FORUMS

Getting Started with Huawei's Safety Detect SDK

1,049 posts
Thanks Meter: 1,125
 
By XDARoni, XDA Community Manager on 12th June 2020, 11:46 PM
Post Reply Email Thread
Today we're going to go through getting started with Huawei's Safety Detect SDK. We'll talk about how to get set up, as well as some basic examples of how to use it.

What is Huawei Safety Detect?
Safety Detect builds robust security capabilities, including system integrity check (SysIntegrity), app security check (AppsCheck), malicious URL check (URLCheck), fake user detection (UserDetect), and malicious Wi-Fi detection (WifiDetect), into your app, effectively protecting it against security threats.

Preparation
First up, make sure you have a Huawei Developer Account. This process can take a couple days, and you'll need one to use this SDK, so be sure to start that as soon as possible. You can sign up at https://developer.huawei.com.

Next, you'll want to obtain the SHA-256 representation of your app's signing key. If you don't have a signing key yet, be sure to create one before continuing. To obtain your signing key's SHA-256, you'll need to use Keytool which is part of the JDK installation. Keytool is a command-line program. If you're on Windows, open CMD. If you're on Linux, open Terminal.
On Windows, you'll need to "cd" into the directory containing the Keytool executable. For example, if you have JDK 1.8 v231 installed, Keytool will be located at the following path:
Code:
Select Code
C:\Program Files\Java\jdk1.8.0_231\bin\
Once you find the directory, "cd" into it:
Code:
Select Code
C: #Make sure you're in the right drive
cd C:\Program Files\Java\jdk1.8.0_231\bin\
Next, you need to find the location of your keystore. Using Android's debug keystore as an example, where the Android SDK is hosted on the "E:" drive in Windows, the path will be as follows:
Code:
Select Code
E:\AndroidSDK\.android\debug.keystore
(Keytool also supports JKS-format keystores.)

Now you're ready to run the command. On Windows, it'll look something like this:
Code:
Select Code
keytool -list -v -keystore E:\AndroidSDK\.android\debug.keystore
On Linux, the command should be similar, just using UNIX-style paths instead.
Enter the keystore password, and the key name (if applicable), and you'll be presented with something similar to the following:


Make note of the SHA256 field.

SDK Setup
Now we're ready to add the Safety Detect SDK to your Android Studio project. Go to your Huawei Developer Console and click the HUAWEI AppGallery tile. Agree to the terms of use if prompted.
Click the "My projects" tile here. If you haven't already added your project to the AppGallery, add it now. You'll be asked for a project name. Make it something descriptive so you know what it's for.


Now, you should be on a screen that looks something like the following:


Click the "Add app" button. Here, you'll need to provide some details about your app, like its name and package name.


Once you click OK, some SDK setup instructions will be displayed. Follow them to get everything added to your project. You'll also need to add the following to the "dependencies" section of your app-level build.gradle file:
Code:
Select Code
implementation 'com.huawei.hms:safetydetect:4.0.3.300'


If you ever need to come back to these instructions, you can always click the "Add SDK" button after "App information" on the "Project setting" page.


Now you should be back on the "Project setting" page. Find the "SHA-256 certificate fingerprint" field under "App information," click the "+" button, and paste your SHA-256.


Now, go to the Manage APIs tab on the "Project setting" page. Scroll down until you find "Safety Detect" and make sure it's enabled.



Now, if you're using obfuscation in your app, you'll need to whitelist a few things for HMS to work properly.
For ProGuard:
Code:
Select Code
-ignorewarnings
-keepattributes *Annotation*
-keepattributes Exceptions
-keepattributes InnerClasses
-keepattributes Signature
-keepattributes SourceFile,LineNumberTable
-keep class com.hianalytics.android.**{*;}
-keep class com.huawei.updatesdk.**{*;}
-keep class com.huawei.hms.**{*;}
For AndResGuard:
Code:
Select Code
"R.string.hms*",
"R.string.agc*",
"R.string.connect_server_fail_prompt_toast",
"R.string.getting_message_fail_prompt_toast",
"R.string.no_available_network_prompt_toast",
"R.string.third_app_*",
"R.string.upsdk_*",
"R.layout.hms*",
"R.layout.upsdk_*",
"R.drawable.upsdk*",
"R.color.upsdk*",
"R.dimen.upsdk*",
"R.style.upsdk*
That's it! The Safety Detect SDK should now be available in your project.

Basic Usage
Now that the SDK is set up, it's time to actually use it. Safety Detect currently has 5 APIs you can use: SysIntegrity, AppsCheck, URLCheck, UserDetect, and WifiDetect.

The first thing you'll want to do when using any of these APIs is to check whether HMS is actually available:
Code:
Select Code
if (HuaweiApiAvailability.getInstance().isHuaweiMobileServicesAvailable(context) == ConnectionResult.SUCCESS) {
    //HMS is available
} else {
    //HMS isn't available. Act accordingly
}
Without HMS, these APIs won't work. Prompt the user to update/install HMS, or simply silently fail, depending on your needs.

SysIntegrity
The SysIntegrity API is similar to Google's SafetyNet. You can use it to check if the current device is insecure (e.g. is rooted). If your app relies heavily on running in a secure environment, you can use this check and refuse to run if it fails.

To use SysIntegrity, you need a few things: a nonce value, your app ID, and an active internet connection. The nonce value should be a secret, needs to be at least 16 bytes long, and can only be used once. It'll be contained in the SysIntegrity check result, so you can verify that the result is genuine.

You can find your app ID under the "App information" section on the "Project Setting" page.

Here's a quick example in Kotlin of how to set up the integrity check request:

Code:
Select Code
 fun checkSysIntegrity() {
    val client = SafetyDetect.getClient(context)

    //Ideally, you'd use a better nonce generation method, either from your own server
    //or some other secure environment.
    val nonce = "NONCE_${System.currentTimeMillis()}".toByteArray()

    //You can find your APP_ID under "App information" in your project's settings on the AppGallery Developer Console.
    val task = client.sysIntegrity(nonce, "APP_ID")
    task.addOnSuccessListener {
        val result = it.result

        //Process the result. It will be in the JWS (JSON Web Signature) format, containing a header, payload, and signature.
        //The header contains a certificate chain that should be verified against the HUAWEI CGB Root CA.
        //Make sure the domain name of the leaf certificate in the certificate chain is `sysintegrity.platform.hicloud.com`.
        //Verify the signature.
        //Next, check the payload for the nonce and result. The payload format is something like the following:
        /*
        {
            "advice":"RESTORE_TO_FACTORY_ROM",
            "apkCertificateDigestSha256":[
                "yT5JtXRgeIgXssx1gQTsMA9GzM9ER4xAgCsCC69Fz3I="
            ],
            "apkDigestSha256":"6Ihk8Wcv1MLm0O5KUCEVYCI/0KWzAHn9DyN38R3WYu8=",
            "apkPackageName":"com.huawei.hms.safetydetectsample",
            "basicIntegrity":false,
            "nonce":"R2Rra24fVm5xa2Mg",
            "timestampMs":1571708929141
        }
         */
        //If basicIntegrity is false, then the check failed and you should handle it appropriately.
        //You can use the following library to parse the JWS string: https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt
    }
    task.addOnFailureListener {
        //The request failed. If `it is ApiException`, you might be able to get more details about why the failure occurred.
        //Note that this doesn't imply that the device has failed an integrity check. It merely means the check itself has failed.
        //You can choose to retry, or simply ignore the error.
    }
}
Put that code in a helper Class, and call it as needed. It is an asynchronous API, so make sure you account for that.

AppsCheck
The functionality of AppsCheck is pretty simple. It'll return a list of apps installed on the current device that are potentially malicious. You can use the result to decide on whether or not you want to restrict features, or prevent your app from running.

To get you up and running, a basic example is provided below. You can use it as the base for your implementation.

Code:
Select Code
fun checkApps() {
    val client = SafetyDetect.getClient(context)
    val task = client.maliciousAppsList

    task.addOnSuccessListener {
        if (it.rtnCode == CommonCode.OK) {
            //The request truly succeeded
           
            //An ArrayList<MaliciousAppsData>
            val apps = it.maliciousAppsList

            if (apps.isEmpty()) {
                //No malicious apps were found
            } else {
                //HMS found at least one potentially malicious app
                apps.forEach {
                    //The package name of the potentially malicious app
                    val packageName = it.apkPackageName

                    //The SHA-256 of the potentially malicious app
                    val sha256 = it.apkSha256

                    //The category of the potentially malicious app
                    //Constants are defined in the AppsCheckConstants class
                    //Currently, this can return either VIRUS_LEVEL_RISK (1)
                    //or VIRUS_LEVEL_VIRUS (2)
                    val category = it.apkCategory
                }
            }
        } else {
            //Something went wrong with the request
            //Use `it.getErrorReason()` to see why
        }
    }
    task.addOnFailureListener {
        //A communication error occurred.
        //If `it is ApiException`, you may be able to get more details about why
        //the failure occurred.
    }
}
URLCheck
If your app allows users to visit URLs you aren't able to verify (forum app, social media app, etc), URLCheck can help you screen links that users click. If the URL is detected as malicious, you can prompt the user.

If you want to implement this for yourself, start with the example code below:

Code:
Select Code
fun checkUrl(url: String) {
    val client = SafetyDetect.getClient(context)

    //Ensure the URLCheck API is initialized
    val initTask = client.initUrlCheck()
    initTask.addOnSuccessListener {
        //Initialization was successful.
       
        //Make sure to remove any query parameters from the URL before checking it.
        //For example, if the full URL is https://google.com/home?someKey=true, you need to pass
        //https://google.com/home.
        //...
        //UrlCheckThreat can either be MALWARE or PHISHING.
        //Each category is fairly self-explanatory.
        //The threat argument is a vararg, so you can pass one or both.
        //...
        //You can find your APP_ID under "App information" in your project's settings on the AppGallery Developer Console.
        val task = client.urlCheck(url, "APP_ID", UrlCheckThreat.MALWARE, UrlCheckThreat.PHISHING)

        task.addOnSuccessListener {
            //API call succeeded.

            if (it.urlCheckResponse.isEmpty()) {
                //URL is safe, continue
            } else {
                //URL matches either MALWARE or PHISHING category or both. Notify user or refuse to visit
                //as is appropriate.

                //Get the first threat type. Will match one of the UrlCheckThreat values you pass to
                //the urlCheck() method.
                val type = it.urlCheckResponse[0].urlCheckResult
            }
        }

        task.addOnFailureListener {
            //A communication error occurred.
            //If `it is ApiException`, you may be able to get more details about why
            //the failure occurred.
        }
    }
    initTask.addOnFailureListener {
        //Initialization failed.
    }
}
UserDetect
UserDetect is essentially a realtime Captcha service. If there are parts of your app that you don't want to be used by bots (i.e. a clicker game), you can trigger a detection request to determine if the user is a bot or a person.

This one is a bit more complicated to implement, as it requires that you use HMS' cloud API to make the final request (i.e. a web server).

An example implementation in Kotlin is shown below:

Code:
Select Code
fun checkUser() {
    val client = SafetyDetect.getClient(context)

    val initTask = client.initUserDetect()
    initTask.addOnSuccessListener {
        //Initialization was successful

        //You can find your APP_ID under "App information" in your project's settings on the AppGallery Developer Console.
        val task = client.userDetection("APP_ID")
        task.addOnSuccessListener {
            val responseToken = it.responseToken

            if (responseToken.isNotEmpty()) {
                //Pass this token to your server, and have it call HMS' cloud API to do the actual verification.
            }
        }
        task.addOnFailureListener {
            //A communication error occurred.
            //If `it is ApiException`, you may be able to get more details about why
            //the failure occurred.
        }
    }
    initTask.addOnFailureListener {
        //Initialization failed.
    }
}


WifiDetect
If your app relies on a secure WiFi connection, this API may be helpful to you. You can use it to check whether the user's WiFI connection is actually secure.

Here's a quick example stub in Kotlin:

Code:
Select Code
fun checkWifi() {
    val client = SafetyDetect.getClient(context)

    val task = client.wifiDetectStatus
    task.addOnSuccessListener {
        //The status will either be 0, 1, or 2, depending on the WiFi network state.
        //0 means WiFi is disconnected.
        //1 means WiFi is secure.
        //2 means WiFi is insecure.
        val status = it.wifiDetectStatus
    }
    task.addOnFailureListener {
        //A communication error occurred.
        //If `it is ApiException`, you may be able to get more details about why
        //the failure occurred.
    }
}
Conclusion
That's all for the SafetyDetect SDK! If you're using HMS, or you're planning to use HMS, and you want to make sure your app is properly secured, the various included APIs are sure to be helpful.

You can find more details, including the full API reference for the Safety Detect SDK, on Huawei's developer website.
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes