May. 19th 2022 8:35 am PT
A newly discovered flaw in Huawei’s AppGallery store makes it possible for paid Android apps to be downloaded for free, but a fix is on the way.
Given the ongoing sanctions against Huawei that prevent the phone maker from using Google’s services (among other things), the company’s own suite of apps and services has been critically important. This includes the AppGallery store, which allows for distributing Android apps without the Google Play Store. The AppGallery offers both free applications and premium apps that need to be paid for.
In a new exploit discovered by Android developer (and 9to5Google contributor) Dylan Roussel, the underlying API of Huawei’s AppGallery store offers no protection for paid applications. Without needing to pay for a particular app or even so much as log into an account, it’s reportedly possible to obtain a valid APK download link for premium apps. In effect, this exploit in Huawei’s AppGallery could be used for app piracy.
Huawei has been made aware of the vulnerability and has acknowledged it, but the company has not yet shared any plans or timeline for the issue to be fixed.
Update 5/19: In an update to the vulnerability writeup, Huawei has told Roussel that a fix for this issue should be available for everyone by May 25. It’s not clear if this will require an update to the AppGallery app on Huawei phones or require any work on the part of developers.
In the meantime, if you’re an app developer with a paid app in Huawei’s AppGallery, your best bet would be to ensure that you have an additional means of protecting your application through DRM, such as the AppGallery DRM Service. This sort of protection is good practice, anyway, as a paid app without DRM protection could be freely distributed to others after only a single purchase.
Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and Stadia.