Security controls are a set of ArkUI components implemented and provided by the system. When an application integrates one of these components, authorization is granted automatically after the user clicks it, with no authorization pop-up. They can be integrated into an application page as a kind of "special button", realizing the design idea of authorization by user click.
Compared with dynamically requesting permissions, security controls grant authorization per scenario, which simplifies things for both developers and users. The main advantages are:
- Users can control the timing of authorization and minimize the scope of authorization.
- Authorization scenarios can match the user's true intent.
- Reduce pop-up interruptions.
- Developers do not have to request permissions from the app marketplace, which simplifies their work.
Security controls collect only the personal data necessary to fulfill business functions, serving the needs of users and helping developers build privacy-compliant applications that are transparent, optional, and controllable.
Security Controls List
The system currently offers three types of security controls:
PasteButton
This control corresponds to the Clipboard Read privilege. Once the application integrates the Paste control, a user click on the control lets the application read the clipboard data without a pop-up.
Suggested scenarios: The Paste control can be used in any scenario where the application needs to read the clipboard, avoiding pop-up prompts that can be intrusive to the user.
SaveButton
This control corresponds to the media library write privilege. Once the application integrates the Save control, the user clicks on the control and the application obtains authorization to access the media library privileged interface within 10 seconds.
Suggested scenarios: The Save control can be used in any scenario where the application needs to save a file to the media library (save an image, save a video, etc.). Unlike Picker, which requires pulling up a system application and having the user choose a specific save path, the Save control saves directly to the specified media library path, which makes the operation much faster.
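The following ArkTS sketch is an added example, not code from the original page: it shows a Save control whose click handler checks the authorization result before calling the media library. It assumes the Kit-style import paths and that `photoAccessHelper.createAsset` is the privileged media library call; `SaveDemo`, `saveImage`, and `imageData` are hypothetical names.

```arkts
import { photoAccessHelper } from '@kit.MediaLibraryKit';
import { fileIo } from '@kit.CoreFileKit';
import { common } from '@kit.AbilityKit';
import { promptAction } from '@kit.ArkUI';

// Hypothetical helper: writes already-encoded image bytes into the media library.
async function saveImage(context: common.UIAbilityContext, data: ArrayBuffer): Promise<void> {
  const helper = photoAccessHelper.getPhotoAccessHelper(context);
  // Assumed privileged call: issue it right away, inside the 10-second
  // authorization window that the user's click on the SaveButton opens.
  const uri: string = await helper.createAsset(photoAccessHelper.PhotoType.IMAGE, 'jpg');
  const file = await fileIo.open(uri, fileIo.OpenMode.READ_WRITE);
  try {
    await fileIo.write(file.fd, data);
  } finally {
    await fileIo.close(file);
  }
}

@Entry
@Component
struct SaveDemo {
  // Constructed placeholder: the app supplies the encoded image bytes to save.
  private imageData: ArrayBuffer = new ArrayBuffer(0);

  build() {
    Column({ space: 12 }) {
      // Default icon and text are kept so the control stays clearly identifiable.
      SaveButton()
        .onClick((event: ClickEvent, result: SaveButtonOnClickResult) => {
          if (result !== SaveButtonOnClickResult.SUCCESS) {
            // No temporary grant was issued, so skip the privileged call.
            // Filter the device error log for "SecurityComponentCheckFail".
            promptAction.showToast({ message: 'Save authorization failed' });
            return;
          }
          const context = getContext(this) as common.UIAbilityContext;
          saveImage(context, this.imageData)
            .then(() => promptAction.showToast({ message: 'Saved to gallery' }))
            .catch(() => promptAction.showToast({ message: 'Save failed' }));
        })
    }
  }
}
```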
LocationButton
This control corresponds to the Precise Location privilege. Once the application integrates the Location control and the user clicks on it, the application is authorized for precise location during the current foreground period, regardless of whether it has applied for or been granted the Precise Location privilege, and can call the location service to obtain a precise location.
Suggested scenarios: The Location control suits apps that are not strongly location-related (unlike navigation, sports and health apps, etc.) and that only need location information in some foreground scenarios (such as locating the city, checking in, sharing location, etc.). If you need location information for a long time or in the background, it is recommended to apply for location privileges instead.
Mechanisms of operation
The overall solution consists of security control UI components, security control management services, and security control enhancements:
- UI components: Use a fixed text and icon style that users can easily recognize, while still offering developers a relatively rich set of customization options.
- Control Management Service: Provides control registration management, the temporary authorization mechanism for controls, and management of the authorization validity period, ensuring that the application cannot register and use security controls in the background or under the lock screen.
- Security Enhancement: Implements mechanisms such as address randomization, challenge value checking, callbacks to the UI framework to double-check control information, caller address checking, component anti-overwriting, and real click event verification. These prevent application developers from abusing the authorization mechanism through obfuscation, concealment, tampering, and imitation to disclose user privacy.
When the developer calls the interface, the operational flow is shown in the figure.
Constraints and limitations
Because of their automatic authorization feature, security controls are subject to a number of restrictions in order to protect the user's privacy from being accessed by malicious applications. Application developers need to ensure that the security control is clearly visible on the application interface and can be clearly identified by the user to prevent authorization failures due to overlaying, confusion, and other factors.
When authorization fails because of an invalid control style, check the device error log and filter on the keyword "SecurityComponentCheckFail" to find the specific reason.