Another fitness tracker bearing a well-known Chinese name underwent an extensive security analysis in our laboratory as part of our large fitness tracker comparison test. This test report clarifies whether the Huawei Band 2 Pro performs better than its compatriots from Lenovo and Xiaomi, which were rather mediocre in the test.

Application Security

As a first step in our investigation, we analyzed the mobile application of the Huawei Band 2 Pro. In this case, three different applications (com.huawei.bone, version 21.0.0.366; com.huawei.hwid, version 2.5.3.301; com.huawei.health, version 8.0.0.309) had to be tested to cover the full functionality. Unsurprisingly, all three apps have a very similar level of security, so the results for all three are discussed together here.

The static analysis revealed a relatively long list of potential risks and weak points. Among other things, it pointed to possible problems in the SSL implementation, especially regarding certificate validation and keystore usage, and to the use of HTTP in general. It also flagged the high level of permissions that the application requires for operation. Whether these potential problems are relevant in practice was then examined in the practical tests of local and online communication.

Apart from that, the applications made a good impression: the source code of all three is adequately protected by obfuscation, and no unsecured local storage of sensitive information could be detected in the test. Another positive aspect is the root detection implemented in the applications. On a possibly rooted smartphone, it warns the user that, when using the app, it can no longer be ruled out that data may be read by unauthorized parties. This is a warning that we would like to see as standard in all applications that handle sensitive data.

Application detects root rights on smartphone and displays a corresponding message

Furthermore, the source code of the three applications could not easily be manipulated and translated back into a functional version of the applications, because our standard tools for encoding and decoding Android APKs failed at this point. Whether intended or not, this is an increase in security!

Local Communication

In the area of local communication, we could not find any significant weaknesses in the test: communication appears to be protected by adequate authentication and to be sufficiently encrypted or concealed. Overall, the Huawei Band 2 Pro is inconspicuous on this point.

Online Communication

We were also unable to find any real weak points in the Huawei applications when it came to communication via the Internet. All observed connections, including registration, login and synchronization, were adequately encrypted. Even our standard man-in-the-middle attacks were unsuccessful and did not yield any easy data gain for a potential attacker in our tests. On this important point, too, we can attest that the Huawei Band 2 Pro has an adequate security level.

Data Privacy

Unfortunately, the Huawei Health Program’s privacy policy cannot be viewed by the customer in advance via the Huawei website. After the first start of the app, however, the very detailed data privacy statement is displayed. It contains information on the data collected, its processing and the purposes of recording. It also specifies the place of data processing; for users in the EU, for example, this is only Ireland. Data will not be shared with third parties without explicit consent. The storage time of data is also broken down in detail. After the data privacy statement is confirmed, the required app permissions are explained again, and the user can object to the upload of fitness data to the cloud. In the app settings, it remains possible to delete individual or all cloud data.

We have seldom seen such a privacy-friendly solution. Huawei’s approach is an example not only for other Asian manufacturers, but also for many European manufacturers.

Verdict

In terms of security, neither the Huawei Band 2 Pro nor the associated applications show a truly critical vulnerability. Huawei does a very good job in the area of data privacy and informs its users adequately, but the data privacy statement is not available online. Overall, however, these few points do not justify a deduction. Accordingly, the Huawei Band 2 Pro is awarded the full 3 stars.