How ArkTS Code Security Risks Are Detected: Inside Alibaba’s Cutting‑Edge Analysis Framework

This article details Alibaba's security team's comprehensive approach to detecting ArkTS code vulnerabilities in HarmonyOS apps, covering architectural design, static analysis techniques, knowledge‑graph modeling, CI/CD integration, and future AI‑driven enhancements.

Alipay Experience Technology

Preface: Security Is the Foundation of Technological Development

In the rapid digital transformation, security remains the immutable infrastructure for all technology stacks, from traditional internet systems to AI‑native platforms.

Security Challenges and Opportunities in HarmonyOS Native Apps

Between 2022 and 2023, major platforms launched HarmonyOS native development; Alibaba’s security team identified new attack surfaces introduced by ArkTS and the modular architecture, and noted the lack of mature security tools for them.

In early 2024 a market survey revealed no dedicated ArkTS security analysis solutions, prompting a year‑long collaboration to build a comprehensive detection framework, now open‑sourced.

Analysis Goals and Architecture Design

The focus is the business Native layer (ArkTS), which contains complex cross‑bundle communication, component calls, and permission management.

Four core capabilities are required: full call‑chain analysis, taint data‑flow tracking, precise change analysis, and deep business‑logic understanding.

ArkTS Language Analysis Framework Core Design

Three modules:

Source Extraction and Analysis Layer: extracts the AST from ArkTS source, builds an intermediate representation, and generates the control‑flow graph (CFG), data‑flow graph (DFG), and call graph.

Advanced Algorithms and Analysis Layer: implements call‑chain, context‑sensitive taint analysis, and ArkTS‑specific optimizations.

Program Modeling and Knowledge Layer: models framework APIs, system services, and third‑party libraries, adding expert security rules.

Function‑Level Data‑Flow Analysis

Three steps: precise control‑flow modeling, modeling of ArkTS data operations (assignments, destructuring, object passing), and extracting three key data‑flow summaries for leakage, injection, and end‑to‑end attack paths.

Inter‑Function Analysis Algorithms

First‑generation Bottom‑Up algorithm aggregates summaries from leaf functions; second‑generation adds a parallel phase and on‑demand top‑down context‑sensitive analysis, improving precision for polymorphic calls and callbacks.

Program Modeling and Large‑Model Assisted Techniques

Automated extraction of SDK interfaces, prompting large language models to generate security behavior models for 520 critical APIs with 70% out‑of‑the‑box accuracy, reducing manual effort.

CI/CD Integration and Change Analysis

Security scans are triggered before bundle integration; change analysis isolates modified code, builds incremental ASTs, and assesses risk impact through incremental risk evaluation.

Cross‑Bundle Analysis and Knowledge Graph Architecture

Each bundle is treated as an independent unit; its summaries are stored in a knowledge graph with nodes for inputs, outputs, dangerous calls, intermediate processing, and security checks, enabling queries for patterns such as unauthorized cross‑company data transfer.

Risk Inference Engine and Intelligent Detection System

A four‑layer architecture (data collection, knowledge association, intelligent decision, business platform) uses a DSL for sub‑graph pattern matching to detect risks like unsanitized file‑upload paths.
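As an added illustration (not code from Alibaba's framework), the following Python models the two ideas above together: a cross-bundle knowledge graph whose nodes carry the article's kinds (input, processing, security check, dangerous call), and a sub-graph pattern query "input reaches a dangerous call without passing a security check", which is the unsanitized file-upload case. The graph contents and node names are constructed for the example; the real framework's DSL and node schema are not shown on the page.

```python
from collections import deque

# Constructed sample knowledge graph (hypothetical bundles A and B).
# node -> (kind, data-flow successors). Cross-bundle edges (caller argument ->
# callee parameter) are ordinary edges, which is what lets one query span bundles.
GRAPH = {
    # bundle A: upload handler passes a user-supplied path straight to a file API
    "A.upload.req.path":   ("input",   ["A.upload.dest"]),
    "A.upload.dest":       ("process", ["B.saveFile.path"]),
    # bundle B: file library; saveFile writes to whatever path it receives
    "B.saveFile.path":     ("process", ["B.saveFile.fs.write"]),
    "B.saveFile.fs.write": ("sink",    []),          # dangerous call
    # bundle A: a second handler that normalises/validates the path first
    "A.download.req.path": ("input",   ["A.download.norm"]),
    "A.download.norm":     ("check",   ["A.download.dest"]),   # security check
    "A.download.dest":     ("process", ["B.saveFile.path"]),
}


def find_unchecked_flows(graph, src_kind="input", sink_kind="sink", guard_kind="check"):
    """Return sorted (source, sink) pairs for every path from a src_kind node to a
    sink_kind node that never passes through a guard_kind node. This is the
    sub-graph pattern 'input ->* dangerous call, not via security check' written
    as a state-tracking BFS: the state is (node, guarded-so-far)."""
    findings = set()
    for src, (kind, _) in graph.items():
        if kind != src_kind:
            continue
        seen = set()
        queue = deque([(src, False)])
        while queue:
            node, guarded = queue.popleft()
            if (node, guarded) in seen:
                continue
            seen.add((node, guarded))
            node_kind, succs = graph[node]
            guarded = guarded or node_kind == guard_kind
            if node_kind == sink_kind and not guarded:
                findings.add((src, node))
            for nxt in succs:
                queue.append((nxt, guarded))
    return sorted(findings)


if __name__ == "__main__":
    # Only the upload path is reported; the download path is guarded by the check.
    for src, sink in find_unchecked_flows(GRAPH):
        print(f"unsanitized flow: {src} -> {sink}")
```

Because the shared sink node is reached from both handlers, the query must carry the "guarded" flag per path rather than per node; marking B.saveFile.path as safe once would hide the unchecked upload flow.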

Technical Achievements and Future Outlook

Delivered a professional ArkTS analysis toolchain, a comprehensive knowledge graph, open‑sourced core components, and plans to enhance algorithms, support “three‑platform one‑code” development, expand cross‑language analysis, and integrate AI‑driven optimizations.

Tags: HarmonyOS, security, static analysis, Knowledge Graph, ArkTS, Risk Detection