On the afternoon of September 11, the security and privacy sub-forum of the Huawei Developer Conference was held in Songshan Lake. Liu Deqian, senior security technology expert of the Huawei Consumer Business Cloud Service Department, gave a detailed analysis of the HMS security architecture and data protection. He walked through the end-to-end security mechanism of HMS Core, from developer access to service processing, and also listed the security and data protection technologies of typical HMS distribution capabilities, leaving a strong impression on the audience.
Liu Deqian explained that developers go through three steps to access the HMS Core open capabilities: register on the Developer Alliance portal; apply for access and obtain an authentication certificate; integrate the HMS SDK (HMS software development kit) to use the open capabilities, with HMS performing access authentication on each call.
Among them, the five major security technology pillars are as follows:
Authentication: user authentication, access authentication and device authentication;
Data security and privacy protection: secure data storage, data use security, data transmission security, key management, privacy protection;
Content protection: copyright protection, digital watermarking, anti-hotlinking;
Application security: four-fold detection, download and installation guarantee, operation protection mechanism;
Business risk control: account risk control, transaction risk control, content risk control, advertising anti-cheating.
HMS Core access authentication
He pointed out that the security guarantee for HMS Core access authentication consists of three measures: authentication credentials, access constraints and authority control. When developers access the HMS Core open capabilities, they first create authentication credentials on the Developer Alliance website, and their applications then carry those credentials when calling the HMS open capabilities. The credentials currently supported are the API key, the OAuth 2.0 client ID and the service account key. These credentials are generated from a secure random number source and are stored on the server encrypted with the AES-GCM algorithm, so that a leak of the stored record does not disclose the authentication credentials.
In addition to the security measures at the developer level, Liu added that at the application market level HMS Core implements a four-fold detection, download and installation guarantee, and operation protection mechanism.
Data protection in several typical HMS Core open capabilities
In terms of account security, Account Kit provides secure and convenient login capabilities for applications, for example the now-mainstream FIDO password-free authentication login, to ensure the security of account data. Beyond integrating FIDO Kit, the Huawei account service has set up an active risk control monitoring mechanism for login, password reset and other steps to prevent account takeover. In addition, risk identification methods such as abnormal-operation detection are combined with expert rules and machine learning to identify fake accounts and prevent spam registration. In this way, the Huawei terminal cloud risk control platform can identify risks quickly and accurately, protecting the legitimate rights and interests of users.
Liu then took PKI (public key infrastructure) based fingerprint and face payment, together with liveness detection for transaction payment, as examples of stronger risk control measures, and explained how IAP Kit provides a secure and convenient in-app payment service. Under the PKI system, online payment is more secure, and the keys and certificates involved are managed effectively to establish a secure network environment for customers.
Another example is the push service that is common in daily life. Push Kit is based on push token access authentication: the app is assigned a unique token on each device, push messages are encrypted and cached, and sensitive information is audited automatically, which makes the cross-platform push service more accurate and reliable. In terms of transmission security, Liu Deqian explained that push messages are encrypted with a session key, supplemented by integrity protection for subscription messages, which makes information transmission more secure.
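The two mechanisms above, a credential generated from a secure random source and stored encrypted with AES-GCM (the access authentication section) and a push message encrypted under a session key with integrity protection, both reduce to one authenticated-encryption primitive. The following Go program is an added illustration and is not HMS Core's or Huawei's code; the Vault type, the "developer:demo" owner label and the use of the owner id as GCM associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RandomBytes is the CSPRNG source for credentials, keys and nonces.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never fall back to weak randomness
	}
	return b
}

// NewCredential formats 32 random bytes (256 bits) as a hex API-key style secret.
func NewCredential() string { return fmt.Sprintf("%x", RandomBytes(32)) }

// Vault holds an AES-256-GCM key (production: in a KMS/HSM); aad binds a record to its owner.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return &Vault{g}, nil
}

// Seal prefixes a fresh random nonce; a nonce must never repeat under one key.
func (v *Vault) Seal(plaintext, aad []byte) []byte {
	nonce := RandomBytes(v.aead.NonceSize())
	return v.aead.Seal(nonce, nonce, plaintext, aad)
}

// Open fails on any change to ciphertext, nonce, tag or aad.
func (v *Vault) Open(sealed, aad []byte) ([]byte, error) {
	if n := v.aead.NonceSize(); len(sealed) >= n {
		return v.aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("truncated record")
}

func main() {
	v, _ := NewVault(RandomBytes(32)) // constructed demo key (hypothetical)
	fmt.Printf("%x\n", v.Seal([]byte(NewCredential()), []byte("developer:demo")))
}
```

Opening the record with a different associated-data string, a flipped byte or a truncated blob returns an error instead of plaintext, which is the integrity property an unauthenticated mode such as CBC would not give.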
Every detail: the whole process of security and privacy quality assurance
We're in action: Silverneedle Lab
Finally, Liu Deqian introduced the Guardian Plan that HMS is currently implementing. To face attacks from external blue armies (in Chinese usage, the blue army is the attacking side), HMS has built its own blue army, Silverneedle Lab, which focuses on preventing external attacks. Not long ago, Silverneedle Lab held a salon on attack, defense and penetration testing in Songshan Lake, bringing together 60 front-line security researchers with rich attack and defense experience to discuss hot topics such as penetration tools, biometrics, OAuth 2 and HMS security attack and defense.
In addition to building its own blue army, HMS also cooperates with NCC, a well-known security company in the industry, to conduct security testing. The current first phase is HMS safety public testing.
In the second phase (January to August 2020), HMS Core is undergoing a European special test: professional services were purchased from NCC, a European security vendor, to conduct a special online penetration test of HMS Core. This round covers all 24 kits currently in production, and the phase-one penetration testing of 11 kits has been completed.
The third phase, currently being planned, is the HMS Security Challenge, which invites application developers and security researchers around the world to carry out penetration testing of HMS products and compete with one another. A million prize pool is set up to reward high-value vulnerabilities found in the competition, with a maximum reward of 420,000 for a single vulnerability.
In short, HMS Core has never stopped its work on security assurance and testing. As HMS Core functions are constantly updated and improved, the importance of strict HMS security work in the future global market is self-evident. With more investment in testers and development, the HMS Core security system will become more complete.