HMS Core │ FIDO Marks a New Era for User Identity Authentication - Huawei Developers

User identity authentication has changed with the times
From passwords, dynamic tokens, USB keys, and SMS verification codes,
To biometric data, such as fingerprints and facial recognition.
Optimal authentication must account for a myriad of factors
Including basic security capabilities, convenience, respect for user privacy, and legal compliance
HUAWEI FIDO provides a comprehensive authentication solution
Taking everything into account
What Is HUAWEI FIDO?
HUAWEI Fast Identity Online (FIDO) provides biometric authentication (BioAuthn) and online identity verification (FIDO2) capabilities, empowering developers to provide users with optimally secure, reliable, and convenient password-free identity verification.
Biometric Authentication (BioAuthn)
BioAuthn supports both 3D facial and fingerprint-based authentication, and uses the system integrity check result as a prerequisite. When a user initiates biometric authentication using BioAuthn on an insecure device, BioAuthn will identify that the device is insecure and abort biometric authentication. BioAuthn also provides a key-based mechanism for verifying the authentication result, ensuring that it is highly reliable.
Online Identity Verification (FIDO2)
FIDO2 provides developers with Android Java APIs that are fully compliant with the FIDO2 specifications. A mobile phone can be used as a FIDO2 client or a FIDO2 authenticator (also called a security key). When a user signs in to your app through another app or browser, they can use the fingerprint recognition hardware as a platform authenticator to complete fingerprint-based sign-in without entering a password. This solution avoids the risks associated with passwords, and related risks such as credential stuffing attacks. When signing in to your app, or completing a payment on a PC, the user's mobile phone can serve as a roaming authenticator, which speeds up the identity authentication process.
Service Scenarios
- Secure sign-in verification
  Users can sign in to the app via fingerprint or facial recognition, without needing to enter a password.
- Identity theft prevention
  Users can complete in-app payments via fingerprint or facial recognition, without needing to enter a payment password; alternatively, the app can add multiple layers of security, so that a payment requires both a password and fingerprint or facial recognition.
- FIDO security key authentication
  Users can also complete identity authentication using available FIDO security keys, over transports such as USB, NFC, and Bluetooth Low Energy (BLE).
- Using a Huawei phone as a FIDO2 security key
  Huawei phones can serve as FIDO security keys, freeing users from needing to carry a separate FIDO security key for an additional device.
How can I Integrate HUAWEI FIDO?
For guidance during the integration process, please refer to the HUAWEI Developers website, where you will find the integration guide and other resources for reference, or you can contact us through [email protected] for further technical assistance.
* HMS Core 4.0 courses produced by HUAWEI Developers are now available on Huawei official channels, including Video Center on HUAWEI Developers and HUAWEI Developer Forum.

HMS Core │ Safety Detect Makes High-level App Security Broadly Accessible

From ride-hailing, navigation and mobile travel
To gaming, streaming, and social media
Mobile apps have become indispensable in daily life
But increased convenience puts sensitive user data at risk
HMS Core Safety Detect offers unique protections
For comprehensive app security with little effort!
What Is Safety Detect?
Safety Detect is an open, multi-dimensional security detection service offered by Huawei that helps developers bolster their apps' security capabilities, based on the Trusted Execution Environment (TEE) on Huawei phones, without compromising user experience.
System Integrity Check (SysIntegrity)
SysIntegrity is capable of checking whether the user device is rooted, unlocked, or escalated for higher permissions, and uses this information to help you determine how and when to restrict your app's behavior to avoid potential leaking of sensitive user information or financial information.
A unique advantage of SysIntegrity is that it is based on the TEE OS, which is built into every Huawei phone running EMUI 9.0 or later. The TEE OS comes with Huawei's in-house microkernel, which has achieved the prestigious CC EAL 5+ certification, and is the first solution of its kind to pass formal verification. Once SysIntegrity is integrated, the TEE OS can isolate apps for bolstered protection, and provide independent privacy-protection services. For example, services with high security requirements, such as payment services, are given the appropriate level of protection in the TEE OS.
App Security Check (AppsCheck)
When your app has integrated AppsCheck, it can obtain a list of malicious apps on the user's device, which provides a strong basis for high-level risk analysis (for risky or virus-infected apps). Your app can then warn users of any risks detected, or prompt them to exit the app. According to the three largest global virus evaluation agencies, AppsCheck can detect malicious apps with a staggering accuracy rate of 99%.
Malicious URL Check (URLCheck)
With URLCheck, your app can determine whether a URL the user visits leads to phishing content or malware. The check strikes a balance between performance and timeliness, and is capable of detecting a wide range of malicious URLs, such as phishing and Trojan-infested URLs. URLCheck is easy to integrate into your app, and provides trusted, operation-free security services, reducing the cost of developing secure browsing features.
Fake User Detection (UserDetect)
Fake user detection is critical for app operations, as fake activity such as game bots, activity bonus hunting, and malicious spamming can give your app a bad reputation. UserDetect can identify spoofed devices based on the device signature and identifier, and identify relevant environmental risks, such as rooting, emulators, VMs, device-change tools, and anonymous IP addresses. It can also recognize fake users based on screen touch and sensor behavior, and help prevent batch registration, credential stuffing attacks, bonus hunting, and content crawlers. These safeguards give your app's users peace of mind.
Many popular apps have integrated Safety Detect, such as the app for the Sputnik media outlet in Russia, APUS, a popular browser in India and Southeast Asia, and 1998 Camera in Vietnam.
How Can I Integrate HUAWEI Safety Detect?
Each of the four functions in Safety Detect has a dedicated API that is easy to integrate. For guidance during the integration process, please refer to the HUAWEI Developers website, where you will find the integration guide and other resources for reference, or you can contact us through [email protected] for further technical assistance.
* HMS Core 4.0 courses produced by HUAWEI Developers are now available on Huawei official channels, including Video Center on HUAWEI Developers and HUAWEI Developer Forum.
Safety Detect - HMS Core Featured Courses

Amazing! 3D facial and fingerprint authentication in 200 lines of code

SingCARD has integrated HUAWEI FIDO easily and efficiently, with just 200 lines of code.
Users can log in to the app with 3D facial and fingerprint authentication.
SingCARD has also integrated HUAWEI Analytics Kit, which helps developers analyze user attributes and behaviors, for product optimization and refined operations.
Want to learn more?
Check this out: https://bit.ly/3eGKIeb
For those who don't know, SingCARD is an Android app that displays the balance and transactions of your EZ-Link and NETS FlashPay cards. You can find it here.

HUAWEI FIDO2 Fingerprint and 3D Facial Sign-in Technology

Overview
Users have come to prioritize data security and privacy issues, in the wake of the full-scale digitalization of society, and have thus placed more stringent requirements on apps. To provide for top-notch security, many apps, in particular finance and payment apps, have incorporated biometric safeguards, such as fingerprint and 3D facial sign-in mechanisms. Fingerprint and 3D facial sign-in methods free users from the considerable hassle associated with repeatedly entering the account number, password, and verification code, delivering enhanced convenience alongside bolstered security.
You might have assumed that fingerprint and 3D sign-in are too costly or time-intensive to integrate into your app, but it’s actually remarkably easy. All you need to do is to integrate HMS Core FIDO into your app, and you'll be good to go!
What Is HMS Core FIDO2?
Fast Identity Online (FIDO) is an identity authentication framework protocol hosted by the FIDO Alliance. The FIDO Alliance, established in July 2012, has grown to encompass 251 members as of May 2019, including many of the leading vendors in the world. FIDO offers two series of technical specifications, UAF and U2F, and the launch of the FIDO 2.0 project represents a new era of enhanced identity authentication. To learn more about the members of the FIDO Alliance, please visit https://fidoalliance.org/members/.
(Image: Select FIDO Alliance Members)
The FIDO specification aims to provide a universal, secure, and convenient technical solution for verifying online users' identities, under a multi-faceted, password-free model. It is applicable to a broad range of scenarios, including sign-in, transfer, and payment, in which the user identity needs to be verified. The FIDO2 specification outlines a powerful, comprehensive and versatile identity verification solution.
FIDO2 has three main application scenarios:
1) Fingerprint and 3D facial sign-in
2) Fingerprint and 3D facial transfer and payment
3) Two-factor authentication
This issue will address the first: fingerprint and 3D facial sign-in. Under this scenario, a user can sign in to an app through fingerprint or 3D facial authentication without entering a password, avoiding such risks as password leakage, and credential stuffing.
Demos
The videos below illustrate in detail how FIDO2 fingerprint and 3D facial sign-in are implemented.
(1) Fingerprint sign-in
(Video 1)
(2) 3D facial sign-in
(Video 2)
How Does HMS Core FIDO2 Work?
The FIDO specification outlines a technical framework for online identity verification. This framework encompasses the app and app server, as well as the FIDO authenticator, FIDO client, and FIDO server.
- FIDO authenticator: A mechanism or device used for local authentication. FIDO authenticators are classified into platform authenticators and roaming authenticators. To end users, authenticators are better known as security keys.
  - Platform authenticator: An authenticator integrated into a FIDO-enabled device, such as one based on the fingerprint recognition hardware in a mobile phone or laptop.
  - Roaming authenticator: An authenticator connected to a FIDO-enabled device over Bluetooth, NFC, or a USB cable, such as a security key shaped like a USB key, or a dynamic token.
- FIDO client: A client integrated into the platform, such as Windows, macOS, or Android with HMS Core (APK), that provides an SDK for apps; or a client integrated into a browser, such as Chrome, Firefox, or Huawei Browser, that provides JavaScript APIs for apps. The FIDO client is the bridge through which the app calls the FIDO server and the FIDO authenticator to complete authentication.
- FIDO server: A server that generates authentication requests compliant with the FIDO specifications. When the app server needs to initiate FIDO authentication, it obtains such a request from the FIDO server. Once the FIDO authenticator has completed local authentication, the FIDO server receives the FIDO authentication response from the app server and verifies it.
There are two major processes associated with the FIDO specification: registration and authentication. With regard to sign-in scenarios, the registration process involves enabling the fingerprint or 3D facial sign-in function, and the authentication process involves completing sign-in via fingerprint or 3D facial authentication.
During registration, the FIDO authenticator will generate a public-private key pair for the user, which is then used as the authentication credential. The private key is stored in the FIDO authenticator, while the public key is stored on the FIDO server. In addition, the FIDO server will associate the user with the authentication credential.
During authentication, the FIDO authenticator will add a signature to the challenge value using the private key, and the FIDO server will verify the signature using the public key. The user is deemed as valid if the signature passes the verification.
Preparations
Before integrating FIDO2, you will need to configure your app information in AppGallery Connect, and set up the Maven repository address and obfuscation scripts. You will also need to add a build dependency on FIDO2. The sample is as follows:
implementation 'com.huawei.hms:fido-fido2:5.0.0.301'
Development
FIDO2 includes two operations: registration and authentication. The processes are similar for the two operations. Key steps and code are shown below:
1. Initialize a Fido2Client instance.
Fido2Client fido2Client = Fido2.getFido2Client(activity);
2. Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Obtain the challenge value and related policy from the FIDO server, and initiate a request. (Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference.)
Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Call Fido2Intent.launchFido2Activity() in the callback to start registration (requestCode: Fido2Client.REGISTRATION_REQUEST) or authentication (requestCode: Fido2Client.AUTHENTICATION_REQUEST). The callback will be executed in the main thread.
fido2Client.getRegistrationIntent(registrationRequest, registrationOptions, new Fido2IntentCallback() {
    @Override
    public void onSuccess(Fido2Intent fido2Intent) {
        // Start the registration UI; the result is delivered to onActivityResult().
        fido2Intent.launchFido2Activity(XXXActivity.this, Fido2Client.REGISTRATION_REQUEST);
    }

    @Override
    public void onFailure(int errorCode, CharSequence errString) {
        // TAG is the app's own log tag (assumed here); android.util.Log.e takes the tag as its first argument.
        Log.e(TAG, "errorCode: " + errorCode + ", errorMsg: " + errString);
    }
});
3. Call Fido2Client.getFido2RegistrationResponse() or Fido2Client.getFido2AuthenticationResponse() in the callback Activity.onActivityResult() to obtain the registration or authentication result.
Fido2RegistrationResponse fido2RegistrationResponse = fido2Client.getFido2RegistrationResponse(data);
4. Send the registration or authentication result to the FIDO server for verification.
(Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference. Relevant code is omitted here.)
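The server-side verification that step 4 leaves to the FIDO server vendor, together with the key-pair and challenge-signing flow described under "How Does HMS Core FIDO2 Work?", can be modelled end to end. The Go program below is an added example written for this page; it is not Huawei's code and does not use the HMS Core FIDO2 API. It assumes ECDSA P-256 as the credential algorithm, a relying-party ID of example.com, a flags byte carrying only the user-present bit, and a simplified clientData string built inline as a constructed stand-in for clientDataJSON; attestation-statement checks at registration and full clientDataJSON parsing are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)
// Credential is all the FIDO server keeps after registration.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32 // highest signature counter accepted so far
}
// Authenticator models the device side; the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register models the registration ceremony: the authenticator creates a P-256
// key pair and the server stores only the public half (attestation checks omitted).
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{PubKey: &priv.PublicKey}, nil
}

// NewChallenge starts each sign-in on the server side: 32 fresh random bytes.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func ClientData(challenge []byte, origin string) []byte { // simplified clientDataJSON (constructed format)
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%s","origin":"%s"}`,
		base64.RawURLEncoding.EncodeToString(challenge), origin))
}

// authenticatorData = rpIdHash (32 bytes) || flags (bit 0: user present) || counter (4 bytes).
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[33:], counter)
	return out
}

// toBeSigned hashes what FIDO2 actually signs: authenticatorData || SHA-256(clientData).
func toBeSigned(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return h[:]
}

// Sign is the authenticator's step, run only after the local fingerprint or
// face check has passed; the signature counter increments on every use.
func (a *Authenticator) Sign(rpID string, clientData []byte) ([]byte, []byte, error) {
	a.counter++
	authData := authenticatorData(rpID, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(authData, clientData))
	return authData, sig, err
}

// Verify is the FIDO server's check, in order: challenge, relying party and
// user presence, counter, and finally the signature against the stored key.
func Verify(cred *Credential, rpID string, challenge, clientData, authData, sig []byte) error {
	want := `"challenge":"` + base64.RawURLEncoding.EncodeToString(challenge) + `"`
	if !bytes.Contains(clientData, []byte(want)) {
		return errors.New("challenge does not match the one issued for this sign-in")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("authenticator data is not a user-present assertion for this relying party")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= cred.Counter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, toBeSigned(authData, clientData), sig) {
		return errors.New("signature does not verify against the registered public key")
	}
	cred.Counter = counter
	return nil
}

func main() {
	auth, cred, _ := Register()
	ch, _ := NewChallenge()
	cd := ClientData(ch, "https://example.com")
	ad, sig, _ := auth.Sign("example.com", cd)
	fmt.Println(Verify(cred, "example.com", ch, cd, ad, sig), "then replay:", Verify(cred, "example.com", ch, cd, ad, sig))
}
```

The order of checks in Verify is the point of the model: the challenge ties the assertion to one sign-in attempt, the rpIdHash ties it to one relying party, the counter rejects a replayed or cloned credential, and only then is the signature checked against the public key stored at registration, which is the only secret-free artefact the server ever holds.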
More
Relevant demos, sample code, and development documents are also available on the HUAWEI Developers website.
GitHub demo and sample code:
https://github.com/HMS-Core/hms-FIDO-demo-java
HUAWEI FIDO2 MOOC video:
https://developer.huawei.com/consumer/en/training/detail/101583008688294169
Development guide:
https://developer.huawei.com/consum...re-Guides-V5/introduction-0000001051069988-V5
API reference:
https://developer.huawei.com/consum...ferences-V5/fido2overview-0000001050176660-V5
Coming Next
The next issue will delve into custom development, authenticator selection policies, and UI customization for FIDO2, with revealing firsthand testimony. Stay tuned!

[HMS Core 6.0 Global Release] HUAWEI Keyring Makes Cross-Device, Cross-App, and Cross-Platform Sign-in Easier than Ever

Keyring is an all-new security kit in HMS Core that is used to store user credentials on their devices, where the credentials can be shared between different apps and versions of an app, creating a seamless sign-in experience between your Android apps, quick apps, and web apps.
Keyring provides you with capabilities that make user credential management a sheer breeze, helping ensure your service continuity, by obtaining, encrypting, storing, authorizing, sharing, querying, accessing, and deleting such credentials, as needed. Keyring also provides your apps with APIs for storing, accessing, and querying user credentials, for effortless credential sharing between multiple apps. It enables the user to sign in to an app by using the credentials from another already signed-in app, for seamless cross-app sign-in.
In addition, Keyring also obtains the user credential sharing relationship between apps, to ensure that you can freely share the user credentials to different platform versions of your app, for example, Android app, quick app, and web app versions, making cross-platform sign-in a viable reality. Thanks to this capability, you'll be able to handle users from different platforms with remarkable ease.
Keyring offers airtight security, easy integration, and broad compatibility. It encrypts user credentials in the TEE, and securely stores the encrypted credentials on the user device itself. You can even define the credential sharing relationship between different apps and different platform versions of an app, so that only authorized apps are able to obtain a set of credentials. You can also enable the mechanism for users to verify their identities via biometric features before they can use the shared credentials, to bolster sign-in security. The industry-leading security capabilities in Keyring can be integrated in just 2 person-days, making it an efficient and cost-effective solution. Better yet, the service is designed to meet the security requirements of a vast range of apps, including shopping, travel, social media, reading, and many other service scenarios.
Keyring resolves longstanding issues related to inefficient credential management and credential security risks. The cross-app credential sharing function in Keyring can entice users to use your apps, and the cross-platform sign-in function streamlines the user conversion path and sign-in process. In the future, Keyring will provide an even greater range of features and HMS Core will open even more capabilities in the security field, to help you craft the best possible user experience.

Two-Factor Authentication Safeguards Account Security

An account acts as an indispensable network access credential for everyone in this digital world. It is associated with a user's digital assets and privacy, and even affects the security of their physical assets.
Ensuring user account security has become a focal challenge for developers. The process at the heart of it is identity verification, which plays an important part in account security.
Account hacking happens all the time and often has bad consequences. A leaked bank account password can lead to significant economic losses. A hacker who breaks into a game account tends to clear out all of the account holder's paid items. On social media, a prankster may steal accounts simply to post offensive comments for fun, without aiming to benefit financially.
Convenient sign-in methods have made signing in to an app easier than ever, but they can also leave user accounts vulnerable to malicious people seeking to cause harm or obtain illegal benefits. A fundamental cause of account hacking is that some authentication methods are overly simple.
In conventional account name plus password login scenarios, once the password is disclosed, the account can be signed in to by anyone. So, how can we cope with this problem?
The answer is two-factor authentication. This authentication method addresses the vulnerabilities during user identity verification and strengthens user account security.
What Is Two-Factor Authentication?
Two-factor authentication, in the form described here, is a scheme built on time synchronization: it replaces the traditional static password with a one-time password generated from the time, an event (a counter), and a key.
More specifically, on top of the account name and password, a further layer of authentication, a dynamic verification code, is added to verify the user's identity and secure sign-in. This method is also called two-step authentication or multi-factor authentication.
The verification code differs on each authentication, because the variables it is generated from change every time. Since the code changes with each use and cannot be predicted, it secures sign-in beyond what basic password authentication alone provides.
Two-factor authentication is applicable to a wide range of scenarios. Generally speaking, this authentication method can be adopted as long as a static password is available.
Nowadays, two-factor authentication is used in many fields, including the U key for online banking and the SMS verification code. Beyond finance, the "account name + password + dynamic password" authentication mode has been adopted by websites and apps in social networking, media, and more, to cut security risks and protect users' digital assets and privacy. The devices and technologies for two-factor authentication are now mature. A two-factor authentication solution consists of three parts: the authentication device (token), the agent software, and the management server.
The authentication agent software functions between terminal users and network resources to be protected. When a user wants to access a resource, the authentication agent software sends the request to the management server for authentication.
To make two-factor authentication workable, the management server that receives and verifies two-factor authentication requests must be highly reliable and secure, support multiple kinds of two-factor authentication device, and integrate easily with the enterprise IT infrastructure, including front-end network devices and service systems, and back-end account systems such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).
For independent developers and small and medium-sized enterprises, two-factor authentication is necessary for ensuring the security and reliability of their data assets. As multiple account systems with two-factor authentication services have been released on the market, you can simply integrate one to free up investment in the R&D of agent software and management servers.
The two-factor authentication function of HMS Core Account Kit has been tested by numerous developers and by the market, and has shown remarkable reliability. In addition, Account Kit reports risks in real time and complies with the General Data Protection Regulation (GDPR), raising the level of account security. Try out the kit for safer and more convenient identity verification!
Learn more about Account Kit:
>> Documentation: overview and development guides of HMS Core on HUAWEI Developers
>> Open source repositories: HMS repositories on GitHub and Gitee
>> Forum: HUAWEI Developer Forum
