Following the US ban, Huawei lost access to Google services. As a result, it had to invest more resources into its own software, Huawei Mobile Services (HMS), for use on its smartphones. Part of that is the Huawei AppGallery, the company’s alternative to the Google Play Store. Now, the whole point of an app store is to distribute software, and that includes collecting money for paid titles. Unfortunately for Huawei, a flaw seems to allow users to download paid apps for free.

Android developer Dylan Roussel was poking around the app store’s API when he found a vulnerability that caused it to return APK download links for both free and paid applications (via 9to5Google). He was able to download the paid apps through those links, install them, and use them without any hassle.

To ensure it wasn’t a license verification issue with one app, he repeated the process with multiple apps — the results were the same, confirming that the flaw was indeed on Huawei's end. Further substantiating the discovery, one game he tested had a license check that did manage to prevent him from using it — the exception that proves the rule.

The vulnerability is huge for several reasons. Aside from Huawei and developers possibly losing revenue, app pirates could exploit the flaw to access premium titles for dubious purposes. Roussel initially contacted Huawei soon after finding the flaw back in February. He offered them 5 weeks to sort this out, but after what was basically radio silence for 13 weeks, he's finally making his findings public.

If you’re a developer with a paid app on the Huawei AppGallery, you should definitely think about adding an extra means of protection to your software, like the AppGallery DRM Service SDK. That checks whether a user has purchased your app as soon as they open it, and if they haven’t, prompts them to do so. It’s also a good way to ensure the app isn’t freely distributed to others after a single purchase.
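To make the distinction concrete, here is an added illustration (not code from Huawei, 9to5Google or Roussel, and not the real AppGallery or DRM Service SDK API) of the store-side pattern the article describes: an endpoint that hands out download links without an entitlement check, next to one that checks the purchase ledger first and then issues a short-lived, HMAC-signed link that the CDN can verify before serving bytes. The catalogue, the purchase records, the secret key and the `cdn.example.invalid` host are all constructed sample data for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: a hypothetical store model, not Huawei's actual schema.
CATALOG = {
    "com.example.freeapp": {"price_cents": 0, "apk": "freeapp-1.0.apk"},
    "com.example.paidgame": {"price_cents": 499, "apk": "paidgame-2.3.apk"},
}
PURCHASES = {("alice", "com.example.paidgame")}   # (user, app_id) pairs that paid
SECRET_KEY = b"constructed-demo-key-not-for-production"  # assumed server-side secret
LINK_TTL_SECONDS = 300                                   # assumed link lifetime


def is_entitled(user: str, app_id: str) -> bool:
    """True if the app is free or the user has a recorded purchase."""
    entry = CATALOG.get(app_id)
    if entry is None:
        return False
    return entry["price_cents"] == 0 or (user, app_id) in PURCHASES


def download_link_unchecked(user: str, app_id: str) -> Optional[str]:
    """The flawed pattern: any catalogued app gets a link, paid or not.
    The 'user' argument is accepted but never consulted."""
    entry = CATALOG.get(app_id)
    if entry is None:
        return None
    return f"https://cdn.example.invalid/apk/{entry['apk']}"


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def download_link_checked(user: str, app_id: str, now: Optional[int] = None) -> Optional[str]:
    """Hardened pattern: refuse unless entitled, then issue a signed, expiring link
    bound to this user and app so it cannot be reused or handed to someone else."""
    if not is_entitled(user, app_id):
        return None
    now = int(time.time()) if now is None else now
    expires = now + LINK_TTL_SECONDS
    sig = _sign(f"{user}|{app_id}|{expires}")
    apk = CATALOG[app_id]["apk"]
    return (f"https://cdn.example.invalid/apk/{apk}"
            f"?u={user}&app={app_id}&exp={expires}&sig={sig}")


def verify_link(url: str, now: Optional[int] = None) -> bool:
    """What the CDN edge runs before serving the APK: check expiry and signature.
    Any change to user, app or expiry invalidates the signature."""
    q = parse_qs(urlparse(url).query)
    try:
        user, app_id = q["u"][0], q["app"][0]
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if now > expires:
        return False
    return hmac.compare_digest(_sign(f"{user}|{app_id}|{expires}"), sig)


if __name__ == "__main__":
    print("unchecked, unpaid user:", download_link_unchecked("mallory", "com.example.paidgame"))
    print("checked, unpaid user:  ", download_link_checked("mallory", "com.example.paidgame"))
    link = download_link_checked("alice", "com.example.paidgame", now=1000)
    print("checked, paying user:  ", link)
    print("valid within TTL:", verify_link(link, now=1100), "| after TTL:", verify_link(link, now=2000))
```

The entitlement check lives on the server, where the client cannot skip it; the signed link adds a second layer so that a link obtained legitimately cannot simply be copied and replayed later. An in-app check like the DRM SDK the article recommends complements this, but it runs on a device the developer does not control, so the server-side check is the one that actually stops unpaid downloads.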