Sunday, 21 June 2026

Black Hat Europe 2025 | Offensive Testing Of HarmonyOS NEXT Applications With Harm0nyz3r & DVHA

HarmonyOS NEXT marks Huawei's transition to a fully independent operating system, powering a growing ecosystem of mobile devices and applications. While adoption is accelerating, public research into its security architecture, and its implications for app developers and end users, remains minimal.

This talk presents the results of a security assessment of HarmonyOS NEXT and its application ecosystem, combining a custom-built testing framework (Harm0nyz3r) with a purposely vulnerable application (Damn Vulnerable HarmonyOS Application, DVHA). Harm0nyz3r, inspired by Android security tools like Drozer, enables researchers to enumerate and interact with app IPC endpoints, fuzz abilities, and invoke hidden or restricted components. DVHA serves as a realistic playground, containing vulnerabilities such as insecure logging, hardcoded credentials, insecure data storage, SQL injection, command injection, and access control bypasses.

We will walk through methodology, exploitation workflows, and real-world findings, including challenges posed by HarmonyOS NEXT's unique security model and differences from Android. Live demonstrations will show how Harm0nyz3r maps an application's attack surface, crafts malicious payloads, and successfully exploits vulnerabilities in DVHA, with clear takeaways for vulnerability discovery in production apps. Attendees will leave with a practical understanding of HarmonyOS NEXT app security, new offensive testing techniques for this emerging platform, and an appreciation of why mobile security research must expand beyond Android and iOS to address the next wave of global devices.

By: Jorge Wallace | Cybersecurity Technical Leader, DEKRA https://ift.tt/UDduJcN

source https://www.youtube.com/watch?v=4xfSTNgy8UE
