This article aims to deeply explore the technical details of the Huawei HarmonyOS Next system (up to API 12 as of now) in developing multilingual e-commerce platforms, and is summarized based on actual development practices. It mainly serves as a vehicle for technical sharing and communication. Mistakes and omissions are inevitable. Colleagues are welcome to put up valuable opinions and questions so that we can make progress together. This article is original content, and any form of reprint must indicate the source and the original author.
In today's digital age, the protection of password data is crucial for the security and user experience of applications. Whether it's logging into accounts, conducting financial transactions, or accessing sensitive information, passwords play a key role. As an advanced operating system, HarmonyOS Next's Asset Store Kit provides a powerful solution for the secure storage and management of password data.(I) Introduction
- Importance of Password Data Protection - In the field of mobile applications, password data is the core credential for user authentication. Once passwords are leaked, the security of users' accounts will be seriously threatened, which may lead to serious consequences such as personal information being stolen and property losses. For example, in financial applications, if a user's login password is leaked, hackers may illegally access the user's account to conduct transfer, consumption, and other operations. Therefore, ensuring the security of password data is the top priority for application developers.
- Key Role of Asset Store Kit - HarmonyOS Next's Asset Store Kit provides storage and management functions specifically for critical assets, including password data. Through a series of security mechanisms and interfaces, it helps developers easily achieve the secure storage of password data, effectively reducing the risk of data leakage. For example, it can ensure that passwords are encrypted during storage, and only authorized users or applications can access and decrypt them. ### (II) Implementation of the "Remember Password" Feature
- Description of Common Scenarios - When users log into accounts in applications or browsers, they often see the option to "Remember Password". For example, in social media applications, users may need to log in multiple times a day to check messages and update their statuses. If they have to manually enter their passwords each time they log in, it will cause inconvenience to them. After choosing "Remember Password", when logging in next time, the application can automatically fill in the password, and users only need to click the "Login" button to quickly enter their accounts, greatly enhancing the user experience.
- Principle of Storing Passwords with ASSET - When an application stores passwords using ASSET, it first converts the password into ciphertext form. ASSET uses the AES256-GCM encryption algorithm to encrypt passwords, which has high-strength encryption characteristics and can effectively prevent passwords from being cracked. For example, here is a simple code example showing how to store passwords using ASSET (assuming the ArkTS language is used):
import { asset } from '@kit.AssetStoreKit';
import { util } from '@kit.ArkTS';
import { BusinessError } from '@kit.BasicServicesKit';
function stringToArray(str: string): Uint8Array {
let textEncoder = new util.TextEncoder();
return textEncoder.encodeInto(str);
}
// Assume the password is "myPassword" and the alias is set to "loginPassword"
let attr: asset.AssetMap = new Map();
attr.set(asset.Tag.SECRET, stringToArray('myPassword'));
attr.set(asset.Tag.ALIAS, stringToArray('loginPassword'));
try {
asset.add(attr).then(() => {
console.info('Password stored successfully.');
}).catch((err: BusinessError) => {
console.error('Failed to store password. Code is ${err.code}, message is ${err.word}');
});
} catch (error) {
let err = error as BusinessError;
console.error('Failed to store password. Code is ${err.code}, message is ${err.word}');
}
(III) Security Enhancement Measures
- Security Assurance Mechanisms of ASSET - The security assurance mechanisms of ASSET are mainly reflected in several aspects. First, it performs password encryption and decryption operations based on the underlying general key store system, and these operations are completed in a secure environment (such as a trusted execution environment). Even if the system is attacked, it can effectively protect passwords from being leaked. Second, ASSET has very strict access control over passwords, adopting multiple access control methods based on ownership, lock screen status, lock screen password setting status, and user authentication. For example, access control based on ownership ensures that only the application that writes the password (i.e., the owner) can access the password, preventing other applications from illegally obtaining password data.
- Comparison with Traditional Storage Methods - Traditional password storage methods often have many security risks. Some applications may simply store passwords in plaintext or weakly encrypted forms in local files or databases, making passwords vulnerable to being stolen by hackers. In contrast, HarmonyOS Next's Asset Store Kit adopts advanced encryption algorithms and strict access control strategies, greatly improving the security of password data. For example, in the traditional storage method, if a device is invaded, hackers can directly obtain the stored password in plaintext; while in HarmonyOS Next, even if the device is breached, hackers cannot easily obtain passwords because passwords are stored in ciphertext form and need to pass through multiple authentication and authorization mechanisms to be accessed. ### (IV) Related Technical Principles
- AES256-GCM Encryption Algorithm - AES256-GCM is an Advanced Encryption Standard algorithm that uses a 256-bit key to encrypt passwords, providing extremely high encryption strength. The GCM (Galois/Counter Mode) mode can also ensure the integrity and authenticity of data while encrypting. During password storage, ASSET uses this algorithm to convert passwords into ciphertext, ensuring the security of passwords during storage and transmission. For example, when a user sets a password, the application encrypts the password using the AES256-GCM algorithm and stores it in ASSET. Only under legitimate access requests will the corresponding key be used to decrypt the ciphertext into the plaintext password for verification.
- Access Control Principles - Access Control Based on Ownership: All critical assets (including passwords) are protected by ownership access control. Each critical asset has its owner, and only the owner application can access the asset. For example, a bank application stores user passwords, and only that bank application can access and manage those passwords, and other applications cannot obtain them. - Access Control Based on Lock Screen Status: It is divided into three levels: accessible after power-on, accessible after the first unlock, and accessible when unlocked. Developers can set different levels according to the security requirements of the application. For example, for some less sensitive applications, it may be set to be accessible after power-on to facilitate users' quick use; while for financial applications, it is usually set to be accessible when unlocked to ensure that passwords can only be accessed when the device is in an unlocked state, further improving security. - Access Control Based on Lock Screen Password Setting Status: It is not enabled by default. Developers can choose to enable it. Once enabled, only when the user has set a lock screen password, critical assets (passwords) are allowed to be accessed. This provides additional security for password data, preventing passwords from being easily obtained when the device does not have a lock screen password set. - Access Control Based on User Authentication: It is not enabled by default. Developers can decide whether to enable it according to their needs. Once enabled, users need to pass identity authentication (such as fingerprint, face, PIN code, etc.) before they can access passwords. And developers can set the authentication validity period, for example, set it to 5 minutes. During these 5 minutes, users can perform multiple password-related operations without repeated authentication, improving the user experience while also ensuring security. ### (V) Example Code Demonstration
- The following is a more complete example code showing how to use the Asset Store Kit to perform password storage, query, and deletion operations (ArkTS language):
import { asset } from '@kit.AssetStoreKit';
import { util } from '@kit.ArkTS';
import { BusinessError } from '@kit.BasicServicesKit';
function stringToArray(str: string): Uint8Array {
let textEncoder = new util.TextEncoder();
return textEncoder.encodeInto(str);
}
function arrayToString(arr: Uint8Array): string {
let textDecoder = util.TextDecoder.create("utf-8", { ignoreBOM: true });
let str = textDecoder.decodeWithStream(arr, { stream: false });
return str;
}
// Store password
async function storePassword(password: string, alias: string) {
let attr: asset.AssetMap = new Map();
attr.set(asset.Tag.SECRET, stringToArray(password));
attr.set(asset.Tag.ALIAS, stringToArray(alias));
try {
await asset.add(attr);
console.info('Password stored successfully.');
} catch (error) {
let err = error as BusinessKit;
console.error('Failed to store password. Code is ${err.code}, message is ${err.message}');
}
}
// Query password
async function queryPassword(alias: string) {
let query: asset.AssetMap = new Map();
query.set(asset.Tag.ALIAS, stringToArray(alias));
try {
let res: Array<asset.AssetMap> = await asset.query(query);
if (res.length > 0) {
let secret: Uint8Array = res[0].get(asset.Tag.SECRET) as Uint8Array;
let password = arrayToString(secret);
console.info('Password retrieved successfully: ', password);
} else {
console.info('Password not found.');
}
} catch (error) {
let err = error as BusinessError;
console.error('Failed to query password. Code is ${err.code}, message is ${err.message}');
}
}
// Delete password
async function deletePassword(alias: string) {
let query: asset.AssetMap = new Map();
query.set(asset.Tag.ALIAS, stringToArray(alias));
try {
await asset.remove(query);
console.info('Password deleted successfully.');
} catch (error) {
let err = error as BusinessError;
console.error('Failed to delete password. Code is ${err.code}, message is ${err.message}');
}
}
// Example usage
storePassword('myNewPassword', 'newLoginPassword');
queryPassword('newLoginPassword');
deletePassword('newLoginPassword');
(VI) Summary and Outlook
- Summary of Key Knowledge Points - In the "Remember Password" scenario, we have learned that HarmonyOS Next's Asset Store Kit provides comprehensive security guarantees for password data through powerful encryption algorithms (such as AES256-GCM) and strict access control mechanisms (based on ownership, lock screen status, lock screen password setting status, and user authentication). Developers can implement operations such as password storage, query, and deletion through simple interface calls, and need to pay attention to constraints such as the uniqueness of critical asset aliases.
- Outlook for Future Development - With the continuous development of technology, HarmonyOS Next may further strengthen password data protection. For example, more advanced encryption algorithms and smarter access control strategies may be introduced. Meanwhile, with the popularization of Internet of Things devices, HarmonyOS Next may better adapt to the password data protection needs of different device types and usage scenarios, providing users with a more secure and convenient application experience. We look forward to HarmonyOS Next's continuous innovation in the field of password data protection and leading the development trend of the industry.
Top comments (0)