Huawei Watch GT 4

Banned from US networks. Full telemetry to Huawei cloud under Chinese intelligence law.
Serious concerns
Huawei · 🇨🇳 China · Bluetooth
Technical details
FCC ID: QISPNX-B19
Chipset: ARM Cortex-M (Huawei proprietary)
App: com.huawei.health
Manufacturer: Huawei
Model: Watch GT 4
🚫
Banned in the US
This product is banned or effectively prohibited from sale in the United States due to national security concerns.

⚠️ The bottom line

Huawei says your health data is encrypted on your phone and they can't access it. But the app needs internet access and syncs your data to Huawei's cloud servers. Chinese law requires Huawei to hand over data to intelligence agencies if asked. So your heart rate, sleep, and location data may end up accessible to the Chinese government despite Huawei's encryption claims. Five countries banned Huawei from building phone networks because they couldn't trust the company with communications data. Yet the same company freely sells smartwatches that track your heart rate, blood oxygen, sleep, stress, location, and menstrual cycle — data that is far more personal than anything flowing through a cell tower. If Huawei can't be trusted with network infrastructure, why is it trusted with your most intimate biometric data?

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law
Company must secretly hand data to Chinese intelligence on request
Data Security Law
State can classify any data as 'important' and demand access for national security
Spying
4/4 EXTREME
Is someone spying on me?
Data Sharing
4/4 EXTREME
Who gets my data?
Security
4/4 EXTREME
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
REPLACE Extreme risk. Look for alternatives or lock down hard.
11 Contradictions
3 Critical
5 High
3 Medium
8 Sources
Findings by concern
Spying 4/4 EXTREME 5 findings
⚠️ critical · policy claims vs regulatory findings
Huawei says your health data is encrypted on your phone and they can't access it. But the app needs internet access and syncs your data to Huawei's cloud servers. Chinese law requires Huawei to hand over data to intelligence agencies if asked. So your heart rate, sleep, and location data may end up accessible to the Chinese government despite Huawei's encryption claims.

What they claim: Huawei privacy policy states wearable health data is "encrypted and stored in your phone's internal memory" using AES CBC 256 encryption with a "randomly generated key that even Huawei cannot decrypt."

What we found: The Huawei Health app requires INTERNET, ACCESS_BACKGROUND_LOCATION, and cloud sync permissions. Huawei's own privacy statement confirms "Personal data collected and generated during our operations in the People's Republic of China will be stored in China." The app's Health Cloud feature syncs biometric data across devices via Huawei's cloud infrastructure. China's National Intelligence Law Article 7 compels all organizations to "support, assist, and cooperate with national intelligence efforts" — meaning even encrypted data stored on Huawei servers is accessible to Chinese intelligence by law.

⚠️ critical · regulatory findings vs regulatory findings
Five countries banned Huawei from building phone networks because they couldn't trust the company with communications data. Yet the same company freely sells smartwatches that track your heart rate, blood oxygen, sleep, stress, location, and menstrual cycle — data that is far more personal than anything flowing through a cell tower. If Huawei can't be trusted with network infrastructure, why is it trusted with your most intimate biometric data?

What they claim: Huawei Technologies was banned from 5G infrastructure in all Five Eyes nations (Australia, US, UK, NZ, Canada) due to national security risks including potential surveillance backdoors and obligations under China's National Intelligence Law.

What we found: Despite being deemed a national security threat too dangerous to build telecommunications infrastructure, Huawei consumer devices including the Watch GT 4 remain freely available in all Five Eyes countries. The Watch GT 4 collects continuous heart rate, blood oxygen, GPS location, sleep patterns, stress levels, skin temperature, and menstrual cycle data — far more intimate data than any network equipment handles. FCC still grants the same Huawei Technologies Co., Ltd (grantee QIS) approval for consumer wearables.

⚠️ critical · app permissions vs policy claims
Huawei's privacy policy claims it doesn't collect biometric data. But the Huawei Health app literally requests permission to access body sensors around the clock, and the Watch GT 4 continuously records your heart rate, blood oxygen, skin temperature, and more. The company claims it doesn't collect the exact data its own watch and app are designed to collect.

What they claim: Huawei states it "does not collect data revealing biometric data" in its general privacy statement.

What we found: The Huawei Health app collects continuous biometric data including heart rate (24/7 PPG sensor), blood oxygen (SpO2), skin temperature, sleep quality, stress levels (HRV-based), and menstrual cycle tracking. The app requests BODY_SENSORS and BODY_SENSORS_BACKGROUND permissions to access this data continuously, including while not actively in use. This is a direct contradiction between Huawei's stated privacy position and the actual data collected by their companion app.

⚡ high · app permissions vs firmware analysis
The Huawei Health app asks for 46 permissions on your phone — including the ability to read and send text messages, access your contacts and calendar, use your phone's camera and microphone, and read your fingerprint. A health watch app doesn't need to read your texts or record audio. These excessive permissions give Huawei access to far more personal data than tracking your steps and heart rate.

What they claim: A health-tracking smartwatch companion app should only need permissions related to health data, Bluetooth connectivity, and fitness tracking.

What we found: Huawei Health requests 46 permissions including READ_SMS, SEND_SMS, READ_CONTACTS, WRITE_CONTACTS, READ_CALENDAR, WRITE_CALENDAR, CAMERA, RECORD_AUDIO, READ_PHONE_STATE, SYSTEM_ALERT_WINDOW, and USE_FINGERPRINT. A smartwatch health app has no legitimate reason to read or send SMS messages, access contacts and calendar entries, or record audio. The Watch GT 4 hardware has no camera or microphone, yet the companion app requests CAMERA and RECORD_AUDIO permissions on the phone.
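The check behind this finding can be reproduced on any companion app: pull the permissions out of its AndroidManifest.xml and compare them against what a Bluetooth-only health wearable plausibly needs. The script below is an added example written for this review, not Huawei's code and not the reviewers' tooling; the baseline set and the sample manifest are constructed assumptions (the sample lists the permission names named above, not the full 46), and the risk notes are this example's own labels.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption for this example: what a BLE-only health companion app plausibly needs.
EXPECTED_BASELINE = {
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.BODY_SENSORS",
    "android.permission.ACTIVITY_RECOGNITION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that deserve a second look in a health app, with a short reason.
HIGH_RISK = {
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.SEND_SMS": "sends text messages",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.WRITE_CONTACTS": "modifies contacts",
    "android.permission.READ_CALENDAR": "reads calendar",
    "android.permission.WRITE_CALENDAR": "modifies calendar",
    "android.permission.CAMERA": "camera access on the phone",
    "android.permission.RECORD_AUDIO": "microphone access on the phone",
    "android.permission.READ_PHONE_STATE": "phone identity and call state",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is not in use",
    "android.permission.BODY_SENSORS_BACKGROUND": "body sensors while app is not in use",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "exempt from Doze, runs continuously",
}

# Constructed sample manifest (not extracted from any real APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.healthcompanion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.BODY_SENSORS_BACKGROUND"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get("{%s}name" % ANDROID_NS)
            if name:
                names.append(name)
    return names


def audit_permissions(manifest_xml, baseline=EXPECTED_BASELINE, high_risk=HIGH_RISK):
    """Split declared permissions into known-high-risk, expected, and unexplained."""
    requested = requested_permissions(manifest_xml)
    flagged = {p: high_risk[p] for p in requested if p in high_risk}
    unexpected = sorted(p for p in requested if p not in baseline and p not in high_risk)
    return {"total": len(requested), "flagged": flagged, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    print("declared:", report["total"])
    for perm, why in report["flagged"].items():
        print("  HIGH RISK", perm, "-", why)
    for perm in report["unexpected"]:
        print("  REVIEW   ", perm, "- not in health-companion baseline")
```

Running the audit on a real manifest means extracting it first (for example with apktool or aapt); the point of the split is that "unexpected" permissions are not automatically bad, they are the ones the privacy policy should explain, while the "flagged" set is where the policy's claims can be checked directly against what the app can technically reach.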

⚡ high · firmware analysis vs regulatory findings
The watch only connects to your phone via Bluetooth, which sounds safe. But your phone immediately sends all that health data to Huawei's cloud servers over the internet. The Bluetooth-only design makes you think your data stays between your watch and phone, but it actually flows straight to Huawei's servers in China through your phone's internet connection.

What they claim: The Watch GT 4 connects via Bluetooth 5.2 only (no Wi-Fi or cellular), implying data stays between the watch and paired phone.

What we found: While the watch itself lacks Wi-Fi, all synced data flows through the Huawei Health app on the paired phone, which requires INTERNET permission and connects to Huawei cloud endpoints including hicloud.com, dbankcloud.com, vmall.com, and hwcloudservice.com. The phone becomes the gateway for transmitting intimate biometric data to Huawei's cloud infrastructure. Huawei's privacy policy confirms data may be stored in China and is subject to the National Intelligence Law. The Bluetooth-only design creates a false sense of isolation when the phone acts as an always-on data pipeline to Huawei servers.
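Because the phone, not the watch, is the uplink, the practical way to see this data flow is at the household or corporate DNS resolver. The script below is an added example for this review (not Huawei's code, not the reviewers' tooling): it reads dnsmasq-style query log lines and reports which clients resolved names under the cloud domains listed above. The log lines are constructed for the example, and the domain list is taken from the finding as written; matching is anchored on the domain suffix so a look-alike such as a name merely containing "hicloud" is not counted.

```python
import re
from collections import defaultdict

# Cloud domains named in the finding above.
CLOUD_SUFFIXES = ("hicloud.com", "dbankcloud.com", "vmall.com", "hwcloudservice.com")

# Constructed sample in dnsmasq query-log format (not a real capture).
SAMPLE_DNS_LOG = """\
Mar 14 08:01:02 dnsmasq[812]: query[A] api-wear.hicloud.com from 192.168.1.20
Mar 14 08:01:02 dnsmasq[812]: query[A] www.example.org from 192.168.1.33
Mar 14 08:01:05 dnsmasq[812]: query[AAAA] sync.dbankcloud.com from 192.168.1.20
Mar 14 08:03:10 dnsmasq[812]: query[A] notahicloud.com from 192.168.1.20
Mar 14 08:05:44 dnsmasq[812]: query[A] hwcloudservice.com. from 192.168.1.20
Mar 14 08:06:01 dnsmasq[812]: reply api-wear.hicloud.com is 203.0.113.10
"""

# Only "query[...]" lines carry the client address; reply lines are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def matches_suffix(qname, suffixes=CLOUD_SUFFIXES):
    """True if qname is one of the suffixes or a subdomain of one (exact label match)."""
    host = qname.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_cloud_queries(log_text, suffixes=CLOUD_SUFFIXES):
    """Map each client IP to the cloud hostnames it resolved, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_suffix(m.group("qname"), suffixes):
            hits[m.group("client")].append(m.group("qname").rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_cloud_queries(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

A resolver that logs queries (dnsmasq with log-queries, Pi-hole, Unbound) is enough to turn the "Bluetooth-only" impression into an observable fact: if the phone paired with the watch shows up as a client resolving these names while the app is idle, the background sync described above is happening regardless of what the watch's own radio can do.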

Data Sharing 4/4 EXTREME 3 findings
⚡ high · app permissions vs policy claims
Huawei says you control whether your data syncs to the cloud and what gets shared. But the app has four built-in trackers that send data to Huawei automatically, and it requests permission to collect your location and body sensor data in the background even when you're not using the app. The data collection happens whether or not you think you've opted out.

What they claim: Huawei's privacy controls page states users "have the right to determine whether to sync their data to Cloud" and "what data can be shared with third-party apps."

What we found: The Huawei Health app includes Huawei Mobile Services (HMS) Core, Huawei Analytics Kit, Huawei Push Kit, and Huawei Crash Service — four trackers embedded in the app that transmit data to Huawei servers regardless of user cloud sync preferences. The app requests ACCESS_BACKGROUND_LOCATION and BODY_SENSORS_BACKGROUND permissions, enabling continuous data collection even when the app is not actively in use. The FOREGROUND_SERVICE_DATA_SYNC permission indicates automated data synchronization that may not be fully under user control.

⚫ medium · policy claims vs regulatory findings
Huawei says it only keeps your data "as long as necessary" but won't tell you exactly how long that is. Chinese law requires companies to keep data available for government access, with no time limit for national security purposes. So while Huawei suggests your data will be deleted eventually, Chinese law may require them to keep it indefinitely.

What they claim: Huawei's privacy policy states data retention is "no longer than is necessary for the purposes" but provides no specific timeframes.

What we found: China's Cybersecurity Law (2017) and Data Security Law (2021) require companies to retain data for government access purposes, potentially indefinitely for national security matters. The National Intelligence Law provides no time limits on intelligence cooperation obligations. While Huawei's GDPR compliance for European users suggests specific retention periods, the company's obligations under Chinese law may require indefinite retention of data that transits Chinese servers. The vague "no longer than necessary" language provides cover for extended retention compelled by Chinese authorities.

⚫ medium · app permissions vs regulatory findings
The watch tracks your menstrual cycle — extremely personal reproductive health data. This data syncs through Huawei's cloud and could be accessed by Chinese intelligence under their national security laws. In places where reproductive health decisions carry legal consequences, having a foreign government potentially able to access your period tracking data alongside your location is a serious privacy risk.

What they claim: Huawei Health app's menstrual cycle tracking collects some of the most sensitive health data possible from users.

What we found: The Watch GT 4 tracks menstrual cycles, which in many jurisdictions constitutes sensitive health data under GDPR Article 9 (special category data) and requires explicit consent. The app requests BODY_SENSORS_BACKGROUND for continuous collection. This data flows through Huawei's cloud infrastructure and is subject to China's National Intelligence Law. In jurisdictions where reproductive health data has legal implications (e.g., states with abortion restrictions), the combination of menstrual cycle data, GPS location tracking, and potential Chinese government access creates a uniquely dangerous data collection scenario.

Security 4/4 EXTREME 3 findings
⚡ high · firmware analysis vs policy claims
Huawei says it takes security seriously, but its own security bulletins reveal multiple serious vulnerabilities in its smartwatch software — including ways for attackers to escalate privileges and bypass permissions. Unlike Android watches where Google provides independent security checks, Huawei's HarmonyOS has no outside security verification. You have to trust Huawei completely because nobody else can check their work.

What they claim: Huawei claims security is a priority and publishes monthly security bulletins for its smart watches.

What we found: In 2024 alone, Huawei disclosed 8 CVEs affecting HarmonyOS wearables, including 4 high-severity vulnerabilities: CVE-2024-32991 (Wi-Fi wpa_supplicant permission bypass), CVE-2024-32990 (permission verification bypass), CVE-2023-52719 (privilege escalation in PMS), and CVE-2024-32997 (binder driver race condition). Unlike Android devices, where Google Play Protect provides independent security verification, HarmonyOS updates are entirely controlled by Huawei with zero third-party audit. Users cannot verify what data a security patch transmits or whether the vulnerabilities are actually fixed.

⚡ high · policy claims vs app permissions
Huawei says your data is locked in an encrypted vault on your phone that even they can't open. But the app runs non-stop in the background, constantly syncs data to Huawei's cloud servers, and connects to multiple Huawei web services. If they really couldn't access your data, why does the app need to send it to their servers around the clock?

What they claim: Huawei claims wearable data is protected with AES CBC 256 encryption in the phone's "privacy sandbox" with a randomly generated key.

What we found: The Huawei Health app requests REQUEST_IGNORE_BATTERY_OPTIMIZATIONS to run continuously, ACCESS_BACKGROUND_LOCATION for persistent location tracking, FOREGROUND_SERVICE_DATA_SYNC for ongoing data transmission, and connects to multiple Huawei cloud endpoints (hicloud.com, dbankcloud.com, hwcloudservice.com). If data were truly encrypted with a key "even Huawei cannot decrypt," there would be no need for continuous cloud sync services, background data transmission, or multiple cloud endpoints. The architecture of always-on cloud connectivity directly contradicts the claim of local-only encrypted storage.

⚫ medium · app permissions vs firmware analysis
Huawei replaced Google's services with its own, which means there's no independent security watchdog checking the software on your watch. Google Play Protect normally scans for threats on Android devices, but HarmonyOS has nothing equivalent from an outside party. You're trusting a company with known security vulnerabilities and Chinese intelligence obligations to police itself.

What they claim: Huawei positions its proprietary HarmonyOS ecosystem as a security advantage, replacing Google services with Huawei Mobile Services.

What we found: The replacement of Google Play Protect with Huawei's own HMS Core means zero independent security verification. The Huawei Health app bundles Huawei Analytics Kit and Huawei Push Kit — Huawei's own versions of Google Analytics and Firebase Cloud Messaging — creating a parallel tracking infrastructure under Huawei's sole control. With 8 CVEs disclosed in 2024 alone for smartwatch firmware and no independent audit mechanism, the proprietary ecosystem concentrates all trust in a single company that is legally obligated to cooperate with Chinese intelligence.

Sources