This topic describes the security of applications that run on Samsung devices.
Web Security Testing Guide
OWASP Secure Software Development Lifecycle
Microsoft Security Development Lifecycle (SDL)
CWE List Version 4.6
Security is becoming an important issue with the increase of various smart devices. To protect the data of users and businesses, Samsung devices are enhancing security at several layers, from hardware to software. As Samsung device applications are also software that runs on Samsung devices, their security needs to be taken into account too.
Samsung device applications can store important information such as code, key values, and the personal information of the user. These are important resources that must be protected.
These resources can be leaked for a variety of reasons, such as a simple mistake by a developer or hacking by an attacker. To safeguard against this, Samsung device applications need to be developed according to Secure by Design. In particular, the handling of the user's personal information should comply with the personal information policy of each country.
All software within the devices developed by Samsung is based on the Secure Development Lifecycle (SDL) model. Development is divided into analysis, design, implementation, and testing steps, and vulnerabilities should be removed by performing a security review at each step.
From the same point of view, applications operating on Samsung devices should maintain the same security level. For this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review.
In order to maintain the security of the application ecosystem, Samsung is performing security checks on the submitted applications.
Figure 1. Application security review process
Samsung checks for risks or misuse cases that may occur due to the submitted applications. If there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it.
This section provides basic security guidelines to consider in the development of applications. For a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase.
Three key factors for data protection are confidentiality, integrity, and availability. If an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers. Protecting sensitive data such as user credentials or personal information is a very important part of application security. If the mechanisms of the operating system are not used correctly, sensitive data can be unintentionally exposed.
Definition of sensitive data:
If the application has a feature that lets the user log in to a remote service, that feature must be built with security in its design. Even when most of the logic is operating on a remote service, the device must also meet security requirements on how to manage user accounts and sessions.
An application can access a resource only if it has been granted access to it.
When the network is used, the application should use a secured channel so that the transmitted and received content is not exposed.
You must defend against command injection (insertion) attacks by validating input values. Input value validation should be considered at all stages of development.
In the case of applications with a separate user password, security settings are required for them.
A session is a technique for controlling and maintaining the status of a user or device interacting with one user in a Web application. A session has a unique value for each user, and that value must not be guessable or shared.
The purpose of error handling is to allow applications to provide security events related to monitoring, status checks, and privilege escalation, and not just to create logs.
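The session requirements above (a unique value per user that cannot be guessed or shared) can be sketched as follows. This is an added example, not Samsung code: all function and variable names are hypothetical, and the 15-minute idle timeout and the one-active-session-per-user rule are assumptions made for illustration.

```javascript
// Added example: minimal in-memory session store. All names are hypothetical.
// Use the platform CSPRNG (Web Crypto); fall back to Node's copy on older runtimes.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed idle timeout
const sessions = new Map();            // token -> { userId, expiresAt }
const activeByUser = new Map();        // userId -> current token

// 32 random bytes (256 bits) from a CSPRNG, hex-encoded: not guessable.
// Math.random() or counters must never be used for this.
function newToken() {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Called after successful login. Always issues a fresh server-generated
// token and invalidates the user's previous one, so a value is never
// reused or shared between sessions.
function createSession(userId, now = Date.now()) {
  const previous = activeByUser.get(userId);
  if (previous) sessions.delete(previous);
  const token = newToken();
  sessions.set(token, { userId, expiresAt: now + SESSION_TTL_MS });
  activeByUser.set(userId, token);
  return token;
}

// Returns the user bound to the token, or null if the token is malformed,
// unknown, or expired. A valid lookup slides the idle timeout forward.
function getSessionUser(token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const session = sessions.get(token);
  if (!session) return null;
  if (now >= session.expiresAt) {
    destroySession(token);
    return null;
  }
  session.expiresAt = now + SESSION_TTL_MS;
  return session.userId;
}

// Called on logout or expiry; returns true if a session was removed.
function destroySession(token) {
  const session = sessions.get(token);
  if (!session) return false;
  if (activeByUser.get(session.userId) === token) activeByUser.delete(session.userId);
  return sessions.delete(token);
}
```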
Check the following before releasing the application.