Getting Started with HarmonyOS Next App Building and Static Analysis
In this article, we will create a simple app for HarmonyOS Next and introduce basic information, such as its file format. It also discusses the currently available static analysis techniques.
Introduction
Hello, it's a big fish brain. Have you ever heard of HarmonyOS Next? HarmonyOS Next is a proprietary OS announced by China's Huawei on October 22, 2024. Unlike the HarmonyOS that has shipped in Huawei products so far, it does not use Android and is developed entirely on the basis of its own system. In this article, we will create a simple app for HarmonyOS Next and introduce basic information such as its file format. We also discuss the static analysis techniques that are currently available.
File structure of the HarmonyOS Next app
First, create a simple app. Currently, developing HarmonyOS Next apps requires the dedicated IDE "DevEco Studio"*1. DevEco Studio, like Android Studio, is an IDE based on IntelliJ IDEA, and it looks and functions very much like older versions of Android Studio.
The project folder structure is also similar to that of Android Studio. A project created by following the tutorial has the following folder structure.
├── AppScope
│ └── app.json5
├── entry
│ ├── src
│ │ ├── main
│ │ │ ├── ets
│ │ │ │ ├── entryability
│ │ │ │ ├── entrybackupability
│ │ │ │ └── pages
│ │ │ ├── resources
│ │ │ └── module.json5
│ │ ├── build-profile.json5
│ │ ├── hvigorfile.ts
│ │ ├── obfuscation-rules.txt
│ │ └── oh-package.json5
├── build-profile.json5
├── hvigorfile.ts
├── oh-package.json5
└── oh_modules
Here are some of the most important files and folders.
app.json5
The global configuration file for the HarmonyOS app, which defines app-level configuration information. It is equivalent to the <application> tag of Android's AndroidManifest.xml.
module.json5
The configuration file for each module, which defines the configuration information for its abilities. It is equivalent to the <activity> and <service> tags of Android's AndroidManifest.xml.
ets
The folder where the Extended TypeScript (ArkTS, extension .ets) source code is located.
pages
It contains UI-related files such as .ets, .html, .css, and so on.
○○ability
The folder contains source code related to "Ability", which is the basic component of HarmonyOS Next. This is probably the equivalent of Android's Activity.
entry
It is equivalent to the app folder in Android Studio and contains the main source code and configuration files.
Static Analysis
Analysis of HAP File Format
The sample app*2 we created is simple and can only go back and forth between two screens. The build procedure is also similar to Android: when you select Build from the menu, a HAP file with the extension .hap is generated.
Outline of HAP Structure
A HAP file is a ZIP-compressed file and can be decompressed with unzip or 7z to see its internal structure. Typically, HAP files contain the following directories and files:
├── lib/ # Native libraries (.so files)
├── ets/ # ArkTS bytecode (extension .abc)
├── module.json # Module configuration information
├── resources.index # Resource index
├── pack.info
└── resources/ # Stores resource files
It looks similar to the internal structure of an Android app. The unzipped app has module.json, which serves as the equivalent of AndroidManifest.xml. Its contents integrate app.json5 and module.json5, with compiler information added.
Also, unlike Android, the ets folder contains not .dex files but .abc files, which are the bytecode compiled from ArkTS.
Analysis of module.json
module.json is the central configuration file of a HAP file, which contains basic information about the app (package name, permissions, entry point, etc.).
No permissions were declared in the sample app, so I added a permission declaration to module.json5 with reference to the official document*3. The relevant part of the permission declaration in the HAP file's module.json looks like this:
"requestPermissions": [
  {
    "reason": "$string:reason",
    "reasonId": 16777230,
    "usedScene": {
      "abilities": [
        "EntryAbility"
      ],
      "when": "always"
    },
    "name": "ohos.permission.LOCATION"
  }
]
Compared to Android's permission declarations, these contain more detailed information.
reason: Contains the explanatory text shown when requesting permission from the user. This specification is similar to the iOS implementation.
usedScene: Predefines the scope and timing of the permission. This lets you restrict the declared permission to the abilities that need it and to specific times, which can be seen as an application of the principle of least privilege.
Another thing I was curious about is whether an Intent mechanism exists in HarmonyOS Next. According to the official documentation*4, the mechanism similar to an Intent is called "Want"; it supports two types of invocation, explicit and implicit, and can also pass data. The equivalent of Android's intent-filter is configured as "skills" in module.json.
Example of a typical Intent configuration on Android:
<activity android:name="ShareActivity" android:exported="false">
  <intent-filter>
    <action android:name="android.intent.action.SEND"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <data android:mimeType="text/plain"/>
  </intent-filter>
</activity>
Example of HarmonyOS Next configuration corresponding to this:
{
  "module": {
    "abilities": [
      {
        "name": ".ShareAbility",
        "exported": false,
        "skills": [
          {
            "actions": ["ohos.want.action.sendData"],
            "entities": ["entity.system.default"],
            "uris": [{ "mimeType": "text/plain" }]
          }
        ]
      }
    ]
  }
}
Main correspondences:
abilities element ↔ Android activity element
exported property ↔ android:exported attribute in Android
skills configuration ↔ intent-filter block
actions ↔ action element
entities ↔ category element
uris ↔ data element
Although there are some differences in the configuration format, the static analysis approach used for Android configuration files can also be applied to HarmonyOS Next. In particular, the analysis of permission declarations and component export settings can draw directly on experience gained from analyzing Android applications.
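As an added example (not code from the original article), the following Python script applies this approach to a HAP: it reads module.json from the archive, lists each requested permission with its usedScene, and reports abilities marked exported together with the actions their skills accept. It assumes that requestPermissions and abilities sit under the "module" key and that an omitted exported value means false; the sample HAP and the .OpenAbility entry are constructed for illustration.

```python
import io
import json
import zipfile

def audit_module_json(hap_bytes):
    """Summarise requested permissions and exported abilities of a HAP."""
    with zipfile.ZipFile(io.BytesIO(hap_bytes)) as hap:
        # Assumption: both lists live under the top-level "module" key.
        module = json.loads(hap.read("module.json")).get("module", {})
    permissions = []
    for perm in module.get("requestPermissions", []):
        scene = perm.get("usedScene", {})
        permissions.append({
            "name": perm.get("name"),
            "abilities": scene.get("abilities", []),
            "when": scene.get("when"),  # None: no timing declared
        })
    exposed = []
    for ability in module.get("abilities", []):
        # Assumption: an omitted "exported" key means not exported.
        if not ability.get("exported", False):
            continue
        actions = [a for s in ability.get("skills", []) for a in s.get("actions", [])]
        exposed.append({"name": ability.get("name"), "actions": actions})
    return {"permissions": permissions, "exposed_abilities": exposed}

def build_sample_hap():
    """Constructed HAP holding the article's two snippets plus one extra."""
    manifest = {"module": {
        "requestPermissions": [{
            "reason": "$string:reason", "reasonId": 16777230,
            "usedScene": {"abilities": ["EntryAbility"], "when": "always"},
            "name": "ohos.permission.LOCATION"}],
        "abilities": [
            {"name": ".ShareAbility", "exported": False, "skills": [{
                "actions": ["ohos.want.action.sendData"],
                "entities": ["entity.system.default"],
                "uris": [{"mimeType": "text/plain"}]}]},
            # Hypothetical exported ability, added so something is flagged.
            {"name": ".OpenAbility", "exported": True, "skills": [{
                "actions": ["ohos.want.action.sendData"]}]},
        ]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as hap:
        hap.writestr("module.json", json.dumps(manifest))
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit_module_json(build_sample_hap()), indent=2))
```

For a real package, pass the bytes of the .hap file to audit_module_json instead of the constructed sample.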
Decompiling Ark Bytecode
As mentioned above, HarmonyOS Next uses ArkTS as its primary programming language, which is compiled to Ark Bytecode when the app is built.
The SDK bundled with the development tools includes a disassembler (DevEco Studio\sdk\default\openharmony\toolchains\ark_disasm.exe). You can use it to disassemble the .abc files in the ets folder of the unzipped .hap file.
The following is a partial result of the output:
.function any &entry.src.main.ets.entryability.EntryAbility&.#~@1>#onCreate(any a0, any a1, any a2, any a3, any a4) <static> {
mov v0, a0
mov v1, a1
mov v2, a2
mov v3, a3
mov v4, a4
lda v2
sta v10
lda v10
ldobjbyname 0x0, "context"
sta v9
lda v9
ldobjbyname 0x2, "getApplicationContext"
sta v8
lda v8
…
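When triaging a listing like this, it helps to collect the property names each function loads. The following Python script is an added example, not part of the original article or of the SDK; it assumes the whole listing follows the layout of the excerpt above, and its sample input is constructed from lines of that excerpt.

```python
import re

# Patterns follow the layout of the excerpt above (assumed to hold for the
# whole listing): a ".function <type> <name>(" header, then one op per line.
FUNC_RE = re.compile(r'^\.function\s+\S+\s+(\S+?)\(')
LOAD_RE = re.compile(r'^\s*ldobjbyname\s+\S+,\s*"([^"]*)"')

# Constructed sample: lines copied from the excerpt above.
SAMPLE = '''\
.function any &entry.src.main.ets.entryability.EntryAbility&.#~@1>#onCreate(any a0, any a1, any a2, any a3, any a4) <static> {
mov v2, a2
lda v2
sta v10
lda v10
ldobjbyname 0x0, "context"
sta v9
lda v9
ldobjbyname 0x2, "getApplicationContext"
sta v8
'''

def property_loads(disasm_text):
    """Map each function to the property names it loads, in listing order."""
    loads, current = {}, None
    for line in disasm_text.splitlines():
        header = FUNC_RE.match(line)
        if header:
            current = header.group(1)
            loads[current] = []
            continue
        load = LOAD_RE.match(line)
        if load and current is not None:
            loads[current].append(load.group(1))
    return loads

def functions_touching(disasm_text, names):
    """Return the functions whose loads include any name on a watchlist."""
    wanted = set(names)
    return sorted(f for f, props in property_loads(disasm_text).items()
                  if wanted.intersection(props))

if __name__ == "__main__":
    for func, props in property_loads(SAMPLE).items():
        print(func, "->", props)
```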
There is also an open source tool for decompiling Ark Bytecode (.abc) called abc-decompiler*5. It combines abcde*6, a disassembly tool for HarmonyOS Next, with jadx, a UI-based decompilation tool for Java. As a result, the bytecode is ultimately decompiled as Java code.
At present, however, the readability of abc-decompiler's analysis results is low, with garbled characters and unnatural syntax scattered throughout. Even so, it is possible to infer the original code to some extent by reading the surrounding context.
Conclusion
In this article, we investigated the basic information of the HarmonyOS Next app, which is gaining popularity, and the approaches to static analysis that are currently possible. It has only been a short time since its release, but I could get a glimpse of the momentum and enthusiasm with which it will continue to develop. In the future, I would like to investigate and share dynamic analysis methods.
*1:Introduction-DevEco Studio - HUAWEI Developers (note: HUAWEI ID registration is required)
*2:Building the First ArkTS Application in Stage Model-Quick Start-Getting Started - HUAWEI Developers
*3:module.json5 Configuration File-Application Configuration Files in Stage Model-Development Fundamentals-Getting Started - HUAWEI Developers
*4:Want-ability-Dependent Elements and Definitions-ArkTS APIs-Ability Kit-Application Framework - HUAWEI Developers
*5:GitHub - ohos-decompiler/abc-decompiler
*6:GitHub - Yricky/abcde: openHarmony reverse-engineering toolkit
Original Article: Getting Started with HarmonyOS Next App Building and Static Analysis