All Your Fitness Data Belongs to You: Reverse Engineering the Huawei Health Android App

EI 7
Christian Kudera
This talk describes the reversing process of the Huawei Health app. In this context, the proprietary BLE Huawei Link Protocol v2 will be disclosed, which allows the use of the Huawei fitness devices without the Health App and its accompanying ecosystem.
Fitness wristbands and watches, so-called fitness trackers, are steadily gaining in popularity. They record a variety of private data (e.g. pulse, steps, calorie consumption, sports activity) that may also be of interest to third parties: the first insurance companies are already offering better rates to customers who hand over the captured fitness data. Given the great demand, it is not surprising that many well-known manufacturers offer fitness trackers. With the Huawei Band 3 Pro, the Huawei Watch GT and the Honor Band 4 (Honor is a sub-brand of Huawei), Huawei also sells a wide range of trackers. All of them are controlled with the Huawei Health App, which is available for both Android and iOS. Huawei uses Bluetooth Low Energy (BLE) for the communication between smartphone and fitness device; on top of BLE, the proprietary Huawei Link Protocol v2 is used. Since the protocol is undocumented and partially encrypted, breaking out of the Huawei ecosystem is not simple. Until now, users have been bound to the Huawei Health App and its cloud environment and have had to accept that their data is uploaded to Chinese servers.
During this talk the following generally applicable methods for reverse engineering Android applications are discussed:
- Different methods to extract the app from the smartphone
- Static analysis and deobfuscation of complex multidex applications (the Huawei Health App comprises over 13,000 classes and far more than 64K methods) with Jadx [1] and Android Studio [2]
- Dynamic analysis and instrumentation with Frida [3] to intercept the Bluetooth communication and to circumvent the code signing protection

Furthermore, the following results concerning the Huawei Health App and the Huawei Link Protocol v2 will be presented:
- The structure of the Huawei Link Protocol v2, including the handshake and cryptographic authentication between fitness tracker and smartphone
- The readout of the fitness data stored (besides the cloud) on the smartphone in an encrypted local SQLite database (SQLite Encryption Extension), including the retrieval of the encryption key

[1] https://github.com/skylot/jadx
[2] https://developer.android.com/studio/
[3] https://www.frida.re/
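As an added example (not code from the talk, from Huawei, or from the Frida project), the following Frida script shows the kind of instrumentation the talk refers to for intercepting the Bluetooth communication: it hooks the standard android.bluetooth GATT API and hex-dumps every characteristic value the app writes to or receives from the tracker. The package name com.huawei.health, the script file name and the UUID in the test input are assumptions; no Huawei-specific class names are used, so the same hooks work against any BLE app, which matters here because the app's own callback classes are obfuscated.

```javascript
// Added example, not code from the talk or from Huawei: a Frida script that
// taps the standard Android BLE GATT API and hex-dumps every characteristic
// value an app writes or receives. Run against the (assumed) package name with:
//   frida -U -f com.huawei.health -l ble_tap.js
// Nothing below is Huawei-specific; the same hooks work for any BLE app.

// Render a byte array (JS array, Uint8Array, or a Frida-wrapped Java byte[])
// as lowercase hex. Java bytes are signed, so mask each value with 0xff.
function toHex(bytes) {
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    out.push((bytes[i] & 0xff).toString(16).padStart(2, '0'));
  }
  return out.join(' ');
}

// One log line per GATT event. The sequence number lets request and
// response frames be paired up later when the dump is analysed offline.
let seq = 0;
function formatGattEvent(direction, uuid, bytes) {
  seq += 1;
  const n = String(seq).padStart(4, '0');
  return `[${n}] ${direction} ${uuid} len=${bytes.length} ${toHex(bytes)}`;
}

// The hooks themselves only exist inside Frida's Java bridge; under plain
// Node the helpers above are still usable for post-processing a saved dump.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Gatt = Java.use('android.bluetooth.BluetoothGatt');
    const Char = Java.use('android.bluetooth.BluetoothGattCharacteristic');

    // Outgoing: the app writes a characteristic to the tracker.
    // (Pre-API-33 overload; newer Android adds a three-argument variant.)
    Gatt.writeCharacteristic
      .overload('android.bluetooth.BluetoothGattCharacteristic')
      .implementation = function (characteristic) {
        const value = characteristic.getValue() || [];
        console.log(formatGattEvent('>>', characteristic.getUuid().toString(), value));
        return this.writeCharacteristic(characteristic);
      };

    // Incoming: the framework stores a read or notified value with
    // setValue(byte[]) before dispatching onCharacteristicChanged /
    // onCharacteristicRead to the app's callback, so hooking setValue
    // catches data from the tracker without knowing the app's (obfuscated)
    // callback class names. The app also calls setValue() before each
    // write, so a 'set' line immediately followed by a '>>' line for the
    // same UUID is outgoing; a lone 'set' line is incoming.
    Char.setValue.overload('[B').implementation = function (value) {
      console.log(formatGattEvent('set', this.getUuid().toString(), value));
      return this.setValue(value);
    };
  });
}
```

The resulting dump is the raw material for working out a proprietary framing such as the Huawei Link Protocol v2: with both directions and a sequence number in hand, fixed header bytes, length fields and the handshake exchange can be picked out by diffing consecutive frames, before any of the app's obfuscated code has to be read.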

Additional information

Type: Talk
Language: English

More sessions

4/19/19
EI 7
The opening talk!
4/19/19
EI 7
This talk demonstrates AI-based manipulation of video. As an example, people are removed from the live stream of an IP camera so that objects can be placed unnoticed. To make this possible, an attack vector against IP cameras is shown as well.
4/19/19
Bastian W. / @dasrecht
EI 9
How day-to-day work changes when you work exclusively on an open source project.
4/19/19
EI 7
Secure and functional data storage in the cloud requires new technologies; one approach is Searchable Encryption (SE). After a short introduction to the current state of the art, we will present Searchitekt, our developer framework for SE.
4/19/19
Paul Fuxjäger
EI 9
Yes, we want to talk about ActivityPub - because it's what drives many popular fediverse services (e.g. Mastodon). We will cover the history and basic structure of the spec, and then discuss whether or not this is a case of XKCD 927 and whether Moxie Marlinspike's blog post applies.
4/19/19
Habrok
EI 7
In this talk we will take a closer look at a true undead among programming languages. Among other things, I will present details that look frightening today but at the time seemed like a good idea or were technically necessary.
4/19/19
EI 7
Two years ago the Easterhegg schedule listed a meeting to revive the Datenschleuder. Since then a team has been working to bring the Datenschleuder back. We want to talk about why and how we are doing this, and how you can do it too.