In fact, objectively speaking, the result of a single competition cannot directly determine which mobile phone is safer, because many factors are involved, such as the system version and how much attention contestants pay to different models. But one thing is 100% certain: after years of hard work, the security capabilities of Chinese local brand mobile phones are now strong enough to compete head-on with foreign brands such as iPhone and Samsung, and they often even have the upper hand (such as this time).

As a public account author who loves truth and seeks knowledge, I am very curious about what Huawei has done in terms of mobile phone security. So I recently contacted a technical friend who is very familiar with Huawei's mobile phone system - "Brother Hua".

Let's Rock!

Reason 1: The system kernel is very "fresh"

The security of Android phones depends largely on the security of the system kernel itself. "All Android companies in the world are one family": whether it is Huawei, Xiaomi, Samsung, Meizu, OnePlus, or OV, their mobile phone systems are all deeply customized and developed based on Google's open source Android system kernel. But this does not mean that the security of all Android phones is the same, just as the same ingredients can taste different in the hands of different chefs.

Take this year's Mobile Pwn2Own phone cracking competition for example. Among the Android phones, Samsung's S9 and the Xiaomi 6 were cracked, while Huawei's P20 and Google's Pixel were not. The reason why the Huawei P20 won this round is largely that the system it runs is fresh enough.

Brother Hua told me: "The EMUI 9 system on the Huawei P20 phone that participated in the cracking competition is deeply customized and developed based on the latest 'Android P' kernel. This system kernel was released in August this year (2018). Its performance and security have been greatly improved compared with previous versions. Huawei's customized system for mobile phones naturally inherits these advantages."

(EMUI 9 uses the Android 9 kernel)

"This is true for any smart device. The newer the system version, the fewer security vulnerabilities it generally has. This requires all R&D, security, and testing engineers to race against time."

Just like that, when Google released the Android P preview in March, nearly 2,000 Huawei engineers rushed out as soon as the starting gun sounded. Time waits for no one, and the custom development work on this end went ahead in full swing, non-stop.

On August 7, Google had only just pushed the official version of Android 9.0 to its own Pixel phones. Huawei, on the other side of the world, quickly posted a message on Weibo, preparing to recruit users for internal testing.

(I looked through the Weibo at that time)

In the end, Huawei released EMUI 9 and once again became the fastest manufacturer in China to release a new version of its customized Android system (as it also was for Android 7.0 and 8.0). Because of this, the Huawei P20 and Google Pixel were ignored in this year's Pwn2Own hacking competition. I guess the hackers' inner monologue might be: "Huh? Android P? Sorry to bother you..."

Reason 2: A lot of extra work has been done on the basis of native Android

I questioned Brother Hua: "If we only talk about the update speed of the system kernel, no one can compare with Google's own Pixel phone. So why not just use Pixel?"

Brother Hua told me that Huawei has tens of thousands of R&D personnel, and of course they don't just use the Android system kernel directly. EMUI 9 has done a lot of additional development work based on native Android.

"Take kernel hardening as an example. Based on our own offensive and defensive experience, we will take precautions against possible attack methods that hackers may use and dig some traps for hackers in advance. For example, randomly changing some addresses in the kernel to increase confusion, or adding some detection code to take countermeasures once it is found that the process attempts to jump to the location of malicious code.
Huawei phones also have a "secure boot" function, which uses cryptographic principles to ensure, from the underlying layers outside the system kernel that are closer to the hardware, that the software has not been tampered with when the phone is turned on. After normal startup, a daemon process monitors the running state of the entire system kernel around the clock to protect system security.

At this point, Brother Hua specifically emphasized the advantages of Huawei's self-developed chips: "There is a lot of work that needs to be done from the bottom up. Many mobile phone manufacturers rely on the standards and solutions of foreign chip manufacturers, but Huawei's mobile phone chips are self-developed, and the software and hardware R&D departments can cooperate with each other, so security and optimization work in all aspects will be much smoother."

Reason 3: "Independent space" with top security certification

Brother Hua told me that there is a special security area in Huawei phones - TEE OS. TEE OS, also known as "Trusted Execution Environment", is independent of the Android kernel and is specifically used to process sensitive data. For example, the data behind passwords, fingerprints, 3D face unlocking, wallet payment and other functions is all stored and processed in isolation in the TEE OS area.

(A sketch that is not very rigorous)

He gave an example. EMUI 9 has a "password safe" function. After the user logs into an app for the first time, they can save the account password on the phone. The next time they log into the app, the password can be filled in directly, eliminating the need to remember it and enter it manually. "The data for this password safe function is stored in the TEE OS area."

In fact, TEE OS is a bit like a bank counter. Ordinary people can walk around freely in the hall (the Android system), and only bank staff can go behind the counter (TEE OS). The two areas are isolated, and information is exchanged through a small window.
Brother Hua said, "Huawei's self-developed TEE OS is called iTrustee. It has been using this technology since Mate 7 (around 2014). This year, it was upgraded to version 2.0. It was the first in China to obtain the CC EAL2+ level certification of the world's authoritative information technology security evaluation standard."

(Huawei TEE OS certification information found on a public website)

Reason 4: Strict data security and permission control

When talking about data security, Brother Hua repeatedly mentioned a term that sounds a bit technical: "full life cycle management of data". It means ensuring security across the entire process, from the creation of data through its transmission and use to its destruction. It sounds a bit complicated, so let's try to explain it in a simpler way.

The key to data security lies in permission control, which simply means "who has access to what data, and when?" To put it more bluntly, it means guarding against an app on your phone secretly reading your data without your knowledge. Although the native Android system has a set of permission management solutions, the actual user experience is not perfect.

Brother Hua gave an example: "You authorize an app to use the microphone, and your original intention was just to temporarily use a certain function, but once authorized, the app will have this permission forever. Whether it is day or night, whether the phone is in your hand or in your pocket, it has the right to record, which is neither safe nor reasonable."

Obviously, the apps on the phone do not follow the rules the way we imagine, and many problems with Android phones are caused by an app that is "dishonest and doesn't follow the rules". Such apps either read data they shouldn't read, obtain permissions they shouldn't have, and violate privacy; or display content that should not be displayed (marketing advertisements, bad information), affecting the user experience; or wake up processes that should not be woken up, occupy memory that should not be occupied, and consume performance.

Brother Hua said that in order to solve the problem of apps abusing permissions, Huawei mobile phones have prepared two measures, one soft and one hard. The former is for prevention in advance, and the latter is for handling afterwards.

Let's talk about the "soft" measure first.

In 2016, Huawei, together with Alibaba, Baidu, Tencent, and NetEase, jointly launched the "Android Green Alliance", bringing in hundreds of companies. The original intention was to allow app developers to get the new version of the Android system faster, shorten the time for application development and adaptation, and improve the user experience.

After solving the problem of app adaptation to mobile phone systems, Huawei launched an "Android Green Alliance Application Experience Standard", calling on alliance member companies to set an example and develop applications in accordance with the standard. This year, the alliance released the 2.0 standard. I picked out a few of its items to give you a feel for it:

"If there is no necessary usage scenario, the application cannot pop up floating windows, customize background toasts, pop up background activities, and other behaviors that harass users on the desktop, lock screen, and other applications."

"The app cannot guide users to enable developer options, and is prohibited from guiding users to enable USB debugging mode."

"The permissions applied for by an application must have clear and reasonable functions and usage scenarios."

The problem of permission abuse in the Android ecosystem has been around for a long time, and simple appeals alone are certainly not enough. In order to encourage developers to comply with the alliance's development standards, Huawei has implemented an "honesty certification" in its own application market. Only apps that have passed both manual and machine testing and strictly complied with the alliance standards can be marked with the "Android Green Alliance" logo in the Huawei application market.

Now let's talk about the "hard" measure.

If someone insists on doing evil, Huawei has prepared an "AI police dog" for them in the EMUI 9 system. They developed an AI model, fed it a large number of behavioral samples of malicious applications that had appeared in the past, and trained it repeatedly. Through deep learning, the AI model learned to automatically identify the behavioral patterns of malicious applications.

"It monitors the behavior of each application on the mobile phone. It doesn't care who developed the specific app, but only cares about what it does. It detects and warns in real time and intercepts malicious behavior."

At the end of the conversation, I asked Brother Hua: "Which is safer, Android or iOS?"

He asked me in return: "Have you noticed that Apple's iOS and Android systems have become more and more similar in recent years? This is true in terms of functionality, fluency, security and other aspects of experience."

Me: "They are becoming more and more alike…"

Brother Hua: "They will become more and more similar in the future."

Me: "Why?"

Brother Hua said: "Apple is about being closed, while Android is about being open.
At the beginning, the difference was huge, but as time went on, Apple also opened up some features (for example, Apple did not support third-party input methods and NFC for swiping bus cards at the beginning, but later gradually supported them), and Huawei phones in the Android camp also developed a strictly controlled Huawei App Market. Simply worrying about whether to be closed or open is meaningless. What is the ultimate goal of a mobile phone? It is nothing more than to bring users a safe, fast and comfortable experience. As long as Android and Apple are moving towards this goal, even if the initial gap is large, they will eventually reach the same destination. Apple and Android are like two competitors on the same track, and both are in motion. The closed nature of iOS did give Apple a lot of security points in the early days, but Android did not sit idly by and has been catching up all along. It has finally been able to compete with iOS in the security field and is even slightly better. In the future, they will continue to compete with each other. In the end, what matters is nothing more than manpower, financial resources, technological research and development, determination to innovate, understanding of users and the industry... Countless people have exhausted their efforts to polish out one useful product after another, and there are no shortcuts. I think this is the secret of Huawei's success."