Read the original article: How does HarmonyOS prevent packet capture?
Context
To ensure secure data transmission, both Android and iOS have implemented anti-sniffing measures to prevent users from stealing sensitive information using packet capture tools. HarmonyOS applications should adopt similar strategies to protect data integrity and confidentiality during communication with servers.
When an app communicates with cloud servers, third parties may use proxy tools like Fiddler or Charles to perform man-in-the-middle attacks—intercepting or tampering with requests and responses. Developers must implement anti-sniffing techniques to safeguard user and app data.
Description
To protect data during transmission, Android and iOS platforms have adopted anti-sniffing strategies to prevent users from stealing sensitive information via packet capture tools. HarmonyOS applications should also implement such measures. Applications exchange data with servers over the network. Ensuring the confidentiality and integrity of this data is crucial to prevent theft or tampering.
When accessing cloud servers, third-party tools like Fiddler and Charles can intercept and manipulate network traffic, posing security risks. Developers must implement anti-sniffing strategies to mitigate these threats.
Solution
- Ensure all network requests use the HTTPS protocol. HTTPS combines HTTP with SSL/TLS to provide encryption, certificate authentication, and data integrity. Compared to HTTP, HTTPS significantly enhances security and protects user privacy.
- Improve transmission security by disabling proxy usage and enabling certificate pinning to prevent packet sniffing.
- Disable Proxy Usage
Using NetworkKit, set usingProxy: false:
```typescript
import { http } from '@kit.NetworkKit';
import { BusinessError } from '@kit.BasicServicesKit';

let httpRequest = http.createHttp();
httpRequest.request("EXAMPLE_URL", {
  method: http.RequestMethod.POST,
  header: {
    'Content-Type': 'application/json'
  },
  extraData: "data to send",
  usingProxy: false, // Optional; by default, no network proxy is used. This property has been supported since API 10.
}, (err: BusinessError, data: http.HttpResponse) => {
  if (err) {
    console.error(`Request failed: code ${err.code}, message ${err.message}`);
  } else {
    console.info(`Response code: ${data.responseCode}`);
  }
  // Release the request object once the response has been handled.
  httpRequest.destroy();
});
```
Using RemoteCommunicationKit, set proxy: 'no-proxy':
```typescript
import { rcp } from '@kit.RemoteCommunicationKit';
import { BusinessError } from '@kit.BasicServicesKit';

const session = rcp.createSession();
const requestURL = 'https://example.com';
// The proxy method configured for the request is 'no-proxy'.
const configuration: rcp.Configuration = {
  proxy: 'no-proxy'
};
// Define the request and add the configuration to the request.
const request = new rcp.Request(requestURL, "GET");
request.configuration = configuration;
session.fetch(request).then((response: rcp.Response) => {
  console.info(`Response success, ${response}`);
  session.close();
}).catch((err: BusinessError) => {
  console.error(`The error code is ${err.code}, error message is ${err.message}`);
  session.close();
});
```
- Certificate Pinning
By default, NetworkKit and RemoteCommunicationKit trust system and user-installed CA certificates. To enhance security, configure the app to distrust user-installed CA certificates by creating src/main/resources/base/profile/network_config.json:
```json
{
  "network-security-config": {
    // To do sth.
  },
  "trust-global-user-ca": false, // Whether to trust the CA certificate manually installed by the enterprise MDM system or device administrator user; default is true.
  "trust-current-user-ca": false // Whether to trust the CA certificate installed by the current user; default is true.
}
```
To pin certificates, allow only developer-specified CA certificates to establish HTTPS connections. Configure this in network_config.json:
```json
// For example, application-level trusted CA certificates are pre-installed in the /res/appCaCert directory,
// while domain-specific trusted CA certificates are pre-installed in the /res/domainCaCert directory.
{
  "network-security-config": {
    "base-config": {
      "trust-anchors": [
        {
          "certificates": "/res/appCaCert"
        }
      ]
    },
    "domain-config": [
      {
        "domains": [
          {
            "include-subdomains": true,
            "name": "example.com"
          }
        ],
        "trust-anchors": [
          {
            "certificates": "/res/domainCaCert"
          }
        ]
      }
    ]
  }
}
```
NetworkKit also supports specifying the trusted CA certificate path in code:
```typescript
httpRequest.request("EXAMPLE_URL", {
  method: http.RequestMethod.POST,
  header: {
    'Content-Type': 'application/json'
  },
  extraData: "data to send",
  expectDataType: http.HttpDataType.STRING,
  connectTimeout: 60000,
  caPath: '/res/domainCaCert', // Specify the trusted CA certificate path
}, (err: BusinessError, data: http.HttpResponse) => {
  if (err) {
    console.error(`Request failed: code ${err.code}, message ${err.message}`);
  }
});
```
RemoteCommunicationKit supports the same:
```typescript
const caPath: rcp.CertificateAuthority = {
  folderPath: '/res/appCaCert', // Specify the trusted CA certificate path
};
const securityConfig: rcp.SecurityConfiguration = {
  remoteValidation: caPath
};
// Use the security configuration in the session creation
const sessionWithSecurityConfig = rcp.createSession({ requestConfiguration: { security: securityConfig } });
```
- Common FAQs
Q: How do you prevent packet sniffing when the SSL certificate is about to expire and the app uses axios for network requests?
A: SSL certificates are essential for anti-sniffing. Renew them promptly to avoid expiration-related vulnerabilities.
Q: How to prevent tools like Fiddler or Charles from capturing HTTPS traffic and exposing plaintext responses?
A: Configure the app to distrust user-installed CA certificates in network_config.json. Reference:
https://developer.huawei.com/consumer/en/doc/best-practices/bpta-network-ca-security#section11935814273
```json
{
  "trust-current-user-ca": false // Configure whether to trust the CA certificate installed by the current user. The default value is true.
}
```
Q: How to prevent packet sniffing for WebView HTTPS interfaces?
A: Use static SSL pinning via network_config.json, and set domain names like *.xxx.com in the configuration:
```json
{
  "network-security-config": {
    "domain-config": [
      {
        "domains": [
          {
            "include-subdomains": true,
            "name": "*.server.com"
          }
        ],
        "pin-set": {
          "expiration": "2024-11-08",
          "pin": [
            {
              "digest-algorithm": "sha256",
              "digest": "g8CsdcpyAKxmLoWFvMd2hC7ZDUy7L4E2NYOi1i8qEtE=" // Hash of the server certificate public key
            }
          ]
        }
      }
    ]
  }
}
```
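A lint for the network_config.json policies shown above (both the user-CA trust flags and the pin-set block), as an added example that is not from the original post or from Huawei's tooling: it flags a user CA store left trusted, an expired or malformed pin-set expiration, and a digest that does not decode to a 32-byte sha256 value. check_network_config, SAMPLE_CONFIG and DIGEST_LEN are hypothetical names, the sample config is constructed (its digest is the value from the page), and the backup-pin warning reflects general pin-rotation practice rather than anything the page states.

```python
import base64
from datetime import date
# Expected raw digest length in bytes for each supported digest-algorithm value.
DIGEST_LEN = {"sha256": 32}

# Constructed sample mirroring the page's WebView pin-set layout (digest value taken from the page).
SAMPLE_CONFIG = {
    "trust-global-user-ca": False,
    "trust-current-user-ca": False,
    "network-security-config": {"domain-config": [{
        "domains": [{"include-subdomains": True, "name": "*.server.com"}],
        "pin-set": {"expiration": "2024-11-08", "pin": [
            {"digest-algorithm": "sha256", "digest": "g8CsdcpyAKxmLoWFvMd2hC7ZDUy7L4E2NYOi1i8qEtE="}]},
    }]},
}

def check_network_config(cfg: dict, today: str) -> list[str]:
    """Return findings for cfg as of `today` (YYYY-MM-DD); an empty list means the policy passes."""
    findings = []
    today_d = date.fromisoformat(today)  # passed in explicitly so the check is reproducible in CI
    # Both user-installed CA stores default to trusted; the page recommends setting them to false.
    for key in ("trust-global-user-ca", "trust-current-user-ca"):
        if cfg.get(key, True):
            findings.append(f"{key} is true: user-installed CAs are trusted")
    for i, dc in enumerate(cfg.get("network-security-config", {}).get("domain-config", [])):
        label = ",".join(d.get("name", "?") for d in dc.get("domains", [])) or f"domain-config[{i}]"
        pin_set = dc.get("pin-set")
        if pin_set is None:
            continue  # trust-anchors only; nothing pin-specific to check
        try:
            if date.fromisoformat(pin_set["expiration"]) <= today_d:
                findings.append(f"{label}: pin-set expired on {pin_set['expiration']}")
        except (KeyError, ValueError):
            findings.append(f"{label}: expiration missing or not YYYY-MM-DD")
        pins = pin_set.get("pin", [])
        if len(pins) < 2:  # general rotation practice (backup pin), not something the page states
            findings.append(f"{label}: {len(pins)} pin(s); keep a backup pin for rotation")
        for pin in pins:
            alg = pin.get("digest-algorithm", "")
            if alg not in DIGEST_LEN:
                findings.append(f"{label}: unsupported digest-algorithm {alg!r}")
                continue
            try:
                raw = base64.b64decode(pin.get("digest", ""), validate=True)  # binascii.Error is a ValueError
            except ValueError:
                findings.append(f"{label}: digest is not valid base64")
                continue
            if len(raw) != DIGEST_LEN[alg]:
                findings.append(f"{label}: {alg} digest must be {DIGEST_LEN[alg]} bytes, got {len(raw)}")
    return findings
```

Run it against the real profile by loading the JSON (after stripping any comments) and passing the current date; a non-empty result should fail the build.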
Key Takeaways
- Always use HTTPS for secure data transmission
- Disable proxy usage to prevent interception
- Implement certificate pinning to restrict trusted certificates
- Distrust user-installed CA certificates to block unauthorized access
- Update SSL certificates regularly to maintain security
- Use static SSL pinning for WebView interfaces
Reference Link
- https://developer.huawei.com/consumer/en/doc/harmonyos-guides/http-request
- https://developer.huawei.com/consumer/en/doc/harmonyos-guides/remote-communication-customproxyconfig#section322018718215
- https://developer.huawei.com/consumer/en/doc/best-practices/bpta-network-ca-security#section11935814273