Limitations of Huawei HarmonyOS Safety Detect: What You Need to Know

This overview outlines the development and adoption of Huawei HarmonyOS and the associated security solution Safety Detect, highlighting some limitations with the approach. As regulations such as the EU DMA force the use of alternative app stores, the dependence of Huawei security features on the use of the Huawei AppGallery app store and ecosystem will also prove to be problematic for developers. We also compare and contrast Huawei HarmonyOS Safety Detect with the comprehensive mobile security offered by Approov. 

The History and Adoption of HarmonyOS

HarmonyOS was launched in 2019 – initially as an OS for IoT devices, but later adapted to run on smartphones and other hardware. Huawei intends that the OS will offer a unified experience across wearables, tablet computers, smartphones, and smart TVs.

HarmonyOS 2.0 was launched in September 2020 and rolled out during 2021. In 2022, Huawei launched HarmonyOS 3 providing an improved experience across multiple devices such as smartphones, tablets, printers, cars and TVs. Release 4 came in 2023.

Initially HarmonyOS was compatible with Android but in early 2024 Huawei launched HarmonyOS Next, claiming that the whole stack is now Android-free and includes a kernel that can outperform Android.

Ecosystem adoption will of course be critical and this seems to also be on track. Huawei says it is in the process of training millions of developers and claims to have secured thousands of native apps to run on the OS, including some of the most popular apps in China.

Huawei has also created an "open" version of HarmonyOS Next so that third parties can use the OS to power their own devices. If this is successful, it could create a viable alternative to the Android/iOS duopoly.

Huawei's revived smartphone range is positioned as a patriotic alternative for Chinese buyers and is achieving significant penetration in China. It is also getting significant traction in other markets and HarmonyOS is already the third largest mobile operating system in terms of market share.

It is increasingly looking like support of HarmonyOS will be a requirement for any app developers who have global ambitions.

The Importance of Mobile App Security and Attestation

There are two fundamental problems with mobile apps: The first is that they can be reverse engineered, even if attempts have been made to obfuscate code. The second is that they run in a client environment which is neither owned nor controlled by the app owner. 

This means that unless steps are taken, apps themselves can be analyzed, understood, cloned or copied, and the environments they run in can be hacked, rooted, instrumented and manipulated to interfere with the operation of an app. 

Using these attack surfaces, hackers can directly intercept or tamper with data transferred between the app and its servers, intercept or manipulate financial transactions, or simply interfere with or stop the operation of the service. 

Manipulated apps can be repackaged and redistributed with malware. Repackaged apps can be turned into automated tools (i.e. bots) to be used to attack APIs and backend servers. Secrets can also be lifted from apps then used in scripts to create bots. Bad actors use these techniques to carry out brute-force attacks, exploiting API vulnerabilities to steal data, or mount DDoS attacks. 

So it's no surprise that trying to prevent apps and devices from being tampered with must be at the heart of any security strategy designed to protect mobile apps. However, this is only a fraction of the whole story, as we discuss below. App and device attestation are an essential piece of the puzzle but not sufficient in themselves. 

Different services are available to provide app attestation. Huawei provides some app attestation and client integrity checks via Safety Detect. Approov provides an end-to-end mobile app security solution which includes app and device integrity checking. The rest of this paper compares the two solutions.

History of HarmonyOS Safety Detect

Huawei's Safety Detect was officially launched in 2019 as part of Huawei Mobile Services (HMS) Core, designed to provide a range of security features to app developers. Huawei’s device checking SysIntegrity closely resembles Android SafetyNet, both in terms of the API and the attestation process.

The launch timeline includes several updates and enhancements over the years:

1. 2019: Introduction of Safety Detect, offering basic security features such as SysIntegrity, AppsCheck, URLCheck, and UserDetect. These functions help in verifying system integrity, detecting malicious apps, checking URLs for potential threats, and distinguishing between human users and bots.
2. 2019-2020: Continuous updates to enhance the security features, making it more robust and integrating deeper with HMS Core to provide comprehensive security solutions for developers.
3. 2021-2022: Further improvements and expansions in functionality, including enhanced API capabilities and better integration with other Huawei services (Huawei Developer - Safety Detect) (Huawei Developer - Safety Detect (Android)).

In parallel, including an app in the Huawei AppGallery requires developers to undertake a comprehensive validation with Huawei which checks for malware, malicious code and other issues before the app is accepted for release.

What Problem Does HarmonyOS Safety Detect Aim to Address?

HMS Core Safety Detect Kit is intended to provide safety features which allow developers to focus on app development. It is a multi-feature security detection service which uses the Trusted Execution Environment (TEE) on Huawei phones.

Separately, if your app needs to be released to AppGallery, it must pass a series of validation tests which inspect for malware and other threats. Huawei uses signing information such as the digital certificate (in .cer format) and profile (in .p7b format) to ensure app integrity. certificate and release profile to sign the app before releasing it.

Currently, Safety Detect offers four features: SysIntegrity (system integrity check), UserDetect (fake user detection), AppsCheck (app security check), and URLCheck (malicious URL check).

SysIntegrity

SysIntegrity can check whether the user’s device is rooted, unlocked, or has escalated privileges, and thus help developers evaluate whether to restrict their apps’ behavior to avoid information leakage or financial loss of the user during user actions such as making an online payment or sending an email. The TEE allows apps with SysIntegrity integrated to be run in an isolated environment.

UserDetect

UserDetect can identify fake users based on screen touch and sensor behavior, as well as prevent batch registration, credential stuffing attacks, bonus hunting, and content crawlers through the use of CAPTCHA. 

AppsCheck

AppsCheck is intended as anti virus protection. It can obtain a list of malicious apps on the user’s device. The developer can then evaluate the risks and either warn the user about such risks or prompt the user to exit the app.

URLCheck

Intended to provide users with a secure Internet browsing experience, URLCheck allows apps to quickly check whether a URL that a user wants to visit is a malicious one.

There is a fifth API Wifi Detect which is intended to detect possible attacks from malicious Wi-Fi to your app but this is currently only available in mainland China.

How Does Safety Detect Work?

You integrate the Core HMS SDK into your app and set up API calls in your app code for each of the services - SysIntegrity, AppsCheck, URLCheck and UserDetect. Your application interprets the returned result and decides what action to take.

What Problems Does HarmonyOS Safety Detect Not Address?

Safety Detect is limited to the Huawei ecosystem. In addition, it does not provide runtime app attestation and we will also see in the next section that there are some limitations in the way that Huawei Harmony Safety Detect checks device integrity. In order to be effective, it must be part of a broader security effort. 

If we use, for example, the OWASP MASVS (Mobile Application Security Verification Standard) framework in order to assess end-to-end mobile app security, Huawei Harmony Safety Detect partially addresses the guidelines in the category MASVS-RESILIENCE which is only one of seven categories in the guidelines. MASVS-RESILIENCE aims to ensure that the app is running on a trusted platform, prevent tampering at runtime and ensure the integrity of the app’s intended functionality.

In particular these are two other things you will need to take care of:

• Network and Channel Security: The APIs and the communication channel between apps and APIs must also be protected.
  
  
• Management and Security of API Keys and Secrets: The secrets used to authenticate and authorize access to backend services from mobile apps must be protected from being stolen and abused.

Now we understand the scope, let's look specifically at the app attestation and device integrity checks provided by Huawei and compare them with Approov Mobile Security.

What are the Limitations of HarmonyOS Safety Detect versus Approov?

• HarmonyOS Safety Detect only works in the Huawei ecosystem

• • Obviously the Huawei solution only works with Huawei devices and does not work with iOS or other client/app ecosystems. Safety Detect features only work if the HarmonyOS SDK is installed in your app. Implementing diverging security solutions for HarmonyOS, Android and iOS does not align well with efforts to save development and maintenance costs by using cross-platform development tools such as Flutter and React Native. 
  • Approov covers all the devices that could be accessing your APIs, including Android, iOS, WatchOS and HarmonyOS. Approov also integrates easily with a number of cross-platform solutions including Flutter and React Native.

• It Needs HarmonyOS to Work
   
  • Safety Detect requires HMS Core Services and the HarmonyOS TEE. 
  • Approov works with any mobile environment and does not depend on native services.

• Limited Runtime App Attestation
   
  • To be available on the Huawei AppGallery your app has to pass a 4 step validation process outlined here, which does issue a signature key for your app. Safety Detect SysIntegrity can return the SHA256 of the app package but it is not clear from the documentation how to use this to verify the app accessing your APIs is genuine since the SysIntegrity API is called by the app itself.
  • Approov provides a patented and unique remote attestation approach, where the running app must prove itself to be genuine through a sequence of integrity measurements. These results are then sent to the Approov cloud service using a patented challenge-response protocol, immune from replay attacks. The Approov service decides if an app is genuine or not.

• Client Issues are as Defined by the Safety Detect SysIntegrity API (Not by You)
   
  • A client environment is defined as problematic by Huawei, not by the app developer - Only the following integrity check results are reported:
    • unlocked: indicates that the device is unlocked
    • root: indicates that the device is rooted 
    • emulator: an emulator is in use
    • attack: indicates that the device

As with Google PlayIntegrity, details of the inner workings are not disclosed and information on how to interpret the results is limited. This lack of granularity and visibility over what is checked could be an issue.

• • Approov provides a rich set of device attestation checks which are regularly updated as new threats emerge. Rooted and jailbroken phones are detected. Frameworks and hooking environments such as Cycript, Cydia, Xposed, Frida, Magisk, Zygisk are all detected. What is acceptable can be controlled with a high level of granularity via over the air policy updates.

• Safety Detect Doesn't Prevent Man-in-the-Middle (MitM) Attacks
   
  • Mobile phones are particularly prone to Man-in-the-Middle attacks on the channel between the app and the API, even if the traffic is encrypted. HarmonyOS Safety Detect does not prevent this type of attack.
  • Approov Dynamic Certificate Pinning protects the channel from mobile Man-in-the-Middle attacks and makes it easy to manage certificates over the air, without needing code changes or forcing users to update their app version as a result. 

• Regional Restrictions
   
  • Some features of Huawei HarmonyOS Safety Detect are restricted or less effective in certain regions due to regulatory and compatibility issues. Some features are implemented differently in different regions, for example in mainland China. This can impact the global applicability of the security measures provided as well as making life complicated for developers.
  • Approov is deployed worldwide and works consistently while also conforming with local regulations.
    
    
• User Privacy Concerns
  
  
  • As with any security tool that collects and analyzes user data to detect threats, there are potential privacy concerns. Users and developers must be aware of data handling practices and ensure compliance with privacy regulations.
  • Approov complies with GPDR and other privacy regulations and never collects and stores any personal information. 

• Performance Overhead and Protection from DDoS Attacks
   
  • Implementing comprehensive security checks can introduce performance overhead, potentially affecting app performance and user experience, leaving services prone to DDoS attacks. Developers need to balance security with usability to maintain optimal app functionality. Google and Apple both provide information on the limitations on the number and frequency of integrity checks which can be performed but Huawei currently does not discuss this topic.
  • Approov has no quotas or thresholds on traffic and can easily scale to support millions of active mobile apps, always providing a consistently high performance. Because of this, Approov is always ready to sign up to stringent performance SLAs with our enterprise customers.

• HarmonyOS Safety Detect Doesn't Stop API Secrets From Being Stolen and Abused
   
  • Huawei HarmonyOS currently does nothing to get secrets out of your app code. It also does not provide any help in keeping your apps running when secrets are compromised, e.g. allowing you to dynamically rotate stolen API keys. Huawei does separately offer a cloud secrets management service but it doesn't work with HarmonyOS to validate integrity checks before delivering secrets to an app. 
  • Approov provides a separate secrets management solution that manages API keys and certificates securely in the cloud, delivering them “just-in-time” only when app and device integrity checks are passed. It also allows them to be easily rotated via over-the-air updates if they are compromised elsewhere. 

• Development Challenges
   
  • The Implementation of Safety Detect requires app developers to defend API calls at a function level, meaning nothing is protected out of the box. Developers need to review/audit all of the API call points and make modifications to many of them. Each API request that should be secured, needs to be secured explicitly. Developer documentation is currently limited. 
  • Approov deployment is easy and operation is also made easy via over the air updates. Approov quickstarts exist for all major mobile development platforms, providing fast integration. A networking interceptor model automatically adds an Approov token or secured API key to the required API requests without the developer needing to do much on the mobile client, the SDK handles this for you. Approov’s multi-platform approach also means a single and simple backend check can reject invalid traffic for any clients, e.g. Android, iOS, AppleOS, HarmonyOS: with HarmonyOS you would need to identify and handle HarmonyOS traffic separately within your server side code. 

Summary

Huawei HarmonyOS Safety Detect provides a suite of security features for mobile apps, particularly within the Huawei ecosystem. However, its limitations in integration, regional applicability, dependency on Huawei infrastructure, potential privacy concerns, performance impact, and occasional detection inaccuracies must be carefully considered and addressed by developers to ensure robust and reliable app security.

Approov Mobile App Protection ensures that all mobile API traffic does indeed come from a genuine and untampered mobile app, running in a safe environment. Doing this blocks all scripts, bots and modified or repackaged mobile apps from abusing an API. Approov supports any apps running on Android, iOS, WatchOS and HarmonyOS, providing comprehensive and powerful security with easy and consistent management across all supported platforms.