
Monday, 5 July 2021

Security Checklist II


This is the second part of the Mobile App testing checklist series. The first part is presented here. Continuing the series, we present a checklist of test cases for some more categories.

Network Communication Requirements



Apps serve as the front end and frequently make network calls to backend systems. This interaction involves exchanging critical information such as personal details and bank information. Communication with external systems, particularly over the WWW, requires that the data be sent over a secure channel to prevent it from being compromised.

For Android and iOS

  • Verify all network traffic goes over SSL/TLS.
  • Verify SSL pinning is enabled, i.e. using MITM tools like Charles, verify that the HTTPS traffic cannot be decrypted.

Platform Interaction Requirements

Modern smartphones offer a bevy of features: camera, location, Bluetooth, gyroscope, and many more. Apps that use any such feature have to ask for the user’s consent to use it. It is necessary to verify that the user is prompted to wilfully permit the app to use any feature outside of itself.

For Android

  • Verify dangerous permissions: for all of the permissions below, an explicit prompt should be displayed to the user.
      • READ_CALENDAR
      • WRITE_CALENDAR
      • READ_CALL_LOG
      • WRITE_CALL_LOG
      • PROCESS_OUTGOING_CALLS
      • CAMERA
      • READ_CONTACTS
      • WRITE_CONTACTS
      • GET_ACCOUNTS
      • ACCESS_FINE_LOCATION
      • ACCESS_COARSE_LOCATION
      • RECORD_AUDIO
      • READ_PHONE_STATE
      • READ_PHONE_NUMBERS
      • CALL_PHONE
      • ANSWER_PHONE_CALLS
      • ADD_VOICEMAIL
      • USE_SIP
      • BODY_SENSORS
      • SEND_SMS
      • RECEIVE_SMS
      • READ_SMS
      • RECEIVE_WAP_PUSH
      • RECEIVE_MMS
      • READ_EXTERNAL_STORAGE
      • WRITE_EXTERNAL_STORAGE
  • Verify unnecessary permissions are not declared in the AndroidManifest.xml file.
  • Verify app authentication is required when using deep links in the app.
  • If WebViews are displayed inside the app, ensure the URL is HTTPS and the traffic cannot be decrypted via Charles.
  • Disable local file access in code. Check with the developer that these restrictions are in place:
      • webView.getSettings().setAllowFileAccess(false);
      • webView.getSettings().setAllowFileAccessFromFileURLs(false);
      • webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
      • webView.getSettings().setAllowContentAccess(false);
  • Verify that the app can be force updated.

For iOS

  • Verify the app asks the user for permission for the following:
      • Bluetooth peripherals
      • Calendar data
      • Camera
      • Contacts
      • Health sharing
      • Health updating
      • HomeKit
      • Location
      • Microphone
      • Motion
      • Music and the media library
      • Photos
      • Reminders
      • Siri
      • Speech recognition
      • TV provider
  • Verify app authentication is required when using deep links in the app.
  • Verify WebViews only load HTTPS content. Check the code for WKWebView and verify that the flag “hasOnlySecureContent” is true.
  • Verify WebView traffic cannot be decrypted via Charles.
  • Verify both allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs are set to “0” on the WebViews. Check with the developers.
  • Verify that the app can be force updated.

Code Quality and Build Setting Requirements

Apps have at least two configurations. The first is a debug version, where the app is not yet optimized for release or customer use. For example, logs would be enabled in the debug version to track bugs while developing, and the app can get away with being slower and “fatter”. The second is a production version, meant for end users. Here the app is “thinned” down for the target device on which it runs, and this version is optimized. So when it comes to the production version of the app, it is essential to test the build settings and other aspects used only for the debug version, so that they do not leak into the production version.

For Android

  • Verify the APK is signed correctly. Test using the following command:
      • apksigner verify --verbose Desktop/example.apk

Output like the following should be displayed:

Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1

  • Verify the store build is generated as a “Release” build and not a “Debug” build.
  • Using apktool, decompile the APK and check AndroidManifest.xml; android:debuggable should be false.
  • Verify the APK is obfuscated (i.e. ProGuard is enabled) and no sensitive data is visible. Decompile the APK using apktool, convert classes.dex to a .jar using d2j-dex2jar, and view the jar file in JD-GUI.
  • Verify all debug logs are disabled. Run adb logcat and check whether the app is logging any sensitive information.
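The Android platform-interaction and build-setting checks above can be scripted against the artifacts the checklist already tells you to produce (an apktool-decoded AndroidManifest.xml and the output of apksigner verify --verbose). The following is an added example, not code from the original post; the manifest and apksigner output are constructed samples, and the permission set is the one listed in this checklist.

```python
"""Checklist helper (added example): flag dangerous permissions, android:debuggable
and the apksigner signing summary for a release build."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous permissions from the checklist above; each needs a runtime prompt.
DANGEROUS_PERMISSIONS = {
    "READ_CALENDAR", "WRITE_CALENDAR", "READ_CALL_LOG", "WRITE_CALL_LOG",
    "PROCESS_OUTGOING_CALLS", "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "RECORD_AUDIO", "READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE",
    "ANSWER_PHONE_CALLS", "ADD_VOICEMAIL", "USE_SIP", "BODY_SENSORS",
    "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest (as apktool would decode it): two dangerous
# permissions, one normal permission, and android:debuggable left enabled.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Demo" android:debuggable="true"/>
</manifest>
"""

# Constructed sample of `apksigner verify --verbose` output.
SAMPLE_APKSIGNER_OUTPUT = """Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
"""


def dangerous_permissions(manifest_xml: str) -> list:
    """Return the dangerous permissions declared in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    found = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name", "")
        short = name.rsplit(".", 1)[-1]  # android.permission.CAMERA -> CAMERA
        if short in DANGEROUS_PERMISSIONS:
            found.append(short)
    return sorted(found)


def is_debuggable(manifest_xml: str) -> bool:
    """True when <application android:debuggable="true"> is set."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"


def parse_apksigner(output: str) -> dict:
    """Extract which signature schemes verified and the signer count."""
    schemes = {m.group(1): m.group(2) == "true" for m in
               re.finditer(r"Verified using (v\d) scheme[^:]*: (true|false)", output)}
    signers = re.search(r"Number of signers: (\d+)", output)
    return {"schemes": schemes, "signers": int(signers.group(1)) if signers else 0}


def release_build_findings(manifest_xml: str, apksigner_output: str) -> list:
    """Checklist verdicts for a store build; an empty list means nothing to report."""
    findings = []
    if is_debuggable(manifest_xml):
        findings.append("android:debuggable=true in AndroidManifest.xml (debug build shipped)")
    sig = parse_apksigner(apksigner_output)
    if not sig["schemes"].get("v2") and not sig["schemes"].get("v3"):
        findings.append("APK not verified with signature scheme v2 or v3")
    if sig["signers"] != 1:
        findings.append(f"unexpected signer count: {sig['signers']}")
    for perm in dangerous_permissions(manifest_xml):
        findings.append(f"dangerous permission {perm}: confirm a runtime prompt is shown")
    return findings


if __name__ == "__main__":
    for line in release_build_findings(SAMPLE_MANIFEST, SAMPLE_APKSIGNER_OUTPUT):
        print("-", line)
```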

For iOS

  • Check that the IPA is built in Release mode and not in Debug mode. Use Xcode and check whether the app can be debugged.
  • Check that all debug logs are disabled and no sensitive information is logged in Xcode.
  • Verify “Strip Debug Symbols During Copy”, “Strip Linked Product” and “Strip Swift Symbols” are set to Yes in the Xcode build settings.
  • Check for vulnerabilities in 3rd party Pods. Run OWASP’s Dependency-Check tool:
      • dependency-check --enableExperimental --out . --scan Podfile.lock

Resiliency

For Android

  • Verify the APK does not launch on rooted devices.
  • A checksum of the APK should be created and validated against the server every time the app is launched.

For iOS

  • Verify the app does not launch on jailbroken phones.
  • Obfuscate the code with iXGuard and verify via the MachOView tool.

Sunday, 27 June 2021

How does MQTT work in IoT projects?

 

If you think that the internet has changed your life, think again. The IoT is about to change it all over again!

What Is IoT?

The Internet of Things, or IoT, refers to the billions of physical devices around the world connected to each other via the Internet, collecting and sharing data. Connecting up all these different objects and adding sensors to them adds a level of intelligence to these devices, enabling them to communicate real-time data without involving a human being. These devices range from ordinary household objects like bulbs and thermostats to sophisticated industrial tools, computers, etc. Previously Bluetooth and RF (radio frequency) were used to control IoT applications, but they were limited to a short distance. Adding MQTT capabilities can help in overcoming inter-communication problems by securely automating IoT appliances.

What Is MQTT?

MQTT is one of the most commonly used protocols in IoT projects. MQTT (Message Queuing Telemetry Transport) is a messaging protocol that works on top of the TCP/IP protocol. MQTT can also run on SSL/TLS. SSL/TLS is a secure protocol built on TCP/IP to ensure that all data communication between devices is encrypted and secure. MQTT is a lightweight protocol that uses publish/subscribe operations to exchange data between clients and the server. Furthermore, its small size, low power usage, minimized data packets and ease of implementation make the protocol ideal for the “machine-to-machine” or “Internet of Things” world. Unlike HTTP’s request/response paradigm, MQTT is event-driven, and clients receive published messages. This type of architecture decouples the clients from each other to enable a highly scalable solution without dependencies between data producers and data consumers.

How does MQTT work?

MQTT uses your existing Internet home network to send messages to your IoT devices and respond to the messages.

At the core of MQTT are the MQTT broker and the MQTT clients. The broker is responsible for dispatching messages between the sender and the rightful receivers. An MQTT client publishes a message to a broker, and other clients can subscribe to the broker to receive messages. Each MQTT message includes a topic. A client publishes a message to a specific topic, and MQTT clients subscribe to the topics they want to receive. The MQTT broker uses the topics and the subscriber list to dispatch messages to the appropriate clients. If the connection from a subscribing client to the broker is broken, the broker will buffer messages and push them out to the subscriber when it is back online. If the connection from the publishing client to the broker is lost without notice, the broker can close the connection and send subscribers a cached message with instructions from the publisher.

MQTT Components

In MQTT there are a few basic concepts that you need to understand:

Broker – The broker is the server that distributes the information to the interested clients connected to it. This is the heart of the publish/subscribe protocol. The MQTT broker is designed to handle many thousands of concurrently connected MQTT clients.

Client – The device that connects to the broker to send or receive information. The MQTT client, be it subscriber or publisher (or both in one device), is any device from a small microcontroller up to a fully-fledged server that has an MQTT library running and is connected to an MQTT broker over any kind of network.

Topic – Messages make their way from a publisher, through a broker, to one or more subscribers using topics. Topics are hierarchical UTF-8 strings. Clients publish, subscribe, or do both to a topic. In other words, topics are the way you register interest for incoming messages or how you specify where you want to publish the message.

Publish – Clients that send information to the broker to distribute to interested clients based on the topic name.

Subscribe – Clients tell the broker which topic(s) they’re interested in. When a client subscribes to a topic, any message published to the broker is distributed to the subscribers of that topic. Clients can also unsubscribe to stop receiving messages from the broker about that topic.

QoS – Quality of Service. Each client can specify a quality of service level to the broker for its messages, an integer value ranging from 0 to 2. QoS applies to message delivery between the MQTT clients and the broker; it does not affect the handling of the underlying TCP data transmissions.

QoS 0 specifies at most once: the message is sent once without requiring an acknowledgment of delivery. This is often referred to as fire and forget.

QoS 1 specifies at least once: the message is re-sent until an acknowledgment is received, known otherwise as acknowledged delivery.

QoS 2 specifies exactly once: the sender and receiver use a two-level handshake to ensure only one copy of the message is received, known as assured delivery.

How to Use MQTT in Home Automation?

In today’s world, automation has become important and is used in many applications in our daily life. A Home Automation System (HAS) is a system in which home appliances or the home environment are controlled without much human involvement. It saves power, time and effort and is more efficient than conventional systems. Home environmental monitoring is a major Internet of Things (IoT) application, which involves monitoring the inside and outside environment of the home. By using IoT technology, users can create advanced Home Automation Systems that can improve the quality of life.

Let’s take one such example.

Example:

Let’s say our Home Automation System consists of an electric light bulb that can be controlled with the help of a mobile device. The user uses a mobile application to toggle the light switch, and this state is sent to the MQTT broker. On the other side, the electric light bulb, with the help of a microcontroller, receives the state sent by the user. For this to happen, the mobile device first defines the topic it wants to publish on, and only then publishes the message. Meanwhile, the microcontroller attached to the light bulb subscribes to the same topic. Once it receives the message that the device has published, it toggles the light based on the state. It might also want to publish to another topic so that other clients can monitor the state of that light. Again, the broker’s role here is to take the message and deliver it to the subscribed clients.

Topics are the way you register interest in incoming messages or specify where you want to publish a message. Topics are represented as strings separated by forward slashes, and each forward slash indicates a topic level. Also remember that topics are case-sensitive. If you want to control multiple lights across multiple rooms, you will need to come up with a unique topic for each of these lights. Suppose we want to toggle the bedroom light; the topic will be home/bedroom/lamp.

Now that we have two clients, the first, the mobile application, will publish to the topic “home/bedroom/lamp” with a message of “on” or “off” every time we push a button in the app. In our demo we are using the “MyMqtt” app from the Google Play store. The second client will subscribe to “home/bedroom/lamp” and respond to the message by turning the light bulb on or off. Later it will publish a message of “on” or “off” to another topic like “bedroom/lamp/state” so that other clients can monitor the state of that light.
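The broker, topic and publish/subscribe flow from the sections above, and the bedroom-lamp exchange just described, can be modelled end to end without a network. The following is an added example, not code from the original post: a small in-memory stand-in for the broker (a real deployment would use a real broker over TLS) that implements MQTT's topic-filter matching, including the '+' and '#' wildcards from the MQTT specification, which go beyond the single-topic example in the post. The Lamp class and the monitoring client are constructed for this example.

```python
"""Added example: in-memory model of the MQTT publish/subscribe flow."""
from typing import Callable, List, Tuple

Handler = Callable[[str, str], None]  # called with (topic, payload)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: levels split on '/', '+' matches exactly one
    level, '#' (allowed only as the last level) matches the remainder.
    Matching is case-sensitive, as the post notes."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' must be the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Dispatches each published message to every subscription whose filter matches."""

    def __init__(self) -> None:
        self.subscriptions: List[Tuple[str, Handler]] = []
        self.log: List[Tuple[str, str]] = []  # (topic, payload) in delivery order

    def subscribe(self, topic_filter: str, handler: Handler) -> None:
        self.subscriptions.append((topic_filter, handler))

    def publish(self, topic: str, payload: str) -> int:
        """Deliver to matching subscribers; returns how many received it."""
        self.log.append((topic, payload))
        delivered = 0
        for topic_filter, handler in self.subscriptions:
            if topic_matches(topic_filter, topic):
                handler(topic, payload)
                delivered += 1
        return delivered


class Lamp:
    """The microcontroller client: subscribes to its command topic and reports state."""

    def __init__(self, broker: Broker, room: str) -> None:
        self.broker = broker
        self.state = "off"
        self.state_topic = f"{room}/lamp/state"
        broker.subscribe(f"home/{room}/lamp", self.on_command)

    def on_command(self, topic: str, payload: str) -> None:
        if payload not in ("on", "off"):  # ignore anything that is not a valid command
            return
        self.state = payload
        self.broker.publish(self.state_topic, self.state)


def run_demo() -> dict:
    """The post's scenario: app publishes a command, lamp reacts and reports state."""
    broker = Broker()
    lamp = Lamp(broker, "bedroom")
    seen = []  # a monitoring client watching every room's lamp state topic
    broker.subscribe("+/lamp/state", lambda t, p: seen.append((t, p)))
    broker.publish("home/bedroom/lamp", "on")      # the mobile app toggles the light
    broker.publish("home/bedroom/lamp", "blink")   # invalid command, ignored by the lamp
    broker.publish("home/Bedroom/lamp", "off")     # different case = different topic, nobody listens
    return {"lamp_state": lamp.state, "monitor": seen}


if __name__ == "__main__":
    print(run_demo())
```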

Cloud for MQTT brokers?

An on-premise MQTT broker is a rather time-consuming and demanding solution for any project. If we are talking about a quick launch of an Internet of Things solution, then launching your own data center with a server for the MQTT broker will require resources for the initial launch and installation. Plus, expanding and scaling the on-premises broker creates a lot of problems when migrating to new servers.

Now let’s compare this solution with a cloud service, where for a minimal cost you can quickly connect your project to high-quality service and start using the MQTT protocol. With a cloud service, you also get support for your project and an already configured security system on the server and the ability to increase your capacities almost without limit. Placing the MQTT broker in the cloud can be a successful strategy both for small projects and for corporate-level projects.

There are many cloud-based MQTT brokers, such as:

  • Amazon
  • Cloud MQTT
  • Google Cloud IoT Core
  • Heroku
  • IBM
  • Microsoft Azure IoT

Conclusion

MQTT is a communication protocol based on a publish and subscribe system. It is simple to use and great for Internet of Things and Home Automation projects. On the other hand, choosing the right cloud provider to host MQTT also gives you a lot of options now: you can use the message broker in your existing cloud, or choose the one most suitable for your task.

Thursday, 24 September 2020

How to remain productive working from home

 


What exactly is the workplace?

Historically, a workplace was a physical location where a group of people, contractually bound, assembled to perform a set of tasks in return for something, like a factory, a tannery, a wood cutting mill, etc. Workplaces also had or provided the tools, resources, machinery, and instruments required to perform the tasks. Then came the digital era, or the start of computers and the internet. In this era, a new wave of jobs was created which redefined the workplace as we knew it from the previous era. Instead of physical labor and the use of huge complex machinery, work began to be accomplished behind desks, on desktops and laptops. Moore’s law captured this evolution very well. As electronic devices became smaller and yet more effective, digitalization revolutionized every aspect of our lives, the workplace as well.

The workplace was always defined as essential for getting things done. It enforced accountability, helped in focussing, made the essentials for working available, and all in all enabled productivity. But as we saw above, the evolution of the workforce made organizations rethink this policy of enforcing the workplace as the only way, or rather place, of working.

Remote working is a mode of working which allows the professional to work from any location. Usually, flexible working hours are closely associated with remote working. There are variations of remote working as well, such as working from home. And the definition of a remote worker may change depending on their employment status, i.e. are they a full-time employee or a contractual employee? And irrespective of what kind of employee they are, how can a remote worker ensure the same level of productivity?

Let’s find out…

COVID and the New Normal

The COVID-19 pandemic has completely altered the meaning of the workplace, particularly in the information technology sector, which is almost 100% digitized. Where companies would earlier allow and authorize remote working in varying degrees, based on factors like requirements, logistics, security, etc., companies are now forced to come up with frameworks for allowing remote working as much as possible to keep the wheels moving. It is also becoming apparent that this is going to be the new normal for a long time, and hence remote working and work from home are no longer going to be an employee privilege but rather a way of life.

Remote Working vs Work from Home



Remote working is a working system where an employee is not mandated by contract to be present at a physical, authorized location of the employer. The reasons for such an arrangement can be many, e.g. a global workforce: an employer in India hires a consultant in the US. In the internet age, proximity and information are just a click away.

Work from Home can be considered as an arrangement where an employee is entitled to work from home subject to certain restrictions and rules. Work from Home makes an exception to the requirement that an employee should be physically present as and when required under certain circumstances.

Drivers of Remote Working

Let’s explore what are the drivers of remote working.

Why does somebody work remotely in the first place?

  • Happier Employee — More Productivity
  • Technology
  • Current Norm
  • Reduced Cost
  • Social Benefits

Happier Employee — More Productivity

Allowing an employee to work in a location where he is more comfortable, i.e. his home or any other preferred location, puts him in a happier and calmer mindset. This invariably leads to a more productive employee. Plus, the support extended by the organisation to the employee in letting him work from home or remotely builds loyalty in the mind of the employee toward the organisation.

Technology

Employees work from home simply because they can! Technology is a great enabler, and distances and physical presence no longer matter in many sectors. This offers the additional benefit to the employer of having access to the employee and company data at any point in time. Video discussions and conference calls are already used in organisations which have teams spread across the globe. Remote working/work from home simply extends those technologies locally.

Current Norm

Companies around the globe are always trying to improve their employee engagement programs to make employees more productive. With the modern lifestyle, the pressures of work can affect the work-life balance. Hence, to provide some balance to employees when it comes to their personal lives, companies have accepted WFH or remote working as a norm.

Reduced Cost

Having an employee working remotely or working from home has measurable financial benefits for the company, such as savings on office space, physical infrastructure, transportation, conveyance allowance, etc.

Social Benefits

In addition to the benefits to both the employee and the employer, there are lots of social benefits associated with remote working and working from home: reduced traffic, reduced noise, reduced environmental impact from pollution, reduced spending on commuting, etc.

Remote working best practice





Now that we have a good idea about what remote working is and we have seen its benefits, let’s have a look at how we can maximise our productivity working from home.

  • Reachability
  • Set up the environment
  • Proactive with potential distractions
  • Take scheduled breaks
  • Calls over chat
  • Solicit feedback

1. Reachability

When an employee works from home, the most important thing is his reachability. It is the responsibility of the employee to inform his team, subordinates and superiors when he is available, when he is on a break and when he will log off. Do not make colleagues ping you multiple times waiting for your response while you have switched off. Stick to the normal work hours. Be available on the authorized communication channels.

2. Set up the environment

An employee must set up an environment which is similar to his work environment. This is not limited to tools and technology; it extends to mundane things like tables, chairs, settings, etc. Ensure that all the authorised, required tools, permissions, configurations and provisioning certificates are available and working on your system before you start. Similarly, have a physical environment similar to your office setup. Dress for the occasion, and have the same environment and desk setup, so you will be focussed on the work just like at the workplace.

3. Proactive with potential distractions

Working from home has more potential for distractions. It might be amusing and cute to see your cat dart across the keyboard, but when you are in the middle of a serious discussion over a video call, it can appear awkward. Home delivery, a family member popping in to ask something, kids throwing tantrums, and a million and one awkward scenarios like that. Avoid all this by defining a boundary, time- and space-wise. Let your family know you are unavailable between certain timings. Keep the door shut if you will. Do whatever is required based on your home setup, but ensure that personal distractions don’t impede your work.

4. Take scheduled breaks

It is easy to be “always-on” when you are working from home. But just like the way someone takes regular breaks in their workplace, schedule breaks when you are working at home as well.

Just ensure that your team members are aware. A simple status update on your communication channel which indicates that you are away would be a good example. Similarly, ensure non-work tasks are scheduled at a fixed time and it does not interfere with your working hours.

5. Calls over chat

In a working environment, help, clarification or an answer to a problem is just a desk away. You might swing by your colleague’s desk to get some clarification. But when you are working remotely and connected with your colleagues virtually, discussions and clarifications might get difficult over chat. Do not hesitate to reach out to your team to discuss any contentious issue over the phone when you find yourself going round in circles with chat-based discussions.

6. Solicit feedback

Periodically talk to your team, your subordinates and your superiors about how they are finding your current setup.

Are you easily accessible?

Are you properly audible?

Do they have any suggestions on how you can be more productive when working from home?

This goes a long way in reinforcing your commitment and professionalism when it comes to working from home.

What to avoid

  • Casual nature
  • Non-adherence to time
  • Not informing in advance
  • Not being prepared

1. Casual nature

Remote working or work from home is a privilege, or a grant, to accomplish your work better while balancing other priorities. The time you are working from home is time you are accountable for, in terms of the work you are supposed to deliver. Often, the comfortable and familiar environment of home can induce a sense of casualness in an employee. Work from home is nothing but simply working, from home. Maintain the same level of professionalism as in the workplace.

2. Non-adherence to time

Adherence to time is mandatory when it comes to working from home. Since an employee is not physically present, it becomes imperative that the same person maintains time when it comes to meetings, calls, discussion, etc.

3. Not informing in advance

In the event of an employee being pulled into some personal work, it is necessary to inform team members about any non-availability. If the employee is stepping out for a while, he/she should notify their subordinates and superiors. Similarly, if someone is on leave, ensure that the connected people are informed in advance.

4. Not being prepared

Do not show up to a meeting with a faulty microphone or webcam and fix things during the call. Do dry runs of every interaction to make sure everything works as expected. Being prepared, with no logistical issues, is necessary because it is professional and respectful of others’ time.

Challenges of Remote Working

  • Tech availability
  • More prone to distraction
  • Difficulty in switching off
  • Need to over-communicate and reachability

Tech availability

A workplace is equipped with the latest and the required tools, hardware, and software to perform one’s work effectively. Having access to the same kind of setup might be difficult in a remote location. This leads to ineffective substitutes, which might lead to lower productivity depending on the substitute.

More prone to distraction

A work culture that is centered around focus helps an employee work efficiently in the office. But at home or remotely, an employee’s attention is more prone to be distracted by mundane tasks not directly related to work.

Difficulty in switching off

Work from home creates an “Always On” expectation. People take it for granted that since someone is working from home, they are going to be always available. It is essential to take regular breaks and draw a definite boundary between personal and professional time.

Need to over-communicate and reachability

No matter how much technology simplifies communication and accessibility, nothing beats a personal touch when it comes to discussing, collaborating, and communicating. In a connected world, due to lack of understanding, time differences, cultural differences, etc., remote working or work from home might necessitate over-communication to simplify matters.

Conclusion

Remote working was an effective, additional way to do work before the COVID pandemic. But life as we know it has completely changed. What was a good thing previously is now a necessity and might become the way of life in the future. If performed in the right manner, with diligence and care, working from home and remote working are as effective as working at the workplace, if not better. Hence each person must follow a certain code, a certain personal ethic, and professionalism to make this successful and to handle a part of this crisis.

Happy Working