This topic describes the security of applications that run on Samsung devices.
Web Security Testing Guide
OWASP Secure Software Development Lifecycle
Microsoft Security Development Lifecycle (SDL)
CWE List Version 4.6
Security is becoming an important issue as the number and variety of smart devices increase. To protect the data of users and businesses, Samsung devices enhance security in several layers, from hardware to software. Because Samsung device applications are also software driven by Samsung, their security needs to be taken into account as well.
Samsung device applications can store important information such as code, key values, and the user's personal information, all of which are important resources that must be protected.
These resources can be leaked for a variety of reasons, such as a simple mistake by a developer or hacking by an attacker. To safeguard against this, Samsung device applications need to be developed according to Secure by Design. In particular, the handling of the user's personal information should comply with the personal information policy of each country.
All software within the devices developed by Samsung is based on the Secure Development Lifecycle (SDL) model. Development is divided into analysis, design, implementation, and testing steps, and vulnerabilities should be removed by performing a security review at each step.
From the same point of view, applications operating on Samsung devices should maintain the same security level. For this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review.
Security in the analysis/design phase: You should identify important information that is stored and transferred and ensure that the information is handled safely.
Security in the implementation phase: The application must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities.
Security in the test phase: Security checks must be performed before deployment to prevent security issues, and security must be maintained through maintenance after deployment.
To maintain the security of the application ecosystem, Samsung performs security checks on submitted applications.
Samsung checks for risks or misuse cases that may occur due to the submitted applications. If there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it.
This section provides basic security guidelines to consider in the development of applications. For a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase.
Three key factors for data protection are confidentiality, integrity, and availability. If an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers. It is very important to protect sensitive data such as user credentials or personal information in application security. If the mechanism of the operating system is not used correctly, sensitive data can be unintentionally exposed.
Definition of sensitive data:
Table 1. Data Protection security description and reference links
If the application has a feature that lets the user log in to a remote service, that feature must be built through security design. Even when most of the logic operates on the remote service, the device must also meet security requirements on how to manage user accounts and sessions.
Table 2. Authentication security description
An application can access a resource only if it has been granted access to that resource.
Table 3. Access Control security description and reference links
When the network is used, the application should use a secured channel so that the transmitted and received content is not exposed.
Table 4. Communications security description and reference links
You must defend against command injection attacks by validating input values. Input value validation should be considered at all stages of development.
Table 5. Input Validation security description and reference links
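The following is an added example, not code from Samsung or from this guide, showing allow-list validation of an untrusted value before it is used as a command argument. The function names and the "diag-tool" binary are hypothetical, and the tool is assumed to follow the common convention that "--" ends option parsing.

```javascript
// Added example: allow-list validation of an untrusted host name before it
// is used as a command argument. All names here are hypothetical.

const MAX_HOST_LENGTH = 253;
// One DNS label: ASCII letters and digits, hyphens only inside, 1-63 chars.
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Returns the normalized (lower-case) host name, or throws if invalid.
function validateHost(input) {
  if (typeof input !== "string") {
    throw new TypeError("host must be a string");
  }
  if (input.length === 0 || input.length > MAX_HOST_LENGTH) {
    throw new RangeError("host length out of range");
  }
  // Every label must match the allow-list. This rejects spaces, quotes,
  // ';', '|', '$', backticks, newlines, empty labels, and a leading '-'
  // that a command could otherwise read as an option.
  for (const label of input.split(".")) {
    if (!LABEL.test(label)) {
      throw new RangeError("host contains a disallowed label");
    }
  }
  // Safe to lower-case: the value is known to be plain ASCII here.
  return input.toLowerCase();
}

// Builds an argument vector for the hypothetical "diag-tool" binary.
// An array of arguments is handed to the process API as-is, so no shell
// ever parses the value; "--" marks the end of options as a second guard.
function buildDiagArgs(untrustedHost) {
  const host = validateHost(untrustedHost);
  return ["--count", "1", "--", host];
}

// Boolean wrapper for callers that only need a yes/no answer.
function isValidHost(input) {
  try {
    validateHost(input);
    return true;
  } catch (err) {
    return false;
  }
}
```

The same validator should run wherever the value crosses a trust boundary (UI input, stored settings, data received from a remote service), not only at the point where the command is built.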
If an application uses separate user passwords, security settings are required for them.
Table 6. Password Management security description and reference links
A session is a technique for controlling and maintaining the state of a user or device interacting with a web application. A session has a unique value for each user, and that value must not be guessable or shared.
Table 7. Session Manager security description and reference links
The purpose of error handling is not just to create logs, but to allow applications to provide security events related to monitoring, status checks, and privilege escalation.
Table 8. Error Handling security description
Check the following before releasing the application.
Table 9. Release security description