This Flaw On Huawei's AppGallery Allows Paid Apps To Be Downloaded For Free

Huawei AppGallery is an app store that distributes Android apps on the Google-developed Android operating system, Huawei's HarmonyOS and Microsoft's Windows 11.

While it isn't as large as the Google Play Store, and is still regarded as a "third-party app store" because it isn't Google's app store, the AppGallery is among the most popular app stores out there.

It has more than 500 million active users on about 700 million Huawei devices in over 170 countries and regions, and about 1.6 million developers.

In total, it reached 350 billion installs in 2020.

AppGallery has had an 83% yearly increase in app distribution, thanks to it being preinstalled on all new Huawei mobile devices that have lost access to Google Mobile Services (GMS) and other Google apps due to the China-U.S. trade sanctions imposed in 2019.

Because Huawei couldn't use Google services in some of its newer devices, the company started promoting the pre-installed AppGallery extensively.

But there are issues.

First, since Huawei is forced to use its own proprietary Huawei Mobile Services (HMS), without GMS and other Google products, Huawei is on its own to protect its ecosystem.

Second, Huawei has the utmost control. This means Huawei is totally responsible for updating and patching its products regularly, especially when security is a concern.

And this is where it failed.

A severe bug was found in Huawei’s AppGallery store that makes it possible for people to download paid Android apps without having to spend any money.

In other words, all apps in the app store can be downloaded for free, no strings attached.

The flaw was found by Android security researcher Dylan Roussel, who said in a report that the underlying API of Huawei’s AppGallery store offers no protection for paid applications.

Roussel himself was able to download and use multiple paid apps by exploiting this vulnerability.

Because of this, without needing to pay for a particular app or even so much as log into an account, it’s reportedly possible to obtain a valid APK download link for paid apps.

What makes it concerning is not only the flaw itself, but also Huawei's response.

The company, which has been made aware of the vulnerability and has acknowledged it, didn't provide a plan or timeline to solve the issue.

A JSON response for the app AppGallery provides various fields as expected. The unexpected part is the URL field (red arrow), which allows people to download an app in its APK form. (Credit: Dylan Roussel/evowizz.dev)
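A sketch of the kind of server-side check the report says was missing, as an added example that is not Huawei's code or taken from Roussel's write-up. The field names, catalogue, purchase records and signing key are constructed assumptions, and `user_id` is assumed to come from an already-verified session.

```python
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: secret held only by the store backend
LINK_TTL = 300                         # assumption: signed links live for 5 minutes

# Constructed catalogue and purchase records, for illustration only.
CATALOG = {
    "com.example.free": {"name": "Free App", "price": 0.0, "url": "/apk/com.example.free.apk"},
    "com.example.paid": {"name": "Paid App", "price": 4.99, "url": "/apk/com.example.paid.apk"},
}
PURCHASES = {("user-1", "com.example.paid")}


def details_vulnerable(app_id):
    """The flaw as reported: every caller gets the download URL, paid or not."""
    return dict(CATALOG[app_id])


def _sign(path, uid, expires):
    msg = f"{path}|{uid}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def details_hardened(app_id, user_id=None, now=None):
    """Return metadata to anyone; add a download link only for entitled callers."""
    now = int(time.time()) if now is None else now
    app = CATALOG[app_id]
    resp = {k: v for k, v in app.items() if k != "url"}
    # Paid apps require a recorded purchase; an unauthenticated caller never matches.
    entitled = app["price"] == 0 or (user_id, app_id) in PURCHASES
    if entitled:
        uid = user_id or "anonymous"
        exp = now + LINK_TTL
        sig = _sign(app["url"], uid, exp)
        resp["url"] = f"{app['url']}?uid={uid}&exp={exp}&sig={sig}"
    return resp


def download_allowed(path, uid, exp, sig, now=None):
    """Download-server check: the signature must match and the link must not be expired."""
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(sig, _sign(path, uid, int(exp))) and now <= int(exp)
```

Binding the link to a user and an expiry means a URL copied out of one response cannot be reused indefinitely or by another account.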

According to Roussel:

"After searching for 'Huawei vulnerability contact,' I ended up on a page which advises you to use a PGP key to contact them. So, on February 17, using the PGP key I sent an email to Huawei explaining how I found the API, and what it returned, and why it was a vulnerability. They replied to my email just 5 hours later (in an unencrypted email, which also contains a copy of my original email) by saying they would investigate the issue, and by asking me not to disclose the issue before the analysis is complete. They also asked me to provide a disclosure plan in case I had any. I decided to give them 5 weeks, and also asked them to keep me up to date on the issue, to which they agreed."

"After 5 weeks, the issue was still not fixed. I sent them 2 emails: one a few days before the final day, and one a few days after. They didn't reply to either of them. At this point I could have posted the issue publicly, but I decided to keep it private and wait a few more weeks as I realized that 5 weeks may not have been enough."

This issue caused a lot of trouble for developers who wish to earn money for their hard work.

Because of this, some have put a temporary workaround in place, such as adding an additional means of protecting their apps through DRM, like the AppGallery DRM Service.

Later in an update, Roussel said that Huawei finally contacted him with a timeline to fix the AppGallery. The Chinese tech giant also apologized for the miscommunication and the late reply. Because the AppGallery works differently depending on the region, and due to various other factors, it's taking Huawei a few weeks to fix it.

The vulnerability should be fixed for everyone by May 25th.

Published: 23/05/2022