Оффлайн
- Регистрация
- 1 Мар 2015
- Сообщения
- 1,481
- Баллы
- 155
Hello~ I am Xiao L, the female programmer who is looking for bugs in the code pile.Recently, I was addicted to researching the security mechanism of HarmonyOS Next. The more I dug, the more I felt that this system was wrapped in three layers of bulletproof vests on the data. Today I will show you how Hongmeng engraved the "sense of security" into the code~ (Warm reminder: This article is based on the latest Hongmeng version. If there are technical memes that make you feel cold, I will lose~)
Chapter 1: The "Four Beams and Eight Pillars" of the Safe Castle
1. "Anti-thief package" from chips to applications
The security architecture of HarmonyOS Next is like building a castle, from the foundation to the roof, it exudes the stubbornness of "don't think of breaking me":
Let me give you a heart-wrenching example: if your health code data is stolen by a hacker, you can forge a "mobile source of infection" in minutes; if the company's financial reports are leaked, the stock price can fall into an electrocardiogram.HarmonyOS Next's security system is like hiring a "special force" for the digital world, which not only protects user privacy and wallets, but also allows smart devices to connect to the Internet with confidence - after all, no one wants the smart speakers at home to suddenly become "eavesdroppers", right?
Chapter 2: "Hardcore Operation" of Security Technology
1. Permission management: The user is the "tendant"
import crypto from '@ohos.crypto';
// Encryption function: data becomes "garbled"
async function: wear a vest for data (data: string, key: string): Promise<string> {
try {
const encryption machine = crypto.createCipher('AES/CBC/PKCS7Padding', key);
const encryption fragment = encryption machine.update(data);
const full ciphertext = Buffer.concat([encryption fragment, encryption machine.final()]);
return full ciphertext.toString('base64'); // wrap another layer of base64 "disguise"
} catch (error) {
console.error('encryption overturns:' + error.message);
return '';
}
}
// Decryption function: garbled code becomes "human words"
async function removes the vest for data (encrypted data: string, key: string): Promise<string> {
try {
const nude ciphertext = Buffer.from(encrypted data, 'base64'); // First tear the base64 disguise
const decryptor = crypto.createDecipher('AES/CBC/PKCS7Padding', key);
const decryption fragment = decryption machine.update(nude ciphertext);
const raw data = Buffer.concat([Decryption fragment, decryption machine.final()]).toString();
return the original data;
} catch (error) {
console.error('Decryption overturns:' + error.message);
return '';
}
}
// Test: See if the vest is firm
async function to test whether encryption is reliable () {
const little secret = 'Work overtime tonight to change your needs';
const Master Key = 'abc123!@#'; // Don't be so casual in the real scene!
const encrypted ciphertext = await wears a vest for the data (little secret, master key);
console.log('encrypted:', encrypted ciphertext); // "Mars text" that looks like garbled
const The truth after decryption = await to remove the data from the vest (encrypted ciphertext, master key);
console.log('Decrypted:', the decrypted truth); // It should be able to turn back to "overtime work to change the need"... right?
}
Remember to be careful when running this code - if the key is lost, the data will become a "sense", which is harder to retrieve than the programmer's hairline~
Chapter 3: Security Practical Battle: "Anti-theft Diary" of the Bank APP
1. The "triple anti-theft door" of online banking
When studying the security mechanism of HarmonyOS Next, I always have the illusion of "code protecting the world" - every permission pop-up window and every encryption code are building a wall for the user's digital life.Of course, no matter how powerful the system is, it requires developers to "according to the rules", just like a strong castle, someone has to patrol regularly~ Next time I will tell you about Hongmeng's performance optimization skills, and by the way, "How to make the code run faster than the product manager's mouth", remember to squat!?
(Please indicate the source and original author Xiao L when reprinting. Violators... Hackers can't find your encrypted data, are you afraid?)
Chapter 1: The "Four Beams and Eight Pillars" of the Safe Castle
1. "Anti-thief package" from chips to applications
The security architecture of HarmonyOS Next is like building a castle, from the foundation to the roof, it exudes the stubbornness of "don't think of breaking me":
- Hardware layer: Put a "safe" on the data The TEE trusted execution environment jointly created with chip manufacturers is a "underground vault" of data.For example, the fingerprint information is only quietly verified in TEE from the moment someone disassembles the device into parts, but it cannot be pried open this "treasury".This is like your bank card password, which is only secretly compared in the ATM, and the camera outside cannot be photographed no matter how high-definition it is.
- Kernel layer: "Isolation Guardrail" in the memory world The kernel uses memory isolation technology to lock each process in a "independent black room". Want to steal data across the house?There is no door!Just like the security inspector at the morning rush hour of the subway, you will never let you get into other people's carriages without tickets.In addition to the permission management "Access Control System", any process can touch any resource, and you must first display the "working certificate" (authorization).
- System service layer: 24-hour "security company" Identity authentication service is like access control with facial recognition, and the "triple level" of password + fingerprint + verification code. Even hackers want to turn around after seeing it.Encryption services are even more amazing. When data is transmitted, they are wrapped in "encrypted express packaging". Even if the express is intercepted halfway, they can only see a bunch of garbled codes - comparable to the secret codes in spy war movies.
- Application layer: Developer's "safety job" The "permission homework book" sent to developers is clearly clear: Want to get the user address book?First write clearly "why do you need" and "how to use it", and then you can start writing after the user has approved it.Just like when I was a child, I asked my parents for pocket money, so I had to report the purpose first, otherwise I would not be able to talk about it~
Let me give you a heart-wrenching example: if your health code data is stolen by a hacker, you can forge a "mobile source of infection" in minutes; if the company's financial reports are leaked, the stock price can fall into an electrocardiogram.HarmonyOS Next's security system is like hiring a "special force" for the digital world, which not only protects user privacy and wallets, but also allows smart devices to connect to the Internet with confidence - after all, no one wants the smart speakers at home to suddenly become "eavesdroppers", right?
Chapter 2: "Hardcore Operation" of Security Technology
1. Permission management: The user is the "tendant"
- Permissions "Level Examination" Ordinary permissions (such as WiFi) are like "open-book exams", and the system directly approves; sensitive permissions (such as reading text messages) must be "closed-book exams" - a dialog box pops up to "report" with the user: "I am a camera application, I want to take your beautiful selfie, do you agree?" The user nodded before starting work, and never do the "death first and then play".
- Permission "Repentance Medicine" Users can "deduct points" to the application in the settings at any time: I agreed to read the address book yesterday, but today I found that it secretly transmitted data?Turn off permissions with one click!The application must be adapted properly. For example, after the map application is refused to be located, it can only prompt "Please enable positioning" in shame, and you cannot go on strike~
- Encryption algorithm "Selecting Concubine"
- AES symmetric encryption: It is suitable for storing passwords such as "large amounts and fullness" data, just like locking a safe with the same key, unboxing quickly, accurately and ruthlessly.
- RSA Asymmetric Encryption: Only the private key can be disassembled when transmitting keys. It is comparable to the ancient "tiger talisman tuner" and is indispensable. For example, if you send an encrypted message to your best friend, first use AES to encrypt the content, then use her public key to encrypt the AES key. After receiving it, she uses the private key to disassemble the key, and then use the key to open the content - even if the hacker intercepts the express delivery, he can only stare at the two layers of passwords.
- Code practice: Wear "invisible clothing" on data
import crypto from '@ohos.crypto';
// Encryption function: data becomes "garbled"
async function: wear a vest for data (data: string, key: string): Promise<string> {
try {
const encryption machine = crypto.createCipher('AES/CBC/PKCS7Padding', key);
const encryption fragment = encryption machine.update(data);
const full ciphertext = Buffer.concat([encryption fragment, encryption machine.final()]);
return full ciphertext.toString('base64'); // wrap another layer of base64 "disguise"
} catch (error) {
console.error('encryption overturns:' + error.message);
return '';
}
}
// Decryption function: garbled code becomes "human words"
async function removes the vest for data (encrypted data: string, key: string): Promise<string> {
try {
const nude ciphertext = Buffer.from(encrypted data, 'base64'); // First tear the base64 disguise
const decryptor = crypto.createDecipher('AES/CBC/PKCS7Padding', key);
const decryption fragment = decryption machine.update(nude ciphertext);
const raw data = Buffer.concat([Decryption fragment, decryption machine.final()]).toString();
return the original data;
} catch (error) {
console.error('Decryption overturns:' + error.message);
return '';
}
}
// Test: See if the vest is firm
async function to test whether encryption is reliable () {
const little secret = 'Work overtime tonight to change your needs';
const Master Key = 'abc123!@#'; // Don't be so casual in the real scene!
const encrypted ciphertext = await wears a vest for the data (little secret, master key);
console.log('encrypted:', encrypted ciphertext); // "Mars text" that looks like garbled
const The truth after decryption = await to remove the data from the vest (encrypted ciphertext, master key);
console.log('Decrypted:', the decrypted truth); // It should be able to turn back to "overtime work to change the need"... right?
}
Remember to be careful when running this code - if the key is lost, the data will become a "sense", which is harder to retrieve than the programmer's hairline~
Chapter 3: Security Practical Battle: "Anti-theft Diary" of the Bank APP
1. The "triple anti-theft door" of online banking
- ** "Scan the face to check the post" first when entering the door** In addition to entering the password when logging in, you also have to "scan the fingerprint + receive the SMS verification code", which is as strict as passing the customs.It is even more absolute when transferring money. You must enter your payment password again to prevent someone from secretly operating while you are drinking water - it is more stringent than your mother checking your salary card balance.
- Data transmission by "wearing explosion-proof clothing" When communicating with the bank server, the entire process is encrypted with SSL/TLS, and the data is like sitting in a "lead carriage", and the hacker's "signal detector" cannot penetrate at all.The card number information stored locally is also buried in the "data cellar" with AES encryption. Even if the mobile phone is stolen, the thief can only dig up a bunch of garbled codes.
- Vulnerability "Sweeping Robot" Use the security scanning tool to scan the code three times a week to find potential loopholes like finding hair.As soon as the system is updated, follow up and adapt immediately - after all, hackers do not take holidays, and programmers cannot lie down.
- AI is a "monitoring security guard" In the future, the system may have a "AI security guard" and stare at your operation record every day: suddenly transfer 5 million to an unfamiliar account at 3 a.m.?AI directly locks the account + sends an alarm, which is faster than your partner discovers that you hide your private money~
- Quantum encryption "Ultimate Shield" Quantum encryption is like putting a "quantum lock" on data, using photons to transmit keys. As long as someone dares to peek, the photons will "detonate" and call the alarm - at that time, hackers may have to learn quantum physics first to destroy it, and it will be a big deal to think about it~
- Privacy "Drag" Data anonymization will make your information "disguised": the age shows "20-30 years old", and the address becomes "a certain district and a certain street", which will not delay application analysis needs, but also make hackers unable to recognize who you are - it can be called the "disguise" in the data world.
When studying the security mechanism of HarmonyOS Next, I always have the illusion of "code protecting the world" - every permission pop-up window and every encryption code are building a wall for the user's digital life.Of course, no matter how powerful the system is, it requires developers to "according to the rules", just like a strong castle, someone has to patrol regularly~ Next time I will tell you about Hongmeng's performance optimization skills, and by the way, "How to make the code run faster than the product manager's mouth", remember to squat!?
(Please indicate the source and original author Xiao L when reprinting. Violators... Hackers can't find your encrypted data, are you afraid?)