●

consumers, and listen to their feedback and suggestions on privacy and security

server, and then delivers a balance return instruction.

All data transmitted on networks, including data between a mobile device and server,

is transmitted through a secure transmission channel to ensure data security. In

addition, integrity check is performed on app downloads to ensure that information on

the network connection between a mobile device and server is not stolen or

●

To minimize the impact of attacks on the cloud, security zones and service isolation

are implemented based on the security zone division principles and proven practices

within the industry. Physical and logical isolation is achieved by dividing a data center

into multiple security zones based on service functions and network security risks,

improving the network's self-protection and fault tolerance capabilities against

intrusions.

●

●

●

In addition to horizontal network divisions based on attack surfaces, security groups

are vertically divided based on apps. Each security group uses an independent VLAN

The host OS is minimized and services are security-hardened to safeguard the

system. In addition, an IDS is deployed to detect possible intrusions.

Web apps and underlying systems utilize the distributed data sampling and

centralized analysis & protection model to match intrusion rules for warning and

protection. The provided functions include host protection, Trojan horse detection,

account security detection, tracing & query, intrusion forensics tracing, software

fingerprint collection, policy management, user-defined policy, trustlist, script delivery,

upgrade service, and policy library.

Standard images, which are created by professional teams and released after strict

tests, are deployed for services, including the OS and installed software. These

images consist of the basic OS and hardened initialization components. In addition,

The host-based intrusion prevention system (HIPS) is deployed on hosts to detect

attacks, including abnormal shell, rootkit, web shell, and account privilege escalation,

in real time.

In addition to ingress defense, a data-centric and multi-layer in-depth security

defense system is established based on the IDS.

●

●

●

●

system supports various threat analysis models and algorithms, as well as accurately

identifies attacks, including common brute force cracking, port scanning, zombies,

web attacks, unauthorized web access, and APT attacks. In addition, the system

analyzes potential risks and provides warnings based on threat intelligence.

In a zero trust network environment, apps can access the system only after being

authenticated. The system continuously authenticates apps and performs dynamic

access control. The zero trust architecture senses the runtime environment in real

time and promptly makes decisions and handles issues when detecting any

exception.

With technical support from the Huawei Product Security Incident Response Team

(PSIRT), HMS has built a comprehensive vulnerability management system that

provides vulnerability collection, vulnerability handling, and vulnerability information

collaboration. Comprehensive research on system vulnerabilities, virtualization-layer

vulnerabilities, and application-layer vulnerabilities is conducted to generate rapid

mainstream OSs and middleware to promptly update patches. In addition, we

prioritize the OS security policy configuration to ensure proper allocation of system

permissions, disable unnecessary services and protocol ports, and properly manage

system accounts. Furthermore, check tools are used to periodically scan system

vulnerabilities, and OS security risks are promptly assessed and rectified.

threats more conveniently, respond to vulnerabilities more directly and efficiently, and

mitigate security threats, HMS provides an online method of submitting

vulnerabilities. You can contact us via PSI[email protected].

We adhere to the principle of responsible disclosure to safeguard users' data. With

regard to vulnerabilities, we will promptly push workarounds and fixes to end users

under the condition that greater attack risks will not be caused by proactive

disclosure.

To audit suspicious operations, a centralized and comprehensive log audit system is

implemented. The system aggregates the operation logs of physical devices,

networks, platforms, apps, databases, and security systems to ensure that risky

HUAWEI Mobile Cloud is an HMS app for storing user data, including photos, videos,

contacts, in a secure manner. It also automatically synchronizes the data on devices

that are signed in with the same HUAWEI ID. All data synchronized and backed up in

HUAWEI Mobile Cloud is encrypted during transmission and before being stored on a

2. The KMS generates a key for each user, and the app can only obtain the key of

4. The key used for encrypting data is encrypted using the user key before being

countries and regions. Without the need to change SIM cards, users can access the

Internet anytime and anywhere by simply purchasing and enabling a destination

package. With underlying chip technologies developed for years, SkyTone can

automatically authenticate device identities and download soft SIM card data

securely, delivering high-speed Internet access to users.

SkyTone encrypts and stores personal information to be cached on mobile phones,

and stores sensitive service data (such as SkyTone package traffic information) in

the TEE to provide chip-level data security protection.

Certain SkyTone services involve collaboration with third-party platforms. To redirect

to a third-party HTML page, the system performs trustlist-based control on third-party

regarding the device's location before the user signs in to HUAWEI ID and gives

consent.

When Find Device is enabled, users can locate their devices and play ringtones at

maximum volume levels. Users can also remotely lock their devices and enter screen

lock information. After screen lock information is set, it is displayed on the device.

The lock function enables the device to enter the lock screen state and automatically

report location data to the server. All location data is encrypted, and only records

from within a 24-hour period are stored. Furthermore, users can erase data from their

devices and permanently delete all data (including in the SD card) after entering the

HUAWEI ID and password.

which the invited users will be unable to view the shared positions anymore. The

HUAWEI Browser offers various mobile services, including web browsing, information

recommendation, website navigation, download, and search. It enables users to surf

the Internet with maximum security and privacy.

HUAWEI Browser is equipped with powerful capabilities for detecting and blocking

malicious websites. It can promptly identify phishing attempts, Trojan horses,

malware, and websites that contain illegal content (such as gambling and

pornography), as well as display different alerts and block websites that have a

certain level of risk, safeguarding users' information and devices. In addition,

HUAWEI Browser's ad blocking feature can identify whether a website URL contains

HUAWEI Browser can proactively detect trackers during web page browsing and

block tracking cookies by default, preventing them from storing users' personal

information or tracking users' Internet browsing behavior.

During Internet browsing, HUAWEI Browser prevents web pages from opening apps

without the user's permission. This prevents web pages from opening malicious apps

when the user visits the web pages.

HUAWEI Browser provides users with a visualized report regarding privacy and

security protection. Users can view the report to check event details such as blocked

ads and tracking cookies.

Users can also choose to browse websites in a private browsing mode. In this mode,

HUAWEI Browser does not record users' browsing information.

HUAWEI Browser also provides users with the ability to surf the Internet in basic

sensitive data (such as user names and passwords) that is automatically saved by

websites is securely stored in HUAWEI Browser. HUAWEI Browser encrypts auto-fill

web page credentials for storage and stores the encryption key in the TEE for multi-

layer encryption protection. When users need to view or modify their auto-fill web

page credentials, they must verify their identity by providing their lock screen

passwords or fingerprints. This serves to prevent such credentials from being leaked

or maliciously tampered with.

for children, and protect children from being exposed to age-inappropriate content.

Huawei Pay is a secure, convenient, and smart electronic wallet that allows users to

access their public transport passes, bank cards, door keys, and eIDs on their

Huawei mobile devices. With just a single tap, users can use their phones to shop,

take a bus, open a door, authenticate their identities, and more.

HUAWEI Wallet does not store sensitive information such as a bank card's CVV (the

last three digits on a bank card's magnetic stripe) and validity period. Only the token

information of a bank card number is stored in the security chip. To ensure data

security when a bank card is added to Huawei Pay, the binding information is

The Huawei Pay server communicates with devices and payment servers through a

secure TLS channel.

Huawei Pay signs payment messages using a digital certificate to ensure their

integrity, preventing user payments from being maliciously deducted or tampered

with.

In-App Purchases (IAP) provides in-app payment capabilities for global developers,

and delivers unified capabilities such as product definition, product ordering and

purchase, and service delivery for apps.

With IAP, users can make in-app payments (using bank cards or HUAWEI Points)

conveniently, securely, and confidentially.

Users can authorize IAP to use their fingerprints or faces for payment, which is based

data, thereby enabling security verification from the device, app, and user

perspectives, as well as ensuring message integrity.

system verifies whether the fingerprint or face data is consistent with that stored in

the TEE of the user's mobile phone. If the fingerprint or face data is consistent,

transaction data will be signed using the PKI digital certificate in the TEE before

being uploaded to the server, ensuring payment security. Throughout the payment

process, fingerprint and face data is stored only in the TEE, as opposed to the cloud,

safeguarding users' private information.

The IAP server adheres to the storage encryption requirements of the financial

Huawei Pay and IAP have obtained PCI-DSS certification, ADSS certification of

China UnionPay, and BCTC certification.

coupons, flash sales, and other promotional campaigns. This provides users with fair

and convenient service experience.

storage location are determined based on the region a consumer is located (app

distribution location). The 3+X deployment policy for physically isolated data storage

of different regions enables strict control over the risks of cross-border data transfer.

The data isolation mechanism is used to prevent abuse of data. Data isolation refers

to the isolation between data for which Huawei acts as a data controller and data for

which Huawei acts as a data processor, as well as isolation of data among different

developers.

In services in which Huawei acts as a data controller, such as in Account Kit and IAP,

Huawei notifies users of personal data processing information in the out-of-box

information, including downloading personal information copies, controlling statistic

When deciding to build apps based on HMS Core, a developer should first register as

framework provides developers with the registration, open capability application,

open capability access credential setting, and cloud-based open capability token

generation and verification capabilities. This framework uses the Advanced

Encryption Standard (AES) algorithm to encrypt and store developers' registered

personal information, such as their identity and bank account information.

HMS Core kits can be released with HMS Core (APK), or be independently released

and dynamically loaded by HMS Core (APK). HMS Core (APK) that contains HMS

Core kits of a new version is launched on HUAWEI AppGallery. Users can decide

whether to update HMS Core (APK), and HMS Core (APK) can be updated only with

users' prior authorization. If HMS Core (APK) is updated, its signature will be verified.

whether the signing certificate fingerprint of the kit is added to the trustlist prior to an

update. If not, the kit cannot be loaded. If the fingerprint is in the trustlist, the APK

signature is verified. An overwrite update is allowed only after the signature

verification is successful.

access the open capabilities with authentication credentials. Currently, supported

credentials are API key, OAuth 2.0 client ID, and service account key.

The API key, OAuth 2.0 client ID, and OAuth 2.0 client secret are generated using

secure random numbers, encrypted using AES-GCM, and stored on the server to

prevent from leakage. The public key of a service account key is stored by HMS

Core, and the private key is stored by developers. Authentication credentials are

used in the following scenarios:

1. API key: This is a simple encrypted string that can be used to utilize HMS Core's

The security sandbox for HMS Core kits is built on various technologies for security

isolation at the system level and the virtual container technologies. A kit running in

the sandbox has a completely isolated file namespace, and any request from the kit

for the system resources (including the network, external storage, location, contact,

and recording) is forcibly authenticated. Thanks to the security sandbox mechanism,

impacts brought by faults or vulnerability exploitations on a kit are isolated and

mitigated, strengthening the security of HMS Core.

HMS Core servers are deployed in multi-site disaster recovery (DR) mode. The