How ICBC Strengthens HarmonyOS Mobile Banking App Security

Under the dual pressure of global competition and cybersecurity challenges, independent innovation has become a new focus in China. Leveraging the autonomous and secure architecture of HarmonyOS, ICBC is actively adapting its mobile banking app to HarmonyOS, integrating the OS's native security features, participating in industry standard development, and collaborating with peers to establish security requirements throughout the app lifecycle.

1. HarmonyOS App Security Capability Building

Researching the Harmony ecosystem and analyzing security conditions of Android and iOS apps, ICBC identified HarmonyOS security risks and needs, focusing on three key areas:

1) Self‑developed security component

ICBC created a secure keyboard for HarmonyOS to prevent key‑logging software from capturing user input. The keyboard mimics physical layouts, supports common characters, disables copy/paste, clears memory promptly, and encrypts passwords in real time using randomly generated factors, ensuring user credential safety.

2) Leveraging native security capabilities

ICBC communicated financial app security requirements to Huawei, prompting the OS to provide APIs that simplify permission requests via system pickers, enhance user experience, and protect privacy. Additional measures such as certificate pinning and anti‑screen‑capture defenses were deployed to thwart man‑in‑the‑middle attacks and prevent malicious screenshot harvesting.

3) Promoting third‑party security vendor adaptation

ICBC facilitated dialogue between security product vendors and Huawei, encouraging strategic cooperation and integration of security solutions into the Harmony ecosystem, thereby advancing the overall security posture of HarmonyOS.

2. Participation in HarmonyOS App Industry Standard Construction

ICBC contributed to the "Software Green Alliance Application Experience Standard 6.0 – Security" for HarmonyOS, which defines security guidelines and testing methods across six stages: preparation, development/debugging, release, operation, maintenance, and decommission. This standard guides developers in creating secure OpenHarmony‑based applications.

Going forward, ICBC will continue expanding its HarmonyOS security research, incorporating internal and external threat intelligence, monitoring OS security updates, and refining security technologies to enhance app protection.