Create a Health Research App Using Samsung Health Stack

Objective

Create a health research app that collects and processes participants' health data, survey responses, and task results using Samsung Health Stack.

Overview

Samsung Health Stack is an open-source technology stack offering end-to-end solutions for collecting and analyzing data from wearable devices in Android and Wear OS environments. With applications ranging from medical research to clinician services and beyond, this tech stack provides the tools and infrastructure necessary to expedite the development and deployment of health-based studies.

The framework includes:

- Samsung Health Stack App SDK: a software development kit (SDK) for building Android and Wear OS apps capable of collecting data from wearable devices.
- Web Portal: a customizable interface for creating surveys, managing team members, tracking participants, and analyzing data.
- Backend Services: API endpoints to access and interact with a robust data engine.

See the Samsung Health Stack descriptions for detailed information.

Set Up Your Environment

You will need the following:

- An installed and running Samsung Health Stack backend system
- An installed Samsung Health Stack web portal
- The Firebase private key used during the backend system installation
- Android Studio (latest version recommended)
- Android Jetpack Compose (latest version recommended)
- A Samsung Galaxy mobile device with the Health Connect app and the Samsung Health app installed
- A Samsung Galaxy Watch synced to the mobile device
- A Google account

Sample Code

Here is sample code for you to start coding in this Code Lab. Download it and start your learning experience!

Research App Sample Code (4.09 MB)

Create a Firebase Project

Follow the instructions at firebase.google.com/docs/android/setup to add a Firebase project to the Firebase account you created during the backend system installation. Set the applicationId to healthstack.sample and download the resulting google-services.json file from Firebase.
To learn more, see Installing the App SDK - Create a Firebase project.

Create a New Study

Sign in to the web portal page you deployed. On the Study Collection page, click the Create new study button.

Note: Only an account with the Team Admin role can create a new study. See Role-based access control for more details about the differing levels of access permission granted to different roles.

Set your study name and logo, then click the Continue button to create your study. Select the Principal Investigator role and click the Confirm button. The Overview page appears as below.

To connect your app to the backend system of your web portal, you need to know the ID of your study. You can get the study ID by opening Chrome's developer tools: right-click on the web portal page and select Inspect, then open the Network panel. Click Study Settings from the left navigation bar. You can see the activities recorded on the Network tab. The value after projectId= is the ID of the study, which you need to set up in the research app.

Connect the Research App to the Backend System

In Android Studio, click Open to open the project files of the research app. Locate the downloaded Android project (codelab-before) in the directory and click OK.

Copy the google-services.json file downloaded from Firebase into the samples > researchSample module.

Go to samples > researchSample > res > values, and in the strings.xml file set the following values to connect the app to the backend system:

- research_platform_endpoint: the backend system's endpoint, including the port number
- research_project_id: the ID of the study you created

    <!-- Backend integration -->
    <string name="research_platform_endpoint">http://you.must.set.backend.url</string>
    <string name="research_project_id">study_id</string>

Customize the Introduction Page and Eligibility Survey

The sample research app already includes an introduction page and an eligibility survey, which you can customize to align with the objective of your study.
To modify the introduction page and the eligibility survey questions, go to samples > researchSample > java > healthstack.sample and open the OnboardingModule.kt file.

Introduction Page

Go to the IntroModel constructor within the intro function and create two IntroSections as below:

- Overview: "A study on walking over an hour daily versus non-walkers."
- Description: "We want to conduct a study to compare the daily life patterns of people who walk more than an hour each day and those who don't."

    sections = listOf(
        IntroSection(
            "Overview",
            "A study on walking over an hour daily versus non-walkers.",
        ),
        IntroSection(
            "Description",
            "We want to conduct a study to compare the daily life patterns of people " +
                "who walk more than an hour each day and those who don't."
        )
    )

The introduction page would then look as below.

Eligibility Survey

Part of the onboarding process is asking participants questions through an eligibility survey to determine their suitability for your study. The eligibility survey consists of three steps:

- EligibilityIntroStep: displays an introduction to the survey
- EligibilityCheckerStep: displays the eligibility questions
- EligibilityResultStep: displays the result of the survey based on the answers

The EligibilityCheckerStep receives the eligibilityQuestions. Each question can be a ChoiceQuestionModel, DateTimeQuestionModel, or MultiChoiceQuestionModel, depending on the type of survey question model you set.

Modify the eligibility question pages as below:

Eligibility question 1
  type: ChoiceQuestionModel
  id: average_walking_time
  query: How many minutes on average do you spend walking each day?
  explanation: Unit: minute
  candidates: listOf(0, 30, 60, 90, 120)
  viewType: Slider

Eligibility question 2
  type: ChoiceQuestionModel
  id: tracking_device
  query: Are you willing to wear a tracking device to monitor your daily walking activity?
  candidates: listOf("Yes, I'm willing to use a tracking device", "No, I'm not comfortable using any tracking device")
  answer: Yes, I'm willing to use a tracking device

Eligibility question 3
  type: ChoiceQuestionModel
  id: participate
  query: Are you available and willing to commit to participating in the study for a specified duration?
  candidates: listOf("Yes, I'm available and willing to commit", "No, I'm not available or willing to commit")
  answer: Yes, I'm available and willing to commit

    private val eligibilityQuestions: List<QuestionModel<Any>> = listOf(
        ChoiceQuestionModel(
            id = "average_walking_time",
            query = "How many minutes on average do you spend walking each day?",
            explanation = "Unit: minute",
            candidates = listOf(0, 30, 60, 90, 120),
            viewType = Slider
        ),
        ChoiceQuestionModel(
            id = "tracking_device",
            query = "Are you willing to wear a tracking device to monitor your daily walking activity?",
            candidates = listOf(
                "Yes, I'm willing to use a tracking device",
                "No, I'm not comfortable using any tracking device"
            ),
            // The answer must match one candidate exactly; it acts as the pass condition.
            answer = "Yes, I'm willing to use a tracking device"
        ),
        ChoiceQuestionModel(
            id = "participate",
            query = "Are you available and willing to commit to participating in the study for a specified duration?",
            candidates = listOf(
                "Yes, I'm available and willing to commit",
                "No, I'm not available or willing to commit"
            ),
            answer = "Yes, I'm available and willing to commit"
        )
    )

You can make a pass condition for each question by setting the answer field; a question without an answer field (such as the slider above) has no pass condition. A failed result means the participant is not eligible for the study.

After defining the eligibility questions, the eligibility survey pages would look as below.

Set Health Data Permissions

You can request permission to collect health data from your study participants. However, before requesting permissions, your app must first declare them in the manifest. Go to the researchSample module > res > values.
In health_permissions.xml, declare permissions to read or write data on Health Connect for the Steps, SleepSession, SleepStage, OxygenSaturation, and BloodPressure data types.

Note: Permission to read and write HeartRate data is already declared in the project.

    <item>androidx.health.permission.Steps.READ</item>
    <item>androidx.health.permission.Steps.WRITE</item>
    <item>androidx.health.permission.SleepSession.READ</item>
    <item>androidx.health.permission.SleepSession.WRITE</item>
    <item>androidx.health.permission.SleepStage.READ</item>
    <item>androidx.health.permission.SleepStage.WRITE</item>
    <item>androidx.health.permission.OxygenSaturation.READ</item>
    <item>androidx.health.permission.OxygenSaturation.WRITE</item>
    <item>androidx.health.permission.BloodPressure.READ</item>
    <item>androidx.health.permission.BloodPressure.WRITE</item>

Tip: For more information, see the list of data types and permissions.

Then go back to the healthstack.sample folder. In ResearchApplication.kt, request permissions from the participants to collect the required health data:

    val healthDataRequired = listOf("HeartRate", "SleepSession", "SleepStage", "BloodPressure", "Steps", "OxygenSaturation")

Tip: See the list of health data types you can collect on Health Connect.

Set the Sync Interval and Choose Health Data to Display

You can set the sync interval per health data type. However, it is recommended to set a minimum interval of 15 minutes because the app uses Android's WorkManager.

Tip: To learn more about WorkManager, see PeriodicWorkRequest.
In MainActivity.kt, set healthDataSyncSpecs as below:

    Health data type      Sync interval
    HeartRate             15 minutes
    Steps                 20 hours
    SleepSession          1 day
    SleepStage            1 day
    OxygenSaturation      30 minutes
    BloodPressure         30 minutes

    val healthDataSyncSpecs = listOf(
        SyncManager.HealthDataSyncSpec("HeartRate", 15, TimeUnit.MINUTES),
        SyncManager.HealthDataSyncSpec("Steps", 20, TimeUnit.HOURS),
        SyncManager.HealthDataSyncSpec("SleepSession", 1, TimeUnit.DAYS),
        SyncManager.HealthDataSyncSpec("SleepStage", 1, TimeUnit.DAYS),
        SyncManager.HealthDataSyncSpec("OxygenSaturation", 30, TimeUnit.MINUTES),
        SyncManager.HealthDataSyncSpec("BloodPressure", 30, TimeUnit.MINUTES),
    )

You can also choose which data types are displayed in the research app. The status card for heart rate is already set to display. To show other status cards, such as SleepSessionStatus, add them to the healthDataToDisplay list:

    val healthDataToDisplay = listOf(HeartRateStatus, SleepSessionStatus, TaskStatus)

Run the App, Join the Study, and Sync Your Health Data

Build and run the app on a Samsung Galaxy mobile device. Ensure that the Samsung Health app and the Health Connect app are installed on the device and that a Galaxy Watch is connected.

Note: Reset the app to its initial state by clearing its data. Go to your phone's Settings, then swipe to and tap Apps. Select or search for the researchSample app. Tap Storage, tap Clear data, and then tap OK.

In the research app, you can join the study by signing in with your Google account after passing the eligibility survey, providing consent, and allowing data access to Health Connect. The research app shows your heart rate data (bpm) and the time you spent sleeping (hrs) based on the data from your Galaxy Watch and mobile device.

Note: The data shows and updates in the app according to the sync interval you set. If you want the heart rate data to display immediately, you can measure your heart rate manually using the Galaxy Watch, then tap the Sync health data button in the research app's settings.
Check Health Connect's recent logs if data is not showing or updating.

The web portal also displays and processes the data from the research. To see the average heart rate data, go to the Overview section. Scroll to the Participant List table, then click the participant's data row. The participant management page shows the health data collected on average, such as heart rate.

Create a Survey Task

A survey is a sequence of questions that collect information from the participants in your study. In this step, create a survey task and see the result in the web portal.

Go to the Study Management section and expand Task Management. Open the Surveys tab and click the Create survey button in the top right corner. Set the survey title to Daily Survey. Then write three questions as below:

After writing all the survey questions, click the Publish button. Set the frequency to Daily and the publish time as early as possible. Then click the Publish button in the bottom right corner. You can find your survey task in the Published list.

Go to the research app and tap the Refresh button next to Upcoming tasks or Today to see the survey you created. Answer and complete the survey task.

Go back to the web portal and click your survey task in the Published list. Reload the web page or log in again to get the result. You can see the survey report in the Responses and Analytics tabs.

Create an Activity Task

Activities allow researchers to collect specific types of data from users. For this study, add an activity to collect measurements related to manual dexterity.

In Study Management, go to the Activities tab and click the Create activity button. Select Motor for the activity category and choose Tapping Speed. Click the Create button. Click the Publish button on the task edit page. Set the frequency to Daily and the publish time as early as possible. Then click the Publish button. You can find your activity task in the Published list.
In the research app, tap the Refresh button to see the newly added activity. Open and perform the activity task. In the web portal, click your activity task in the Published list. Enter the participant ID to see the collected data.

You're Done!

Congratulations! You have successfully achieved the goal of this Code Lab. Now you can create your own research app that collects and processes users' health data, survey answers, and activity task results for research purposes!

If you face any trouble, you may download this file: Research App Complete Code (4.09 MB)

To learn more, see Samsung Health Stack.
Overview

The Galaxy Watch 5 has been extensively tested for compatibility with this tech stack. Other devices may work but have not been officially tested.

You can start by installing the components of the tech stack. Here are the links to the installation guides:

- Installing the Backend System
- Installing the App SDK
- Installing the Web Portal

Samsung Health Stack App SDK

The App SDK simplifies the creation of mobile apps that collect data from participants. It provides building blocks for participant onboarding and consent, survey presentation, participant task creation, visual reporting, and data management. For further details, please check the SDK documentation.

Web Portal

The web portal is a dashboard for interactive data visualization and study management. It offers a platform for managing research team members, creating and deploying app content such as participant surveys, tracking study participant activity, and analyzing participant data. Please note that, as of now, Chrome is the only browser supported for accessing the web portal.

Backend Services

The backend services provide a set of API endpoints for data storage, retrieval, and analysis.
This allows your application to interact with the data engine, performing operations as needed. For more details, visit the REST API documentation.

How Does It All Fit Together?

Contributing

As an open-source project, Samsung Health Stack welcomes contributions from the developer community. If you'd like to contribute, check out Contributing to the Open Source Project.

Samsung Health Stack strives to make the process of creating and managing health studies more efficient and accessible. Through its comprehensive suite of tools and services, it serves as a robust foundation for health-based projects.
Q: Missing google-services.json file in the source code for Firebase integration.
A: The app uses Firebase to provide third-party login to users. The google-services.json file must be included in the source code. A reference for integrating it can be found here.

Q: Need guidance on backend installation for the app.
A: The app fetches project information such as surveys and activity tasks from the backend. For testing, it is recommended to follow the backend installation guide instead of integrating your own backend system. Detailed instructions can be found here.

Q: Error encountered while trying to build the modules related to healthstack.sample.
A: The error seems to arise from a missing client for the package name 'healthstack.sample'. Ensure that the correct configurations are available and that the associated files for this client are not missing.

Q: Possibility of using the graphics and UI from the Samsung Health app in the new build.
A: (No specific answer provided in the email chain; would need further follow-up.)

Q: How to capture and export accelerometry continuously, not just during the activity task?
A: The app regularly sends over health data logged by Health Connect at intervals that can be set by the user. Sensor data related to each activity task is collected and synced when the activity is conducted. Specific activity tasks and their associated sensor types were provided.

Q: Which data types from Health Connect can be utilized?
A: The app can utilize all data types supported by Health Connect. By modifying the healthDataRequired list, you can adjust the app to collect additional data types recorded by Health Connect. However, for the app to receive data, that data needs to exist in Health Connect.

Q: Resolution to ./gradlew clean failing for app-sdk?
A: This appears to be an issue with the system failing to communicate with the Gradle plugin repository. Ensure that your system is online, and if you are using a proxy environment, check the proxy settings.
If a proxy is in use, the issue might be an SSL handshake failure. Check the SSL settings and proxy configuration.
Open Source

Samsung Automation Studio is one way to integrate Samsung services with open source or third-party services. We are actively using open source and trying to contribute to the open source ecosystem. Check out the following article: Samsung Electronics Migrates IoT Developer Tools to Cloud Foundry Based on Node-RED.

Samsung Automation Studio was forked from Node-RED version 0.17.5 and developed to support the easy development of SmartThings automation webhooks in early 2016.

Low-code Programming for Event-driven Applications

Node-RED is a programming tool for wiring together hardware devices, APIs, and online services in new and interesting ways. It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette, which can be deployed to its runtime in a single click.

Flow-based Programming

Invented by J. Paul Morrison in the 1970s, flow-based programming is a way of describing an application's behavior as a network of black boxes, or "nodes" as they are called in Node-RED. Each node has a well-defined purpose: it is given some data, it does something with that data, and then it passes that data on. The network is responsible for the flow of data between the nodes.

It is a model that lends itself very well to a visual representation and makes it more accessible to a wider range of users. If someone can break down a problem into discrete steps, they can look at a flow and get a sense of what it is doing without having to understand the individual lines of code within each node.

More details are available at nodered.org.

Contributions

The Samsung Automation Studio team has published custom nodes on the Node-RED site. We are improving them through open source; see the following GitHub repository: https://github.com/samsung/samsungautomationstudio. And we continue to engage with the Node-RED community.
Running on Cloud Foundry

Automation Studio deploys flows in secured and isolated containers whose health and lifecycles are managed automatically by the reliable container platform (CF).

Cloud Platform

Cloud platforms let anyone deploy network apps or services and make them available to the world in a few minutes. When an app becomes popular, the cloud scales it to handle more traffic, replacing build-out and migration efforts that once took months with a few keystrokes. Cloud platforms enable you to focus exclusively on your apps and data without worrying about the underlying infrastructure. The following diagram shows the layers of a typical technology stack and compares the traditional IT model to the cloud platform model.

About the Cloud Foundry Platform

This section describes why Cloud Foundry is an industry-standard cloud platform. Not all cloud platforms are created equal. Some have limited language and framework support, lack key app services, or restrict deployment to a single cloud. As an industry-standard cloud platform, Cloud Foundry offers the following:

- Open source code: the platform's openness and extensibility prevent its users from being locked into a single framework, set of app services, or cloud.
- Deployment automation: developers can deploy their apps to Cloud Foundry using their existing tools and with zero modification to their code.
- Flexible infrastructure: you can deploy Cloud Foundry to run your apps on your own computing infrastructure, or deploy on an IaaS like vSphere, AWS, Azure, GCP, or OpenStack.
- Commercial options: you can also use a PaaS deployed by a commercial Cloud Foundry cloud provider.
- Community support: a broad community contributes to and supports Cloud Foundry.

Cloud Foundry is ideal for anyone interested in removing the cost and complexity of configuring infrastructure for their apps. More details are available at cloudfoundry.org.

Get Started - Samsung Automation Studio (Beta)
Application Security

This topic describes the security of applications that run on Samsung devices.

Related Info

- Web Security Testing Guide
- OWASP Secure Software Development Lifecycle
- Microsoft Security Development Lifecycle (SDL)
- CWE List Version 4.6

Overview

Security is becoming an important issue with the increase of various smart devices. In order to protect the data of users and businesses, Samsung devices are enhancing security in several layers, from hardware to software. As Samsung device applications are also software driven by Samsung, their security needs to be taken into account. Samsung device applications can store important information such as code, key values, and the user's personal information, which is an important resource that must be protected. These resources can be leaked for a variety of reasons, such as a simple mistake by a developer or hacking by an attacker. To safeguard against this, Samsung device applications need to be developed according to secure by design. In particular, the handling of the user's personal information should comply with each country's personal information policy.

Secure by Design

All software within devices developed by Samsung is based on the Secure Development Lifecycle (SDL) model: development is divided into analysis, design, implementation, and testing steps, and vulnerabilities are removed by performing a security review at each step. From the same point of view, applications operating on Samsung devices should maintain the same security level. For this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review.

Security in the analysis/design phase: You should identify the important information that is stored and transferred and ensure that the information is handled safely.
If you receive user input, you should review that you do not require more information than you need and that there is no issue with the input format. You must identify the important information to be used and ensure that it is not displayed in vulnerable areas in the flow of the program. In particular, when transmitting important information outside the device, you need to ensure that the app communicates with the specified server through a secured channel. At design time, you must first define the important information that needs to be protected and design a proper manner of protecting it.

Security in the implementation phase: The application must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities. Important information identified in the design phase should be stored using security techniques such as encryption, and you should make sure that it does not exist in plain text within the program. Establish secure coding rules for each language and proceed with development accordingly. You must use only the minimum permissions required and notify the user of the permissions you use. You should make sure that the secure channel is properly set up on the network and that the latest version of the technology is applied. If you use encryption algorithms, you must use them securely, using verified standard algorithms for which no vulnerabilities have been reported.

Security in the test phase: Security checks must be performed before deployment to prevent security issues, and security must be maintained through maintenance after deployment. Before deployment, it is necessary to verify that there is no issue with the analysis, design, and implementation when actually operated, through simulated hacking, packet checking, etc. After deployment, if a new vulnerability is found or a modification is required by the security check, it must be patched and applied to all users as soon as possible.
Security Review Process

In order to maintain the security of the application ecosystem, Samsung performs security checks on submitted applications. Samsung checks for risks or misuse cases that may occur due to the submitted applications, and if there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it.

Application Security Guide

This section provides basic security guidelines to consider in the development of applications. For a safe and reliable application running environment, we recommend that you address the following points in the development phase.

Data Protection

The three key factors of data protection are confidentiality, integrity, and availability. If an application sends or stores sensitive information, the application must encrypt the data stored on the device and protect it from attackers. It is very important to protect sensitive data such as user credentials or personal information. If the mechanisms of the operating system are not used correctly, sensitive data can be unintentionally exposed.

Definition of sensitive data:

- Personally identifiable information that can be exploited for identity theft: for example, resident registration number, social security number, credit card number, bank account number, health information, etc.
- Sensitive data that can lead to loss of reputation or loss of money if leaked
- All data that must be protected for legal or compliance reasons

Security item: Data protection

- Sensitive data, such as passwords or PIN data, should not be exposed through the user interface.
- The key values used by the application must not be hardcoded or stored in plain text.
- Sensitive data should not be stored in an application container or external storage.
- Sensitive data should not be recorded in the application log.
- Sensitive data should not be shared with third parties unless it is necessary in the architecture.
- The keyboard cache must be disabled for text inputs that process sensitive data.
- Sensitive data should not be exposed even during internal communication.
- You should ensure that data stored in client-side storage (e.g., HTML5 local storage, session storage, IndexedDB, regular cookies, or Flash cookies) does not contain sensitive data.
- Make sure that you have provided clear terms and conditions for the collection and use of the provided personal information, and that you have obtained selective consent to the use of that data before you use it.

Reference links:

- European Union General Data Protection Regulation (GDPR) overview
- European Union Data Protection Supervisor - Internet Privacy Engineering Network
- Application Development Privacy Guide

Table 1. Data protection security description and reference links

Authentication

If there is a feature for the user to log in to a remote service, it must be configured through secure design. Even when most of the logic operates on a remote service, the device must also meet security requirements on how user accounts and sessions are managed.

Security item: Authentication

- If the application provides remote services to the user, user name and password authentication must be performed by the remote service.
- If you use stateful session management, the remote service must authenticate client requests using a randomly generated session identifier, without sending the user's credentials.
- If you use stateless token-based authentication, the remote service must provide tokens signed using secure algorithms.
- When a user logs out, the remote service must end the existing session.

Table 2. Authentication security description

Access Control

An application can access a resource only if it has been granted access to it.

Security item: Access control

- The application must require only the minimum access needed.
- The application must use privileges that match the permissions and specify the privileges used.
- When accessing user data, make sure that the principle of least privilege is followed.
- Applications must access APIs, data files, URLs, controllers, directories, services, and other resources with the minimum access required.
- You should verify and process all input from external resources and users. This includes data received through the UI, user-defined URLs, inter-process communication (IPC), etc.
- If an application uses a completely unprotected custom URL, you should not expose sensitive information through it.
- Important data or APIs must be protected from access by users other than the data owners.

Reference links: OWASP Cheat Sheet: Access Control

Table 3. Access control security description and reference links

Communications

When the network is used, the application should use a secured channel so that the transmitted/received content is not exposed.

Security item: Communications

- Data must be encrypted on the network using TLS (Transport Layer Security).
- Secure channels must be used consistently throughout the application.
- The secure channel must be configured to protect information safely.
- The data being transmitted must be protected from being intercepted or taken over in the middle (e.g., defence against man-in-the-middle attacks).

Reference links: OWASP - TLS Cheat Sheet

Table 4. Communications security description and reference links

Input Validation

You must defend against command injection attacks by validating input values. Input value validation should be considered at all stages of development.

Security item: Input validation

- Input values must be processed based on their type and content, applicable laws, regulations, and other policy compliance, with defined handling for each case.
- You must ensure that input validation is performed on a trusted service layer.
- You need to check that the application protects against parameter attacks such as mass parameter assignment or unsafe parameter assignment.
- All possible input values (e.g., HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc.) must be checked using validation (e.g., a whitelist).
- You should check whether the entered values are in the correct form according to well-defined schemas, including allowed characters, lengths, and patterns.
- URL redirection and forwarding should either allow only whitelisted targets or display a warning that you are connecting to potentially untrusted content.
- Make sure you use memory-safe strings, secure memory copying, and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.
- To prevent integer overflow, make sure that sign, range, and input validation techniques are used.

Reference links:

- XML External Entity (XXE) Prevention Cheat Sheet
- Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems

Table 5. Input validation security description and reference links

Password Management

For applications with per-user passwords, the following security settings are required.

Security item: Password management

- You must ensure that the password does not contain spaces and that cut/copy cannot be performed on it.
- In the password change feature, check that both the user's current password and the new password are required.
- It is recommended to provide a password strength meter so that users can set a stronger password. It is also recommended to provide rules that limit the allowed character types (uppercase letters, numerals, special characters).
- You should check that users are recommended to change their password within the right due date.
- Do not store the user password in the application's properties or settings file in plain text or in a recoverable form.
- Passwords must be stored, transferred, and compared in a hashed state using a standard hash function.
to prevent random attacks, you should use the login limit(number of login) or captcha. default password should not be generated. make sure you do not show the key information, like passwords in the log. reference links:cwe-804: guessable captchacwe-836: use of password hash instead of password for authenticationcwe-257: storing passwords in a recoverable formatcwe-261: weak encoding for passwordcwe-263: password aging with long expiration table 6. password management security description and reference links session manager a session is a technique for controlling and maintaining the status of a user or device interacting with one user in a web application. a session has a unique value for each user and cannot guess or share that value. security item description session manager you should check that the session token is not exposed/displayed in the application's url parameter or error message. make sure the application generates a new session token from user authentication. you should check that the session token is stored using properly secured cookies or security methods. you should check that a session token is generated using a standard encryption algorithm. make sure the session is not reused by verifying that the session token is invalid when logout and session expires. reference links:owasp session management cheat sheetalgorithms, key size and parameters report 2014 table 7. session manager security description and reference links error handling the purpose of error handling is to allow applications to provide security events related to monitoring, status check, and increase in permission, and not just creating logs. security item description error handling you must ensure that common error handling formats and access method are used. you must make sure exception handling is used on the code base to explain expected and unexpected error conditions. you must ensure that other error handlers that can prepare all unprocessed exceptions are defined. 
in case of an error, you must make sure that the message shown to the user does not contain application-related technical or sensitive information. we recommend using separate error codes for error support.. table 8. error handling security description release check the following before releasing the application. security item description release application must be signed and distributed with a valid certificate, and the private key must be properly protected. debugging code and developer support code (test code, back door, hidden settings, etc.) must be removed. deployed applications should not output or record detailed errors or debugging messages. libraries and frameworks etc. used by applications should be checked for known vulnerabilities. the equipment used for release must be able to respond to external threats (viruses, hacking, etc.). it should be built in release mode. a separate debug message should not be left from the application. if you include binary, debug information should be removed. if a vulnerability occurs after release, you should update the application as soon as possible and always keep the latest version. table 9. release security description
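The following examples are added here to illustrate the tables above; they are not code from this page or from Samsung Health Stack. The first concerns Table 4 (communications): a client TLS context that skips verification beside one configured to verify the certificate chain and hostname and to require TLS 1.2 or newer, using Python's standard `ssl` module. The function names are assumptions for the example.

```python
import ssl


def insecure_context():
    """What NOT to ship: no chain verification, no hostname check,
    and the oldest protocol the local OpenSSL build still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate: MITM-able
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Verify the server certificate chain and hostname against the platform
    trust store and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_acceptable(ctx):
    """Policy check usable as a startup self-test: every client context the
    app creates must pass this before it is used for a connection."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

Wiring `context_is_acceptable` into a unit test catches a context that a later change quietly weakens.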
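For Table 5 (input validation), an added example, not from the page, of whitelist-style validation: a schema that fixes allowed characters, lengths and a numeric range per parameter, rejection of any parameter not in the schema (which blocks mass assignment), and a redirect target check that admits only whitelisted hosts. The schema entries, the host list and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Allowlist schema (constructed for this example): each accepted parameter
# declares its character pattern, length bounds and, for numbers, a range.
# Parameters not in the schema are rejected, which blocks mass assignment of
# fields the client was never meant to set.
SCHEMA = {
    "username": {"pattern": re.compile(r"[a-z0-9_]+"), "min": 3, "max": 32},
    "age": {"pattern": re.compile(r"[0-9]{1,3}"), "min": 1, "max": 3, "range": (0, 150)},
}

# Hosts the app may redirect to; anything else is refused rather than warned about.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "login.example.com"}


def validate_params(params):
    """Validate a dict of raw string inputs; return (clean_values, errors)."""
    clean, errors = {}, []
    for key, value in params.items():
        rule = SCHEMA.get(key)
        if rule is None:
            errors.append(f"{key}: not an accepted parameter")
        elif not isinstance(value, str):
            errors.append(f"{key}: wrong type")
        elif not (rule["min"] <= len(value) <= rule["max"]):
            errors.append(f"{key}: length out of bounds")
        elif not rule["pattern"].fullmatch(value):
            errors.append(f"{key}: disallowed characters")
        elif "range" in rule and not (rule["range"][0] <= int(value) <= rule["range"][1]):
            errors.append(f"{key}: value out of range")   # sign and range check
        else:
            clean[key] = int(value) if "range" in rule else value
    return clean, errors


def safe_redirect_target(url):
    """Return url only if it is an absolute https URL to an allowlisted host.
    urlsplit().hostname strips userinfo and port, so 'https://app.example.com@evil'
    resolves to the real host 'evil' and is refused."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url
```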
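For Table 6 (password management), an added example, not from the page, covering the rules it lists: a policy check (no spaces, required character types), salted PBKDF2-HMAC-SHA256 hashing with constant-time comparison so only a hash is ever stored or compared, a change flow that demands the current password, and a failed-login limit. The iteration count, lockout threshold and function names are assumptions for this example.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 100_000  # constructed for this example; raise it for production
MAX_FAILED_LOGINS = 5        # assumed lockout threshold

def check_password_policy(password):
    """Return the list of rule violations (empty means acceptable)."""
    rules = [
        (" " in password, "no spaces allowed"),
        (len(password) < 8, "at least 8 characters"),
        (not re.search(r"[A-Z]", password), "needs an uppercase letter"),
        (not re.search(r"[0-9]", password), "needs a digit"),
        (not re.search(r"[^A-Za-z0-9]", password), "needs a special character"),
    ]
    return [msg for failed, msg in rules if failed]

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this string is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def change_password(current, new, stored):
    """The change flow needs the current password and a policy-compliant new one."""
    if not verify_password(current, stored):
        raise PermissionError("current password is wrong")
    if problems := check_password_policy(new):
        raise ValueError("; ".join(problems))
    return hash_password(new)

def login(user, password, stored, failures):
    """failures maps user -> failed-attempt count; lock out after the limit."""
    if failures.get(user, 0) >= MAX_FAILED_LOGINS:
        return "locked"
    if verify_password(password, stored):
        failures.pop(user, None)
        return "ok"
    failures[user] = failures.get(user, 0) + 1
    return "denied"
```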
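For Table 7 (session manager), an added example, not from the page, of a server-side session store: tokens come from the OS CSPRNG via the `secrets` module, a fresh token replaces the pre-login one on authentication, tokens are dropped on logout and on expiry so they cannot be reused, and the cookie is flagged so the token stays out of URLs and script reach. The timeout value and names are assumptions for this example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumed idle timeout for the example


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # token -> {"user": ..., "expires": ...}
        self._clock = clock   # injectable so expiry can be tested

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user,
                                 "expires": self._clock() + SESSION_TTL_SECONDS}
        return token

    def authenticate(self, old_token, user):
        """Issue a new token after login; the pre-login token is destroyed,
        so a token planted before authentication (fixation) is worthless."""
        self._sessions.pop(old_token, None)
        return self.create(user)

    def lookup(self, token):
        """Return the user for a live token; expired or unknown tokens yield
        None and an expired entry is removed on the spot."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[token]
            return None
        return entry["user"]

    def logout(self, token):
        """Invalidate the token server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps scripts away from the token, Secure keeps
    it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```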
