All Your Fitness Data Belongs to You: Reverse Engineering the Huawei Health Android App

Christian Kudera

Playlists: 'eh19' videos starting here / audio / related events

This talk describes the reversing process of the Huawei Health app. In this context, the proprietary BLE Huawei Link Protocol v2 will be disclosed, which allows the use of the Huawei fitness devices without the Health App and its accompanying ecosystem.

Fitness wristbands and watches, so-called fitness trackers are constantly gaining in popularity. They can record a variety of private data (e.g. pulse, steps, calorie consumption, sports activity), which may also be of interest to other individuals. By now, the first insurance companies are already offering superior rates for providing them with the captured fitness data. Due to the great demand, it is not surprising that many well-known manufacturers offer fitness trackers. With the Huawei Band 3 Pro, the Huawei Watch GT and the Honor Band 4 (Honor is a sub-brand of Huawei), Huawei also sells a wide range of varying trackers. All these trackers are controlled with the Huawei Health App, which is available for both Android and iOS.

Huawei is using Bluetooth Low Energy (BLE) for the communication between smart phones and the addressed fitness devices. Built upon BLE, the proprietary protocol Huawei Link Protocol v2 is used. Since the protocol is not documented and partially encrypted, breaking out of the Huawei ecosystem is not simple. Until now, users have been bound to the Huawei Health App and its corresponding cloud environment and had to accept that their data is uploaded to Chinese servers.

During this talk the following, generally applicable methods for reverse engineering of Android applications are discussed:

Furthermore, the subsequent results concerning the Huawei Health App and the Huawei Link Protocol v2 will be presented: