- Apr 24, 2016
Huawei's AppGallery is a proprietary replacement for the Google Play Store, developed in response to the OEM's blockade from using Android and its ecosystem. The company has been very proactive in wooing developers to make versions of their products for this new market - paid ones included. However, according to 9to5 contributor Dylan Roussel (also known as evowizz), they very nearly shouldn't have bothered.
Roussel - also a developer - became interested in the AppGallery API and how it functioned, eventually finding a parameter to elicit a JSON response from the interface. It contained information such as version numbers, product IDs and permissions, as one might expect - as well as another one might not: a field for a URL.
Not just any old URL, of course, but the one pointing to a (typically working) download link, regardless of whether the app was paid or not and in the absence of any signing or verification in the latter case. Roussel proceeded to contact Huawei and inform it of this potentially severe and revenue-draining bug.
The OEM responded "5 hours later" - albeit reportedly via an "unencrypted" email - assuring Roussel that it would investigate the potential vulnerability without delay and requesting that he not disclose it at that time. However, the developer asserts that it remained unpatched - and still in effect - for the 13 weeks following his initial February 17, 2022 report.
Roussel goes on to report that Huawei let an initial March 25 disclosure deadline pass without doing anything about the problem, finally acknowledging and IDing the vulnerability on May 18. The dev also waited until this date to make it public, asserting at the time that the problem "isn't fixed".
To date, there is no information on the exploit having actually been enacted, or which paid-version apps may have been affected if so.