20.04, 22:00–22:45 (Europe/Vienna), EI 7
This talk describes the reversing process of the Huawei Health app. In this context, the proprietary BLE Huawei Link Protocol v2 will be disclosed, which allows the use of the Huawei fitness devices without the Health App and its accompanying ecosystem.
Fitness wristbands and watches, so-called fitness trackers are constantly gaining in popularity. They can record a variety of private data (e.g. pulse, steps, calorie consumption, sports activity), which may also be of interest to other individuals. By now, the first insurance companies are already offering superior rates for providing them with the captured fitness data. Due to the great demand, it is not surprising that many well-known manufacturers offer fitness trackers. With the Huawei Band 3 Pro, the Huawei Watch GT and the Honor Band 4 (Honor is a sub-brand of Huawei), Huawei also sells a wide range of varying trackers. All these trackers are controlled with the Huawei Health App, which is available for both Android and iOS.
Huawei is using Bluetooth Low Energy (BLE) for the communication between smart phones and the addressed fitness devices. Built upon BLE, the proprietary protocol Huawei Link Protocol v2 is used. Since the protocol is not documented and partially encrypted, breaking out of the Huawei ecosystem is not simple. Until now, users have been bound to the Huawei Health App and its corresponding cloud environment and had to accept that their data is uploaded to Chinese servers.
During this talk the following, generally applicable methods for reverse engineering of Android applications are discussed:
- Different methods to extract the app from the smart phone
- Static analysis and deobfuscation of complex multidex applications (the Huawei Health App comprises over 13.000 classes and far over 64K methods) with Jadx [1] and Android Studio [2]
- Dynamic analysis and instrumentation with Frida [3] to intercept the Bluetooth communication and to circumvent the code signing protection
Furthermore, the subsequent results concerning the Huawei Health App and the Huawei Link Protocol v2 will be presented:
- The structure of the Huawei Link Protocol v2, including the handshake and cryptographic authentication between fitness tracker and smart phone
- The readout of the fitness data stored (beside the cloud) on the smart phone in an encrypted local SQLite database (SQLite Encryption Extension), including the retrievement of the encryption key
[1] https://github.com/skylot/jadx
[2] https://developer.android.com/studio/
[3] https://www.frida.re/
Christian Kudera is security analyst and researcher at SBA Research. He received an M.Sc. in Hardware and Software Security from TU Wien. Currently he is working towards his Ph.D. with the focus on IoT and embedded systems security. He has more than six years of experience as a security analyst in the areas of hardware and software security. He teaches multiple courses at TU Wien (Internet Security, Advanced Internet Security), and at Universities of Applied Sciences (Rosenheim University of Applied Sciences, University of Applied Sciences Campus Vienna, St. Pölten University of Applied Sciences). Since 2016, he has been actively involved in a number of international and national research projects such as AnyPLACE and SG2, during which he focused on the security of embedded systems in the domain of smart metering and smart grids, respectively.