DEV Community

SameX
SameX

Posted on

Practical Implementation of Secure Login and Password Management in HarmonyOS Next Social Applications

This article aims to deeply explore the technical details of the Huawei HarmonyOS Next system (up to API 12 as of now) in developing multilingual e-commerce platforms, and is summarized based on actual development practices. It mainly serves as a vehicle for technical sharing and communication. Mistakes and omissions are inevitable. Colleagues are welcome to put forward valuable opinions and questions so that we can make progress together. This article is original content, and any form of reprint must indicate the source and the original author.

In the development of social applications, secure login and password management are crucial aspects that are directly related to users' privacy and data security. This article will take a HarmonyOS Next social application as an example to elaborate on how to implement the functions of secure login and password management, covering the whole process from project background to optimization and testing.

I. Project Background and Objectives

(I) Analysis of Social Application Requirements

Social applications aim to provide users with a convenient social platform where they can create personal profiles, add friends, post updates, and conduct chats, etc. To achieve these functions, users need to register and log in. When registering, users are required to provide personal information such as usernames, passwords, email addresses or mobile phone numbers, etc.; when logging in, users need to enter the correct account and password to access their personal profiles and social functions.

(II) Importance of Secure Login and Password Management

In social applications, users' personal information and social data are very sensitive, such as chat records, photos, friend lists, etc. If there are security vulnerabilities in the login and password management processes, it may lead to risks such as users' accounts being hijacked, personal information being leaked, and even suffering from fraud. Therefore, ensuring secure login and password management is the key to protecting users' rights and interests and maintaining the reputation of the application.

II. Architecture Design and Technology Selection

(I) Architecture Design Based on Clean Architecture

  1. Presentation Layer Responsible for interacting with users, displaying user views such as the login interface, registration interface, and main interface. Use ArkUI components to build the interfaces to ensure their aesthetics and ease of use. For example, on the login interface, use the Text component to display the title and prompt information, the TextInput component to receive users' input of accounts and passwords, and the Button component to trigger login and registration operations.
  2. Application Layer Acts as a bridge between the Presentation Layer and the Domain Layer, coordinating the execution of business logic. Handles users' login and registration requests, calls the corresponding methods in the Domain Layer for business processing, and returns the processing results to the Presentation Layer. For example, when a user clicks the login button, the Application Layer is responsible for collecting the account and password entered by the user, validating the input format, and then calling the login method in the Domain Layer for actual login verification.
  3. Domain Layer Contains the core business logic of the social application, such as user authentication, password management, and friend relationship processing. In terms of password management, it implements the logic of password encryption, verification, saving, and updating. The Domain Layer does not depend on specific technical implementations but focuses only on the realization of business rules to ensure the independence and testability of the business logic.
  4. Domain Layer Responsible for data storage and retrieval, interacting with databases, network services, etc. In this case, the Data Layer is responsible for storing users' account passwords, personal profiles, friend lists, etc. Use the secure storage API of HarmonyOS Next to encrypt and store sensitive data such as passwords to ensure data security.

(II) Selection of HarmonyOS Next Security Functional Components

  1. Password Autofill Service Utilize the password autofill service to provide users with a convenient login experience. On the login and registration interfaces, automatically identify and fill in the saved account passwords according to the types of input boxes (USER_NAME, PASSWORD, NEW_PASSWORD), while ensuring the security of the filling process by preventing illegal filling through the system's identity authentication mechanism.
  2. Application Encryption The application encryption feature is used to protect the security of application code and data. When the application is listed, select encryption to ensure that the code files and data files are in an encrypted state when the application is installed and runs on the device, preventing the application from being decompiled and data from being stolen. The decryption key is stored in the system's Trusted Execution Environment (TEE), increasing the security of the key.

III. Implementation of the Login Module

(I) Interface Design and Layout (Using ArkUI Components)

  1. The overall layout of the login interface adopts the Column component to vertically arrange elements.
    • At the top, use the Text component to display the application's logo and application name to attract users' attention and enhance brand recognition.
    • The middle part contains two TextInput components, which are used to input usernames and passwords respectively. Set the placeholder property to prompt information, such as "Please enter username" and "Please enter password". To improve the user experience, set the showPasswordIcon property of the password input box to true to display the password visibility toggle icon.
    • At the bottom, use the Button component as the login button, set the text of the button to "Login", and add appropriate styles such as background color and border radius to make it stand out on the interface.
    • Below the login button, add a Text component to display the login error message. It is initially hidden and will show the corresponding error prompt when the login fails.

(II) Integration of the Password Autofill Service

  1. In the property settings of the username and password input boxes, ensure that the type property is set to InputType.USER_NAME and InputType.PASSWORD respectively, and the enableAutoFill property is true. This enables the system to identify the input boxes and automatically fill in the account passwords at the appropriate time.
  2. Listen to the click events of the input boxes. When the user clicks an input box for the first time, check whether the account password of this application is saved in the password vault. If it is saved, the system will automatically pop up a filling prompt. After the user selects to fill, the corresponding account password will be filled into the input box.
  3. In the login logic processing, if the password autofill is successful, directly use the filled password for login verification without requiring the user to manually input the password again, improving the login efficiency.

(III) Handling of Login Logic and Verification

  1. When the user clicks the login button, first obtain the values in the username and password input boxes.
  2. Validate the format of the username and password, checking whether they are empty values, whether the length meets the requirements, etc. If the format is incorrect, display the corresponding error prompt information on the interface to prevent the login process from continuing.
  3. Call the login method in the Domain Layer and pass the username and password to the Domain Layer for verification. In the Domain Layer, use the password autofill service to obtain the password saved in the password vault (if any), and compare it with the password entered by the user. If the password matches, further communicate with the server to verify the validity of the account (for example, checking whether the account is blocked, whether it exists, etc.).
  4. According to the verification result returned by the server, if the login is successful, jump to the main interface of the application; if the login fails, display the error information on the interface, prompting the user to check the account password and try again.

IV. Implementation of the Registration Module

(I) Generation and Recommendation of Strong Passwords

  1. In the new password input box on the registration interface, set the passwordRules property to specify the rules for generating strong passwords according to the rules of the password autofill service. For example, set "begin:[upper],special:[yes],len:[maxlen:32,minlen:12]" to require that the generated strong password starts with a capital letter, contains special characters, and has a length between 12 and 32 digits.
  2. When the user clicks the new password input box, the system will automatically generate a strong password according to the specified rules and display the recommended strong password below the input box. The user can choose to use the recommended password or enter a password that meets the requirements by themselves.

(II) Password Saving and Updating Logic

  1. When the user completes filling in the registration information and clicks the registration button, first validate the format of the username, password, etc., to ensure the integrity and correctness of the information.
  2. Encrypt the password, using the encryption API of HarmonyOS Next (such as the hash function) to convert the password into ciphertext form.
  3. Save the encrypted password and username, etc., into the password vault so that they can be automatically filled in when logging in next time. At the same time, send the user information to the server for registration, and the server stores the user's registration information in the database.
  4. When the user modifies the password later, follow a similar process. First, verify the user's identity (such as by entering the old password for verification), then generate a new encrypted password, update the password record in the password vault, and synchronize the updated password information to the server-side database.

V. Password Encryption and Secure Storage

(I) Use of the Application Encryption Feature

  1. After the application development is completed and when preparing to list the application, select the application encryption option in the release settings of the application market. The application market will perform code encryption processing on the listed application to ensure that the code files (.abc files) of the application are in an encrypted state after being installed on the device.
  2. When the application starts, the system kernel will decrypt the encrypted code files as needed. The decrypted plaintext code only exists in the memory and will not be stored on the device, effectively preventing the application from being decompiled and the code from being stolen.

(II) Ensuring the Security of Password Data

  1. Besides application encryption, perform separate encrypted storage of password data in the data layer. Use the secure storage API to store the password in ciphertext form in the local database or file system. When storing the password, combine the user's unique identifier (such as the username or user ID) as part of the encryption key to increase the security of the password and prevent different users' passwords from being cracked simultaneously.
  2. During the password transmission process, use a secure network protocol (such as HTTPS) to ensure that the password is not stolen by a man-in-the-middle during the transmission between the client and the server. Also, implement strict security measures for the password storage on the server side, such as using salted hashing to store the password to increase the difficulty of password cracking.

VI. Optimization and Testing

(I) Performance Optimization Strategies

  1. Reducing Unnecessary Computations and Resource Consumption In the password verification and encryption processes, select efficient algorithms and data structures to avoid repeated computations and memory waste. For example, in password verification, use a hash function to compare passwords instead of directly comparing plaintext passwords to reduce the amount of computation.
  2. Optimizing Interface Rendering Optimize the login and registration interfaces to reduce unnecessary component redrawing and layout calculations. For example, use lazy loading technology to load and display interface elements only when needed, improving the initial loading speed of the interface.
  3. Network Optimization When communicating with the server, reasonably set the timeout time and retry strategy of network requests to reduce the waiting time of users due to network problems. At the same time, optimize the data transmission format to reduce the amount of data and improve the network transmission efficiency.

(II) Security Testing and Vulnerability Repair

  1. Functional Testing Conduct comprehensive testing on functions such as login, registration, and password modification, including normal processes and boundary cases. For example, test the maximum length limit of usernames and passwords, the handling of special characters, the accuracy of password autofill, etc. Ensure that each function can work normally in various situations without any abnormalities or errors.
  2. Security Vulnerability Scanning Use professional security scanning tools to scan the application to check for common security vulnerabilities such as SQL injection, cross-site scripting attacks (XSS), buffer overflow, etc. Repair the vulnerabilities found by the scan in a time, ensuring the security of the application.
  3. Simulating Attack Testing Simulate various attack scenarios such as password brute-force cracking, man-in-the-middle attacks, and malicious software injection to test whether the security protection mechanisms of the application are effective. For example, use a brute-force cracking tool to try to log in to different accounts to check whether the application can detect and prevent the attack, such as limiting the password attempt times and locking the account.
  4. Permission Testing Check whether the application obtains system permissions reasonably and whether there is an excessive acquisition of permissions. Ensure that the password management-related functions obtain the necessary permissions without threatening users' privacy and device security. For example, check whether the application only obtains the permission to read the clipboard when necessary and releases the permission in a timely manner after use.

Through the above practical case, we have demonstrated how to implement the functions of secure login and password management in a HarmonyOS Next social application. From architecture design to function implementation, and then to optimization and testing。In actual development, we can further expand and perfect these functions according to specific needs to meet the increasing security and user experience requirements of social applications.

Top comments (0)