
Security Risk Detection for HarmonyOS ArkTS Code: Architecture, Analysis Framework, and Future Directions

This article presents a comprehensive overview of the security challenges in HarmonyOS native ArkTS applications and describes the design and implementation of a specialized static analysis framework (source extraction, data‑flow and inter‑function analysis, knowledge‑graph construction, and a risk inference engine), while also outlining integration into development pipelines and future research directions.

AntTech

Introduction

Security is the foundation of all software systems, and this holds true for emerging platforms such as HarmonyOS and its ArkTS language. The rapid digital transformation demands robust security mechanisms to protect user data and transaction integrity.

HarmonyOS Native Application Security Challenges

The migration to HarmonyOS introduces new attack surfaces due to low security maturity, a lack of tooling, and complex cross‑bundle communication. A market survey revealed an absence of dedicated ArkTS security analysis tools, prompting the development of a custom solution.

Analysis Goals and Technical Architecture

The focus is on the business Native layer (ArkTS), where critical logic, cross‑bundle communication, and permission management reside. The analysis framework must handle dispersed code, diverse communication mechanisms, and implicit framework calls.

Core Design of the ArkTS Analysis Framework

The framework consists of three modules: Source Extraction & Analysis Layer, Advanced Algorithms & Analysis Layer, and Program Modeling & Knowledge Layer. It extracts ASTs using a customized Huawei ArkTS compiler front‑end, stores relational data via Datalog, and builds control‑flow, data‑flow, and call graphs.

Source Extraction Technology

By leveraging the ArkTS compiler, the system obtains full ASTs and converts them into a Datalog‑based relational database, enabling efficient recursive queries for control‑flow and data‑flow analysis.

Function‑Level Data‑Flow Analysis

The analysis models control structures, data operations (including assignments, destructuring, and object sharing), and extracts three key data‑flow summaries: input‑to‑output, input‑to‑sensitive‑operation, and rule‑defined end‑to‑end paths.

Inter‑Function Analysis Algorithms

Two generations of algorithms are employed: a Bottom‑Up approach for linear scalability and a two‑phase parallel‑then‑context‑sensitive method that improves precision for polymorphic calls and callbacks.

Knowledge Graph and Cross‑Bundle Analysis

Each bundle is treated as an independent analysis unit, with its data‑flow summary stored in a unified knowledge graph containing entry, exit, dangerous call, intermediate, and protection nodes. Explicit and implicit calls are linked via unique identifiers and framework‑specific connection keys.

Risk Inference Engine

Risks are expressed as sub‑graph matching problems using a domain‑specific language (DSL) that defines patterns, constraints (e.g., missing path normalization), and result formats. This enables detection of complex multi‑step attack chains with visualizable results.
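The sketch below is an added example, not AntTech's engine or DSL. It illustrates the matching described in the knowledge-graph and risk-inference sections: per-bundle summaries are joined through a shared connection key, and a rule reports entry-to-dangerous-call paths that never pass a path-normalization protection node. All node names, tags, and rule parameters are constructed assumptions.

```python
# Constructed sample: per-bundle data-flow summaries, id -> (bundle, kind, tag).
# kind: entry | exit | intermediate | protection | dangerous (all names hypothetical).
NODES = {
    "a.onShare":   ("bundleA", "entry", "external"),
    "a.buildUri":  ("bundleA", "intermediate", ""),
    "a.send":      ("bundleA", "exit", "key:viewer.open"),
    "b.onOpen":    ("bundleB", "entry", "key:viewer.open"),
    "b.readFile":  ("bundleB", "dangerous", "file_open"),
    "a.onImport":  ("bundleA", "entry", "external"),
    "a.normalize": ("bundleA", "protection", "path_normalize"),
    "a.readFile":  ("bundleA", "dangerous", "file_open"),
}
EDGES = [("a.onShare", "a.buildUri"), ("a.buildUri", "a.send"),
         ("b.onOpen", "b.readFile"),
         ("a.onImport", "a.normalize"), ("a.normalize", "a.readFile")]

def link_bundles(nodes, edges):
    """Successor map; an exit node also reaches every entry node sharing its connection key."""
    succ = {nid: [d for s, d in edges if s == nid] for nid in nodes}
    for nid, (_, kind, tag) in nodes.items():
        if kind == "exit":
            succ[nid] += [e for e, (_, k, t) in nodes.items() if k == "entry" and t == tag]
    return succ

def match_rule(nodes, edges, source_tag, sink_tag, required_protection):
    """Return source-to-sink paths that never pass the required protection node."""
    succ, findings = link_bundles(nodes, edges), []
    def walk(path):
        _, kind, tag = nodes[path[-1]]
        if kind == "protection" and tag == required_protection:
            return  # constraint satisfied on this path, so no finding
        if kind == "dangerous" and tag == sink_tag:
            findings.append(path)
            return
        for nxt in succ[path[-1]]:
            if nxt not in path:  # guard against cycles
                walk(path + [nxt])
    for nid, (_, kind, tag) in nodes.items():
        if kind == "entry" and tag == source_tag:
            walk([nid])
    return findings

def bundles_crossed(nodes, path):
    """Ordered list of bundles a finding passes through."""
    return list(dict.fromkeys(nodes[n][0] for n in path))
```

Calling `match_rule(NODES, EDGES, "external", "file_open", "path_normalize")` reports only the chain that crosses from bundleA into bundleB; the bundleA import path is suppressed because it passes the normalization node.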

Technical Achievements and Future Outlook

The project delivered a professional ArkTS analysis toolchain, a comprehensive knowledge graph, and an open‑source core engine. Future work includes algorithmic optimizations, support for "three‑platform‑one‑code" development, cross‑language analysis, and AI‑driven analysis enhancements.
