March 30, 2023

SHSU Houstonian Online


Huawei AppGallery vulnerability allows downloading paid apps for free

Due to an API vulnerability, users of Huawei’s own app store, AppGallery, can currently download apps for free that actually cost money. Huawei promises to solve the problem before May 25th.

Because of the weakness, discovered by developer Dylan Russell, the API returns a report in JSON format that contains an APK download link for an app of the requester's choice. Since AppGallery applies no further security on this path, it does not matter whether the user has paid for an app or not. Russell was able to successfully install many paid apps thanks to the vulnerability. Only the game that checked the license itself after installation did not work; developers can thus guard against the vulnerability themselves.

According to Russell, however, the cause of the problem lies squarely with Huawei: AppGallery does not apply any further security or authentication. Developers may lose a lot of revenue as a result and be exposed to software piracy.
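The missing server-side check described above, as an added example that is not from the article, from Russell or from Huawei: a hypothetical store backend that puts the APK link in the JSON response only for entitled users and signs it so the file server can verify it. All names, sample data and the link format are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data: hypothetical catalogue and purchase records.
CATALOGUE = {"com.example.paidgame": {"price": 4.99, "apk": "/apk/paidgame.apk"},
             "com.example.freeapp": {"price": 0.0, "apk": "/apk/freeapp.apk"}}
PURCHASES = {("alice", "com.example.paidgame")}
LINK_KEY = b"demo-only-signing-key"   # placeholder secret, not a real key
LINK_TTL = 300                        # seconds a download link stays valid


def app_details_vulnerable(user, package):
    """Weak pattern: the JSON response always carries the APK link."""
    app = CATALOGUE[package]
    return {"package": package, "price": app["price"], "download": app["apk"]}


def sign_link(user, path, expires):
    """HMAC over user, path and expiry, so a link cannot be reused or shared."""
    msg = f"{user}|{path}|{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def app_details_hardened(user, package, now=None):
    """Only authenticated, entitled users get a link; it is user-bound and expires."""
    now = int(time.time()) if now is None else now
    app = CATALOGUE[package]
    resp = {"package": package, "price": app["price"]}
    entitled = app["price"] == 0 or (user, package) in PURCHASES
    if user is not None and entitled:
        exp = now + LINK_TTL
        sig = sign_link(user, app["apk"], exp)
        resp["download"] = f"{app['apk']}?u={user}&exp={exp}&sig={sig}"
    return resp


def serve_apk(user, path, exp, sig, now=None):
    """The file server re-checks signature, user binding and expiry."""
    now = int(time.time()) if now is None else now
    ok = hmac.compare_digest(sig, sign_link(user, path, int(exp)))
    return ok and now <= int(exp)
```

The license check inside the app that the article mentions remains a second layer on the developer's side; this sketch covers only the store's side.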

Huawei was informed immediately; Russell discovered the vulnerability in February and initially received a quick response from the Chinese company. After the issue was not resolved, he sent follow-up emails, which had still not been answered 13 weeks after the initial email. Meanwhile, Huawei has acknowledged the vulnerability and is working on a fix that should be implemented in all regions within a few days.

Because of US government sanctions, Google has not provided services to Huawei since the end of 2019, which effectively barred the Chinese brand from Android and the Play Store, among other things. Meanwhile, Huawei has alternatives to most of the services, including AppGallery as its own app store.
