DEV Community

SameX
In-depth Analysis of the Security Assurance Mechanisms for Critical Asset Storage in HarmonyOS Next

This article explores the technical details of the mechanisms that the Huawei HarmonyOS Next system (up to API 12 as of this writing) provides for storing critical assets securely, and is summarized from actual development practice. It is intended for technical sharing and discussion. Mistakes and omissions are inevitable; colleagues are welcome to raise questions and suggestions so that we can make progress together. This article is original content, and any reprint must credit the source and the original author.

(I) Introduction

In today's digital age, the security of critical assets is a lifeline for applications. Whether it is users' personal data such as account passwords and bank card numbers or an enterprise's core data, a leak or corruption can cause serious consequences: financial loss for users, reputational damage for the enterprise, and legal exposure. HarmonyOS Next treats security as one of its core design principles and provides multi-level protection for critical assets so that user data stays confidential and intact across scenarios.

(II) Encryption Algorithms and Key Management

  1. Application of the AES256-GCM Encryption Algorithm
     - AES256-GCM is the algorithm HarmonyOS Next uses to protect critical assets at rest. AES (Advanced Encryption Standard) is a widely vetted symmetric cipher, and the 256-bit key length puts brute force out of reach. When a critical asset such as a user credential is stored, the plaintext is handed to the encryption module and comes back as ciphertext that is indistinguishable from random data; only that ciphertext is written to the secure storage area, so an attacker who extracts the storage medium still cannot read the credential without the key.
     - The GCM (Galois/Counter Mode) mode adds integrity and authenticity to confidentiality. Alongside the ciphertext it produces an authentication tag (a MAC) computed over the ciphertext and any associated data. Decryption verifies this tag before releasing any plaintext: if the stored ciphertext, the nonce or the tag has been altered by so much as one bit, verification fails and the asset is reported as tampered instead of being decrypted. Two practical points follow. The nonce must never be reused with the same key, because GCM's security collapses if it is, and the tag check is not optional: a caller must treat a decryption failure as a security event, not as a corrupt record to retry.
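The seal-then-verify behaviour described above, as an added example in TypeScript using Node's built-in crypto module (this is not code from the article or from HarmonyOS): a 256-bit key from the OS random source, AES-256-GCM with a fresh nonce per record, an associated-data string that binds the ciphertext to an owner and alias, and a decrypt path that returns nothing when the tag does not verify. The record layout (nonce | ciphertext | tag), the AAD string and the bundle names are my choices for illustration, not the asset store's on-disk format. The key buffer is zeroed as soon as the operation is done, which is the short-lived-key discipline the next item describes.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Record layout chosen for this example (not the asset store's on-disk format):
// 12-byte nonce | ciphertext | 16-byte GCM authentication tag.
const NONCE_LEN = 12;
const TAG_LEN = 16;

// 256-bit key from the OS CSPRNG. On a HarmonyOS device the platform does this
// with its hardware RNG and keeps the key inside the TEE; an app never does it itself.
function generateKey(): Buffer {
  return randomBytes(32);
}

// Encrypt one asset. `aad` is authenticated but not encrypted: binding the
// owner and alias here means the ciphertext cannot be replayed under another name.
function sealAsset(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const nonce = randomBytes(NONCE_LEN); // fresh per call; never reuse a nonce with the same key
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ciphertext, cipher.getAuthTag()]);
}

// Decrypt one asset. Returns null (and no partial plaintext) if the tag does not
// verify, i.e. the nonce, ciphertext, tag or AAD differs from what was sealed.
function openAsset(key: Buffer, record: Buffer, aad: Buffer): Buffer | null {
  if (record.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = record.subarray(0, NONCE_LEN);
  const tag = record.subarray(record.length - TAG_LEN);
  const ciphertext = record.subarray(NONCE_LEN, record.length - TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  try {
    // final() is where the tag is checked; it throws on mismatch.
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

interface DemoResult {
  roundTrip: boolean;
  tamperedCiphertext: boolean;
  wrongContext: boolean;
  wrongKey: boolean;
}

// Constructed walkthrough: seal a credential, then try three ways of attacking it.
function demo(): DemoResult {
  const key = generateKey();
  const aad = Buffer.from("owner=com.example.bank;alias=login_token"); // hypothetical context
  const secret = Buffer.from("s3cr3t-session-token");                    // constructed sample

  const record = sealAsset(key, secret, aad);
  const opened = openAsset(key, record, aad);
  const roundTrip = opened !== null && opened.equals(secret);

  // Flip one bit in the ciphertext body: the tag no longer verifies.
  const tampered = Buffer.from(record);
  tampered[NONCE_LEN] ^= 0x01;
  const tamperedCiphertext = openAsset(key, tampered, aad) === null;

  // The same record presented under another owner's context is also refused.
  const otherAad = Buffer.from("owner=com.example.social;alias=login_token");
  const wrongContext = openAsset(key, record, otherAad) === null;

  // A different (e.g. guessed) key fails the tag check as well.
  const wrongKey = openAsset(generateKey(), record, aad) === null;

  key.fill(0); // short-lived key: wipe the buffer as soon as the operation is done
  return { roundTrip, tamperedCiphertext, wrongContext, wrongKey };
}
```

`demo()` returns four booleans, all expected to be true: the round trip succeeds, and each of the three manipulations is rejected without any plaintext being released.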
  2. Key Generation, Storage, and Usage Methods
     - Key generation is handled by the system, not by the application. HarmonyOS Next draws keys from a hardware-backed random number generator, so they are unpredictable to software, and stores them in the Trusted Execution Environment (TEE), an area separated from the main operating system by hardware isolation and its own protected software stack. Application code never handles the raw key material.
     - Key usage follows least privilege. Only authorized operations can invoke a key, and a key is present in working memory only for the duration of one operation. When an application needs to verify a stored credential, the system retrieves the corresponding key from the TEE, performs the decryption in memory, and clears the key from memory as soon as the operation completes, so no long-lived copy remains for an attacker with memory access to recover.

(III) Detailed Explanation of Access Control Strategies
  3. Access Control Based on Ownership
     - Ownership is the foundation of the HarmonyOS Next critical asset model. Every critical asset is bound to an owner, the application that wrote it as identified by the system, and only that owner can read, update or delete it. On a device with many third-party applications, the credentials one application stores are invisible to every other application; there is no path through which a second application can enumerate or fetch another owner's assets. This prevents cross-application leakage and protects users' privacy in each application separately.
     - In practice, suppose a user has both a banking application and a social application installed. Even if the social application is compromised, the attacker cannot use it to reach the banking application's critical assets, because the two belong to different owners and the system enforces that boundary. The converse also holds: ownership protects assets from other applications, not from the owner itself, so a compromised application can still read everything it stored. That is why the lock-screen and user-authentication policies described next exist.
  4. Access Control Based on Lock Screen State
     - Accessible After Power-On: the asset can be read as soon as the device has booted, before the user has unlocked it even once. This suits data that background work needs immediately after boot and that is not sensitive, for example a news application's browsing preferences. It is the weakest level: between boot and first unlock the device has verified nobody, so applications that hold sensitive data, financial applications above all, should not use it.
     - Accessible After the First Unlock: the asset becomes readable once the user has unlocked the device for the first time since boot and stays readable afterwards, even while the screen is locked again. This balances security and convenience and fits most ordinary applications: chat history, contacts and session tokens in a social application can be refreshed by background tasks without the user being present, while a device that was rebooted, or stolen while powered off, exposes nothing until someone unlocks it.
     - Accessible When Unlocked: the asset can be read only while the device is currently unlocked; as soon as the screen locks, access is refused until the next unlock. This is the right level for online banking and mobile payment credentials such as account data and transfer authorizations. Note that "unlocked" refers to the device's lock-screen state; it does not by itself re-authenticate the user for each access, and applications that need that should combine this level with the user-authentication policy described below. Even if the device is lost or stolen, a thief who cannot unlock it cannot reach these assets, which gives users' funds and privacy the strongest protection this family of policies offers.
  5. Access Control Based on Lock Screen Password Setting Status
     - This policy is off by default and is enabled per asset by the developer. When it is on, the asset is readable only if the device has a lock-screen password set; on a device with no lock-screen password, every access attempt is refused. A personal document or photo vault, for example, can enable it so that its content is never readable on a device that anyone who picks it up could open. The policy establishes a floor of device security rather than verifying the user: it does not require the password to be entered for each access, only that one exists, so it is usually combined with one of the lock-screen-state levels above.
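The lock-screen-state and lock-screen-password policies above, together with the user-authentication policy described in the next item, are set per asset when it is written. The following ArkTS snippet (ArkTS is the TypeScript dialect HarmonyOS applications are written in) is an added example and not code from the article. The tag and enum names follow the Asset Store Kit API as I read it for API 12 (`@kit.AssetStoreKit`: `asset.Tag.ACCESSIBILITY`, `asset.Accessibility.*`, `asset.Tag.REQUIRE_PASSWORD_SET`, `asset.Tag.AUTH_TYPE`, `asset.Tag.AUTH_VALIDITY_PERIOD`), so confirm them against the SDK you build with; the aliases, values and bundle names are invented for illustration.

```arkts
// Added example; API names are my reading of the API 12 Asset Store Kit docs,
// aliases and values are invented. Verify against your SDK before shipping.
import { asset } from '@kit.AssetStoreKit';
import { util } from '@kit.ArkTS';
import { BusinessError } from '@kit.BasicServicesKit';

// The asset store takes secrets and aliases as Uint8Array.
function toBytes(s: string): Uint8Array {
  return new util.TextEncoder().encodeInto(s);
}

// Level 1: readable as soon as the device has booted (DEVICE_POWERED_ON).
// Suitable only for non-sensitive data such as browsing preferences.
async function storePreference(alias: string, value: string): Promise<void> {
  const attrs: asset.AssetMap = new Map();
  attrs.set(asset.Tag.ALIAS, toBytes(alias));
  attrs.set(asset.Tag.SECRET, toBytes(value));
  attrs.set(asset.Tag.ACCESSIBILITY, asset.Accessibility.DEVICE_POWERED_ON);
  await asset.add(attrs);
}

// Level 2: readable once the user has unlocked since boot, even if the device is
// locked again later (DEVICE_FIRST_UNLOCKED). Set explicitly so the intent is
// visible in code review instead of relying on whatever the default is.
async function storeSessionToken(alias: string, token: string): Promise<void> {
  const attrs: asset.AssetMap = new Map();
  attrs.set(asset.Tag.ALIAS, toBytes(alias));
  attrs.set(asset.Tag.SECRET, toBytes(token));
  attrs.set(asset.Tag.ACCESSIBILITY, asset.Accessibility.DEVICE_FIRST_UNLOCKED);
  await asset.add(attrs);
}

// Level 3: a payment credential. Readable only while the screen is unlocked,
// only on a device that has a lock-screen password, and only after the user has
// authenticated with any enrolled method within the last 300 seconds.
async function storePaymentCredential(alias: string, credential: string): Promise<void> {
  const attrs: asset.AssetMap = new Map();
  attrs.set(asset.Tag.ALIAS, toBytes(alias));
  attrs.set(asset.Tag.SECRET, toBytes(credential));
  attrs.set(asset.Tag.ACCESSIBILITY, asset.Accessibility.DEVICE_UNLOCKED);
  attrs.set(asset.Tag.REQUIRE_PASSWORD_SET, true);
  attrs.set(asset.Tag.AUTH_TYPE, asset.AuthType.ANY);
  attrs.set(asset.Tag.AUTH_VALIDITY_PERIOD, 300); // seconds; keep this short for payment flows
  await asset.add(attrs);
}

// Read back an asset that does not require user authentication. A query can match
// several assets, so insist on exactly one. A refusal (for example the screen is
// locked and the asset is DEVICE_UNLOCKED) is logged and treated as "not available";
// it is not retried in a loop, which would only generate audit noise.
async function readSecret(alias: string): Promise<Uint8Array | null> {
  const query: asset.AssetMap = new Map();
  query.set(asset.Tag.ALIAS, toBytes(alias));
  query.set(asset.Tag.RETURN_TYPE, asset.ReturnType.ALL);
  try {
    const results: Array<asset.AssetMap> = await asset.query(query);
    if (results.length !== 1) {
      return null;
    }
    return results[0].get(asset.Tag.SECRET) as Uint8Array;
  } catch (error) {
    const err = error as BusinessError;
    console.error(`asset.query(${alias}) refused: code ${err.code}, ${err.message}`);
    return null;
  }
}
```

Reading an asset that carries `AUTH_TYPE` is, as I understand the API, a three-step flow rather than a plain `query`: `asset.preQuery` returns a challenge, the application runs the system user-authentication dialog with that challenge and receives an authentication token, and `asset.query` is then called with `AUTH_CHALLENGE` and `AUTH_TOKEN` set, followed by `asset.postQuery` to release the challenge. That flow depends on the User Authentication Kit and is left out of the snippet; treat the description as my reading of the documentation, not a verified transcript of it.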
  6. Access Control Based on User Authentication
     - This policy is also off by default and is enabled according to the sensitivity of the asset. Once on, the user must pass identity authentication before the asset can be read; fingerprint, face and PIN are all accepted. In a confidential file manager used inside an enterprise, for example, employees must authenticate before the application can retrieve the key that protects a company document. The developer also sets an authentication validity period, say 5 minutes: within that window further accesses do not prompt again, which keeps a run of file operations fluid, and once it expires the next access prompts afresh, so a device left unattended for a while does not keep handing out its assets. Choose the period deliberately. It trades user friction against the exposure window after the user walks away, and for payment or transfer flows it should be short.

(IV) Data Integrity Protection
  7. Methods to Ensure Data Integrity
     - HarmonyOS Next protects the integrity of critical assets in storage and in transit with more than one mechanism. The authentication tag of AES256-GCM covers the encrypted asset itself; for other data, cryptographic hash functions are used. A hash function maps content of any size to a fixed-length digest that changes unpredictably when even one bit of the input changes and cannot be reversed to recover the input. For example, when a user's configuration file is stored, the system computes its digest and stores the digest alongside the file; on every read it recomputes the digest and compares. A match means the file is as written; a mismatch means corruption or tampering, and the system refuses to use the data or warns the user. One caveat matters in practice: a digest kept next to the file only detects accidental corruption, because an attacker who can rewrite the file can recompute and rewrite the digest too. For tamper detection the digest itself must be protected, either by storing it inside an asset that is encrypted and authenticated or by replacing it with a keyed MAC whose key the attacker does not hold.
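The two checks this section describes, the stored-file digest check above and the update-package check in the next item, as an added TypeScript example using Node's crypto module (not code from the article or the platform). It hashes the package chunk by chunk as a downloader would, compares digests in constant time, and then shows concretely why an unkeyed digest stored next to a file does not stop an attacker who can write both, while an HMAC keyed with a secret held elsewhere does. The package bytes, file content and key are constructed for the example; the digest format (hex SHA-256) and the HMAC choice are mine.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hash data chunk by chunk, as a downloader or file reader would.
function sha256Chunked(chunks: Buffer[]): Buffer {
  const h = createHash("sha256");
  for (const c of chunks) h.update(c);
  return h.digest();
}

// Length check first: timingSafeEqual throws on unequal lengths.
function digestsEqual(a: Buffer, b: Buffer): boolean {
  return a.length === b.length && timingSafeEqual(a, b);
}

// Update-package check against a vendor-published SHA-256 (hex). The reference
// must arrive over an authenticated path; this function cannot tell a genuine
// digest from one an attacker published alongside a swapped package.
function verifyPackage(chunks: Buffer[], referenceHex: string): boolean {
  if (!/^[0-9a-fA-F]{64}$/.test(referenceHex)) return false; // malformed reference: refuse to install
  return digestsEqual(sha256Chunked(chunks), Buffer.from(referenceHex, "hex"));
}

// Stored-file check, unkeyed: digest kept next to the file.
function verifyUnkeyed(content: Buffer, storedDigest: Buffer): boolean {
  return digestsEqual(sha256Chunked([content]), storedDigest);
}

// Stored-file check, keyed: HMAC-SHA256 with a key that does not live next to
// the file (on the platform it would sit in the asset store itself).
function tagFile(key: Buffer, content: Buffer): Buffer {
  return createHmac("sha256", key).update(content).digest();
}
function verifyKeyed(key: Buffer, content: Buffer, tag: Buffer): boolean {
  return digestsEqual(tagFile(key, content), tag);
}

interface DemoResult {
  packageOk: boolean;
  corruptedPackageRejected: boolean;
  fileOk: boolean;
  unkeyedCheckFooled: boolean;
  keyedCheckHolds: boolean;
}

// Constructed walkthrough with sample bytes.
function demo(): DemoResult {
  const pkg = [Buffer.from("update-1.2.3-header;"), Buffer.from("payload-bytes")];
  const published = sha256Chunked(pkg).toString("hex"); // stands in for the vendor's digest
  const packageOk = verifyPackage(pkg, published);
  const corruptedPackageRejected = !verifyPackage([pkg[0], Buffer.from("payload-bytez")], published);

  const key = randomBytes(32);
  const file = Buffer.from('{"theme":"dark","lang":"en"}');
  const tag = tagFile(key, file);
  const fileOk = verifyKeyed(key, file, tag);

  // Attacker rewrites the file. With an unkeyed sidecar digest they simply recompute it.
  const forged = Buffer.from('{"theme":"dark","lang":"en","premium":true}');
  const attackerSidecar = sha256Chunked([forged]);
  const unkeyedCheckFooled = verifyUnkeyed(forged, attackerSidecar);
  // With the keyed tag they cannot produce a valid value without the key.
  const keyedCheckHolds = !verifyKeyed(key, forged, tag);

  return { packageOk, corruptedPackageRejected, fileOk, unkeyedCheckFooled, keyedCheckHolds };
}
```

All five fields of `demo()` come back true; `unkeyedCheckFooled` being true is the point of the example, not a bug.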
  8. Application Examples of Hash Algorithms
     - Take a software update package as the critical asset. While the package downloads, the system hashes the bytes as they arrive and, when the download completes, compares the digest with the one the vendor published. A match means the package is complete and unaltered and can be installed; a mismatch means either a transfer error or a package that was swapped or modified in transit, and installation is refused so that malicious code cannot enter the device by way of a tampered update. The check is only as strong as the reference digest: it must come from an authenticated source, such as a signed manifest or the vendor's TLS-protected site, because an attacker who can substitute the package on the download path can usually substitute a digest published on that same path.

(V) Security Audit and Monitoring
  9. Introduction to Audit and Monitoring Mechanisms
     - HarmonyOS Next records and monitors operations on critical assets. Every create, read, update and delete is logged with the time, the operation type, the origin (the identifier of the calling application) and an identifier of the asset involved. When a user changes a password in an application, for instance, the record holds the time, the application and which asset was updated. It must not hold the secret itself, nor a hash of it: a password hash written to a log is an offline cracking target for anyone who can read the logs, so audit records identify assets, never their contents.
     - The system also monitors these operations as they happen and looks for abnormal patterns. If one application performs an unusually large number of reads of critical assets within a short time, that is treated as suspicious and a security alert is raised.
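The burst rule just described, as an added TypeScript example (not the platform's monitoring code): a parser for a constructed one-line-per-operation audit format, a sliding-window detector that flags any application whose densest 10-second window holds at least 20 reads, and a constructed sample log in which a social application hammers one asset while a banking application behaves normally. The log format, the field names, the bundle names and the thresholds are all my inventions for the example.

```typescript
// One audit record per line, in the constructed format used for this example:
//   <ISO-8601 time> op=<create|read|update|delete> app=<bundle> alias=<asset alias>
interface AssetEvent { ts: number; op: string; app: string; alias: string }
interface BurstAlert { app: string; reads: number; windowStart: string; windowEnd: string }

const RECORD = /^(\S+)\s+op=(\w+)\s+app=(\S+)\s+alias=(\S+)$/;

function parseRecord(line: string): AssetEvent | null {
  const m = RECORD.exec(line.trim());
  if (!m) return null;                         // unparseable lines are skipped, not fatal
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, op: m[2], app: m[3], alias: m[4] };
}

// Sliding-window rule: raise one alert per app whose densest window of `windowMs`
// contains at least `threshold` reads. Events are sorted first, so log order
// does not matter.
function detectReadBursts(lines: string[], threshold = 20, windowMs = 10000): BurstAlert[] {
  const readsByApp = new Map<string, AssetEvent[]>();
  for (const line of lines) {
    const e = parseRecord(line);
    if (!e || e.op !== "read") continue;
    let list = readsByApp.get(e.app);
    if (!list) { list = []; readsByApp.set(e.app, list); }
    list.push(e);
  }

  const alerts: BurstAlert[] = [];
  readsByApp.forEach((events, app) => {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = { count: 0, s: 0, e: 0 };
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count > best.count) best = { count, s: start, e: end };
    }
    if (best.count >= threshold) {
      alerts.push({
        app,
        reads: best.count,
        windowStart: new Date(events[best.s].ts).toISOString(),
        windowEnd: new Date(events[best.e].ts).toISOString(),
      });
    }
  });
  return alerts;
}

// Constructed sample log: a social app hammering one asset, a bank app behaving normally.
function sampleLog(): string[] {
  const lines: string[] = [];
  const t0 = Date.parse("2024-05-01T10:00:00Z");
  for (let i = 0; i < 25; i++) {
    lines.push(`${new Date(t0 + i * 300).toISOString()} op=read app=com.example.social alias=chat_key`);
  }
  lines.push("2024-05-01T09:58:00Z op=read app=com.example.bank alias=login_token");
  lines.push("2024-05-01T10:03:00Z op=update app=com.example.bank alias=login_token");
  lines.push("2024-05-01T10:05:00Z op=read app=com.example.bank alias=login_token");
  lines.push("malformed line that should be skipped");
  return lines;
}
```

`detectReadBursts(sampleLog())` yields a single alert for `com.example.social` with 25 reads; raising the threshold to 30 yields none. In production the same rule should also key on the asset alias and compare against each application's own baseline rather than one global threshold, otherwise a legitimately chatty application generates constant noise.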
  10. Ways of Log Recording and Analysis to Ensure Security
     - System administrators or security staff review these logs regularly and use the operation records to trace potential problems. An application that keeps accessing critical assets with no corresponding user action, for instance, may be vulnerable or already under an attacker's control; the administrator can suspend it, push an update, or report it to the developer for a fix. After an incident the log is also the primary evidence: it reconstructs the sequence and cause of the event so that countermeasures address the actual weakness rather than a guess. The log is only evidence if the monitored application cannot alter it, so records must be kept outside any storage the application itself can write.

(VI) Summary and Security Best Practices
  11. Summary of the Key Points of Security Assurance Mechanisms
     - The protection HarmonyOS Next gives critical assets in storage rests on four pillars: encryption and key management, layered access control, data integrity protection, and audit and monitoring. AES256-GCM keeps assets confidential and makes any alteration detectable; keys generated and held in the TEE keep the encryption trustworthy. The policies based on ownership, lock-screen state, lock-screen password presence and user authentication each narrow who can read an asset and when, and they compose. Integrity checks based on authentication tags and hashes catch tampering in storage and in transit. Audit and monitoring give operators the visibility to notice abuse and respond to it.
  12. Suggestions for Security Best Practices
     - For developers, the first task is to use what the platform provides. Choose access control policies to match the sensitivity of the data: an application that handles users' financial information should store those assets as accessible only when unlocked, require user authentication, and keep the authentication validity period short. Second, handle cryptography correctly: use the platform's AES256-GCM path rather than a hand-rolled scheme, rotate keys where the design allows it, and never fall back to weak passwords or deprecated algorithms. Third, take the audit trail seriously: review the logs on a schedule and investigate anomalies promptly. Track HarmonyOS Next security updates, adopt new security features as they ship, and patch known vulnerabilities in your own code without delay. For users, good device habits matter just as much: set a strong lock-screen password, keep it current, and do not install applications from unknown sources. Together these keep critical assets secure.
