Another fitness tracker with a well-known Chinese name was subjected to an extensive security analysis in our laboratory as part of our large Fitness Tracker comparison test. Whether the Huawei Band 2 Pro performs better than its compatriots from Lenovo and Xiaomi, who are rather mediocre in the test, will be clarified in the following test report.
As a first step in our investigation, the mobile application of the Huawei Band 2 Pro was analyzed. In this case, three different applications (com.huawei.bone, version 220.127.116.116; com.huawei.hwid, version 18.104.22.1681; com.huawei.health, version 22.214.171.1249) had to be tested to ensure a full functionality test. However, it comes as no surprise that all three apps have a very similar level of security. Accordingly, the results are discussed here for all three in summary.
The static analysis revealed a relatively long list of potential dangers and weak points. Among other things, problems with the security of the SSL implementation were suspected, especially regarding certificate validation, keystore usage and the use of HTTP in general. In addition, the high authorization level that the application requires for operation was noted. The extent to which the potential problems found are also practically relevant was then examined in the practical tests for local and online communication.
Apart from that, the applications made a good impression: The source code of the three is adequately secured by obfuscation and an unsecured local storage of sensitive information could not be detected in the test. Another positive aspect is the implemented root detection within the applications, which informs the user on a possibly rooted smartphone that when using the app it can no longer be ruled out that the data may be read by unauthorized entities. This is a warning that we would like to see as standard for all applications that handle sensitive data.
Furthermore, the source code of the three applications could not easily be manipulated and translated back into a functional version of the applications, because our standard tools for encoding and decoding Android APK’s failed at this point. Whether intended or not, an increase in security!
In the area of local communication, we could not find any significant weaknesses in the test: Communication seems to be protected by adequate authentication and sufficiently encrypted or concealed. Overall, the Huawei Band 2 Pro appears inconspicuous in this point.
We were also unable to find any real weak points in the Huawei applications when it came to communication via the Internet: All observed connections, including registration, login and synchronization, were adequately encrypted and even our standard man-in-the-middle attacks were unsuccessful and did not lead to a simple data gain for a potential attacker in our tests. In this important point we can also attest the Huawei Band 2 Pro an adequate security level.
We have seldom seen such a data privacy friendly solution before. Huawei’s approach is an example not only for other Asian manufacturers, but also for many European manufacturers.
In terms of security, neither the Huawei Band Pro 2 nor the associated applications afford a real critical vulnerability when it comes to security. Huawei does a very good job in the area of data privacy and informs its users adequately, but the data privacy statement is not available online. Overall, however, these few points do not justify devaluation. Accordingly, the Huawei Band 2 Pro will be awarded the full 3 stars.