How to download paid applications for free from Huawei AppGallery: New vulnerability found

Since then-U.S. President Donald Trump signed an executive order to apply restrictions on Chinese technology companies, Huawei has seen its aspirations to become one of the world’s largest smartphone makers cut short. Still, millions of people still use Huawei phones, which facing with the impossibility of using the Google Play Store, include a set of services instead.

The main attraction of these services is Huawei AppGallery, the company’s own app store that works essentially in the same way as the Play Store. Specialist Dylan Roussel has investigated the operation of the Huawei app, discovering an API that takes the name of a package as a parameter and returns a JSON object with the details of the application. This finding aroused Roussel’s curiosity, so he decided to continue investigating until he knew what else he could find.

For his tests, the researcher tested the API with the app package name AppGallery:

  "app": {
    "name": "AppGallery",
    "openCount": 0,
    "openCountDesc": "",
    "openurl": "",
    "permissions": [],
    "pkgName": "com.huawei.appmarket",
    "price": "0",
    "productId": "",
    "rateNum": "0",
    "recommImg": "",
    "releaseDate": "2022-04-20 17:03:53",
    "sha256": "2e1a1ce4e86cbfc87f05411a2585e557af78b893f6be85f8f6cb93f889faee05",
    "size": "50347219",
    "tagName": "",
    "updateDesc": "",
    "url": "",
    "version": "",
    "versionCode": 120101302

The API returns various details, including some IDs, app version, logos and other images, descriptions, system permissions, and pricing. In addition, the API also returns a URL to the app in AppGallery, from where it is possible to download the app.

After trying this search on a free app, it was time to try a paid app. Roussel used the package name of a paid app, also getting the download link with the same type of sign parameter at the end; at the conclusion of the test, the researcher was able to download the application and use it normally.

The researcher decided to continue with his tests to prove that this was not just a mistake. By using the package names of two apps and a mobile game, Russel was able to download and use these tools; It is worth mentioning that the game had a license check, which could not prevent the researcher from using the game without paying.

For Roussel, it is hard to believe that AppGallery is affected by such a simple error, considering that in repository stores the work of dozens of developers who seek profit through this medium.

The good news is that Huawei is already aware of this bug, although it will take a few more days to complete a functional solution. Everything is expected to be fixed by May 25.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.