Huawei App Store Bug Gives Anyone A Free Pass At Paid Apps

It seems that Huawei just can't catch a break. Just when it was about to become the world's top smartphone maker, it was hit with an almost fatal U.S. sanction that brought both its mobile and networking equipment businesses down to their knees. The company has continued making smartphones, of course, using every loophole it could find. It also started building a software and business ecosystem to become more independent of Google and other U.S. products. That has been working so far, at least in markets where Google has very little presence in the first place, but a new vulnerability could cause Huawei issues and cost the developers it is trying to court a lot of money.

Huawei started its Huawei Mobile Services (HMS) as a direct stand-in for Google's equivalent on Android. It includes apps and services that both developers and end-users can access to have a more convenient and more pleasurable mobile experience, including a Huawei ID for tying these services together, cloud storage for app data, an AI-powered assistant, and even Petal Search and Petal Maps to replace Google Search and Maps. Of course, it also has an app store, though the Huawei AppGallery existed long before all this drama started, which is typical of other Chinese smartphone brands like Oppo and Xiaomi.

The strength of an app store, however, relies heavily on the apps available for it. In China, where the Google Play Store is virtually non-existent, people are used to getting their mobile fix from something like Huawei AppGallery. In global markets, however, Huawei has been working hard to get developers onboard another platform when they already have to support Google Play Store and, perhaps, Apple's App Store. A still-existing bug, however, might give developers a big reason to stay away from Huawei's offering, especially if they will potentially lose money by investing in the company's ecosystem.

Accidentally getting paid apps for free

Android app developer Dylan Roussel discovered a bug that, while non-trivial to exploit, isn't impossible either. In a nutshell, Huawei's AppGallery exposed certain details about an app, including the download link for the Android package (APK). While that may be normal, the bug is that the same link can be used to directly download a paid app without having to pay for it or even having to verify anything.
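The underlying weakness described above is a download endpoint that trusts a link exposed by the app-details API instead of checking whether the caller has actually bought the app. The following is an added, hypothetical model written for this article, not Huawei's code or anything derived from the report: it puts the weak pattern (metadata hands out a raw APK location that the download handler serves to anyone) beside a hardened one, where the details response only carries an HMAC-signed, short-lived download token for callers who are entitled to the package, and the download handler re-checks entitlement before serving. All package names, paths, users and the signing key are constructed sample values.

```python
"""Hypothetical app-store metadata/download service (not Huawei's code),
contrasting an unguarded download link with an entitlement-bound token."""
import hashlib
import hmac
import time

# Constructed sample catalogue and purchase records (hypothetical values).
CATALOGUE = {
    "com.example.paidapp": {"price_cents": 299, "apk_path": "/apks/com.example.paidapp-42.apk"},
    "com.example.freeapp": {"price_cents": 0, "apk_path": "/apks/com.example.freeapp-7.apk"},
}
PURCHASES = {("alice", "com.example.paidapp")}  # (user, package) pairs that were paid for
SIGNING_KEY = b"constructed-server-secret"       # a managed secret in a real deployment
TOKEN_TTL = 300                                  # seconds a download token stays valid


def insecure_app_details(package):
    """Weak pattern: the details response leaks the raw APK location."""
    meta = CATALOGUE[package]
    return {"package": package, "price_cents": meta["price_cents"],
            "download_url": meta["apk_path"]}


def insecure_download(path):
    """Weak pattern: any caller holding the path is served; price and
    purchase records are never consulted. Returns True if the file is served."""
    return any(m["apk_path"] == path for m in CATALOGUE.values())


def is_entitled(user, package):
    """Free apps are open to everyone; paid apps require a purchase record."""
    meta = CATALOGUE[package]
    return meta["price_cents"] == 0 or (user, package) in PURCHASES


def _sign(user, package, expiry):
    # Identifiers are assumed not to contain the '|' separator.
    msg = f"{user}|{package}|{expiry}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def secure_app_details(user, package, now=None):
    """Hardened pattern: the details response never contains a usable APK
    location; it carries a signed, expiring token only for entitled callers."""
    now = int(now if now is not None else time.time())
    meta = CATALOGUE[package]
    resp = {"package": package, "price_cents": meta["price_cents"]}
    if is_entitled(user, package):
        expiry = now + TOKEN_TTL
        resp["download_token"] = f"{user}|{package}|{expiry}|{_sign(user, package, expiry)}"
    return resp


def secure_download(token, now=None):
    """Serve the APK path only for a well-formed, correctly signed, unexpired
    token whose user is still entitled (re-checked to honour refunds or
    revocations). Returns None when any check fails."""
    now = int(now if now is not None else time.time())
    try:
        user, package, expiry, sig = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(user, package, expiry)):
        return None
    if now >= expiry:
        return None
    if package not in CATALOGUE or not is_entitled(user, package):
        return None
    return CATALOGUE[package]["apk_path"]
```

The design point is that the link in the details response must not itself be the authorisation: entitlement is decided server-side at both the metadata and the download step, and the token is bound to a user, a package and an expiry so it cannot be shared indefinitely.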

This bug has two damaging consequences for Huawei's app marketplace. The first is more obvious in that anyone with a bit of technical know-how can easily bypass restrictions and download paid apps for free. The bigger threat, however, is that the AppGallery makes it too easy to download apps, both paid and free, outside of official channels, which in turn makes it too easy to pirate apps on that platform. This creates a very large deterrent for developers who may not bother putting in the work needed to offer their apps for Huawei's ecosystem.

This vulnerability was discovered and reported back in February 2022, but it took Huawei 90 days to send a response. The company did apologize for the miscommunication and delay, citing logistics problems in fixing AppGallery across different regions since it apparently works very differently, too. A fix is promised to arrive by May 25, but the bug's existence still raises concerns about similar issues that may be lurking in the shadows still undiscovered.