HUAWEI Safety Detect: Ensuring device system integrity for enhanced mobile app security using SysIntegrity API

Opportunity

As more people depend on apps for online banking, electronic commerce, instant messaging, and business-related functions, guarding against security threats becomes an utmost importance from both the developers’ perspective and app users’ perspective. Developers pay thorough attention to app development with the intention of providing their end users with a secure app and best- in-class app usage experience. To ensure app security and best-in-class app usage experience, system integrity of the device running the app must also be ensured.

What is SysIntegrity API of HUAWEI Safety Detect?

HUAWEI Safety Detect builds robust security capabilities into your app to effectively protect it against security threats. One of these capabilities is system integrity check, which checks whether the device running your app is secure. This capability is enabled by the SysIntegrity API, which performs dynamic system integrity evaluation in the secure boot process in a Trusted Execution Environment (TEE). The system integrity evaluation result is signed by the TSMS server using the X.509 digital certificate.

Screenshot from Huawei Developers, Make your apps secure with HUAWEI Safety Detect (0:40), depicting the evaluation of the device system to detect whether it is rooted and unlocked, and to spot privilege escalation

How to use the SysIntegrity API of HUAWEI Safety Detect?

To use the SysIntegrity API, the correct version of HMS Core must be installed on the user’s device. The isHuaweiMobileServicesAvailable() method could be called to check on whether the HMS Core version is compatible with the Safety Detect SDK version.

The app user must be asked to update the HMS version if the installed version is not compatible with the Android SDK version to ensure proper app operation.

To call the SysIntegrity API of Safety Detect

1. Obtain a nonce value.

The nonce value will be used to determine whether the returned result corresponds to the request and did not encounter any replay attacks. The nonce value must contain a minimum of 16 bytes and is intended to be used only once.

2. Request for the SysIntegrity API using the nonce value and the appId as input parameters.

3. Verify the check result on your server.

a. Parse the JSON Web Signature format result to get a header, payload, and signature.

b. Get a certificate chain from the obtained header and verify it using the HUAWEI CBG Root CA certificate.

c. Confirm whether the domain name of the leaf certificate in the certificate chain is sysintegrity.platform.hicloud.com.

d. Verify the signature obtained from the signature.

e. Get the integrity verification result from the obtained payload.

Refer to the following format and example:

Developers can decide on whether to remind users of the risks based on their security requirements if the value of basicIntegrity is false in the check result.

The Benefits

To the developer

Developers could improve the security of their apps by also checking the system integrity of the device running their app, thus increasing app credibility.

To the end users

End users are empowered to evaluate security risks and take appropriate measures by being aware of device vulnerabilities.

Learn More

To know more information on how to maximize the features and advantages of HUAWEI Safety Detect, go to https://developer.huawei.com/consumer/en/hms/huawei-safetydetectkit.

Work cited

HUAWEI Developers. (2020, March 4). Make your apps secure with HUAWEI Safety Detect [Video File], YouTube. Retrieved from https://youtu.be/WFbM63JkvzA.