A vulnerability in Huawei’s app store API allows users to download paid apps for free.

Huawei smartphones run on Android, but rarely have access to the Google Play Store. The Chinese organization has been accused of espionage by the United States and several European countries, resulting in various sanctions. For example, Google is not allowed to cooperate with Huawei. To fill the gap, Huawei develops a proprietary app store, AppGallery.

Security researcher Dylan Roussel found a vulnerability in AppGallery’s API. The API allows users to retrieve app metadata, including version numbers, descriptions and prices. The API also returns a download link, making every app freely available.

The download link works for both free and paid apps. The API is accessible to everyone. There’s no need to penetrate a system; a single API call suffices. The solution is just as simple as the problem, but Huawei evidently missed the memo.
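As an added illustration (not code from the article, from Roussel or from Huawei), the design flaw described above beside a hardened variant: the weak endpoint ships the download location inside the public metadata reply, while the hardened design keeps metadata and download separate and only issues a short-lived signed link after an entitlement check. The catalogue, purchase table, function names and signing key are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed catalogue (hypothetical; not AppGallery's real data or endpoints)
CATALOG = {
    "app.free": {"version": "1.2.0", "price": 0.0, "download": "https://cdn.example/free.apk"},
    "app.paid": {"version": "3.0.1", "price": 4.99, "download": "https://cdn.example/paid.apk"},
}
# Constructed entitlement table: which user owns which paid app
PURCHASES = {"alice": {"app.paid"}}
SIGNING_KEY = b"server-secret-for-demo-only"  # assumption: held server-side only

def metadata_vulnerable(app_id: str) -> dict:
    """Weak design: the public, unauthenticated metadata call hands out the
    download link regardless of price or caller, so one request suffices."""
    return dict(CATALOG[app_id])

def metadata_hardened(app_id: str) -> dict:
    """Public metadata never carries the download location."""
    entry = CATALOG[app_id]
    return {"version": entry["version"], "price": entry["price"]}

def download_link(app_id: str, user: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Separate call: issue a short-lived signed URL only when the app is free
    or the caller has a recorded purchase; otherwise return nothing."""
    entry = CATALOG[app_id]
    if entry["price"] > 0:
        if user is None or app_id not in PURCHASES.get(user, set()):
            return None  # no entitlement, no link
    expires = int((now if now is not None else time.time()) + 300)
    msg = f"{app_id}|{user or ''}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{entry['download']}?user={user or ''}&exp={expires}&sig={sig}"

def verify_download(app_id: str, user: Optional[str], expires: int, sig: str,
                    now: Optional[float] = None) -> bool:
    """CDN-side check before serving the file: token unexpired and signature valid."""
    if (now if now is not None else time.time()) > expires:
        return False
    msg = f"{app_id}|{user or ''}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```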


Outrageous response

Dylan Roussel informed Huawei on February 17. Five hours later, Huawei acknowledged the report. The organization promised to investigate the vulnerability and asked Roussel not to share the finding with others until the investigation was completed.

Roussel decided to give the organization five weeks. Five weeks later, the problem was still present. Roussel sent several reminders, but the organization did not respond. As a result, the researcher decided to disclose the vulnerability in a blog post.

Huawei’s response is concerning. First of all, the organization fails to provide a secure way for researchers to report vulnerabilities. Huawei did not encrypt its confirmation email to Roussel, which violated the researcher’s privacy.

Second, the problem was raised thirteen weeks ago. The API remains vulnerable. The apps of hard-working developers are available for free. Their revenue model is put under pressure by a vulnerability that is laughably easy to fix.