported back in February 2022, but it took Huawei 90 days to send a response. The company did apologize for the miscommunication and delay, citing logistics problems in fixing AppGallery across different regions since it apparently works very differently, too. A fix is promised to arrive by May 25, but the bug’s existence still raises concerns about similar issues that may be lurking in the shadows still undiscovered.