Tuesday 4 May 2021

Advanced testing strategy for apps - Security Checklist 1



Agile methodologies and DevOps are widely adopted by software service providers and consulting companies. The primary drivers for this adoption are faster delivery of products, independent teams, and generally better all-around synergy between the engineering and operations teams.

In this DevOps and Agile world, the traditional modes of quality assurance, such as manual testing, are no longer as effective. Granted, risk analysis, test planning, and test management are still important, but to ensure the same or a better level of quality in an Agile world, organizations are adopting new skills such as test automation, data analytics, and AI technologies, amongst others.

In this two-part blog (second part coming soon), we provide an example of such an advanced testing strategy via a checklist for mobile app testing on the two most popular platforms, iOS and Android. We cover a wide spectrum of categories, ranging from tests related to how and where data is stored, to testing the entire authentication flow, code quality, platform interaction scenarios, and many more. You can download the entire checklist here, or for a detailed explanation, read on.

1) Data storage and privacy



Mobile devices are a constant companion in the digital era. They are used for various purposes: entertainment, work, personal, professional, etc. Users interact a lot with mobile devices and invariably enter or store details about themselves: contacts, bank accounts, health information, habits and preferences, travel logs, etc. Hence it’s no surprise that the number one priority while testing is data storage and privacy, i.e., to ensure that the app does not “leak” any confidential information.

For Android

  1. No sensitive information is stored in the AndroidManifest.xml file.
  2. No sensitive information is stored in the gradle.properties file.
  3. No sensitive information is stored in any strings.xml file inside the APK package.
  4. [Shared Preferences Check] Install the APK on an Android phone (or emulator), navigate to /data/data/<package-name>/shared_prefs/ and inspect the XML files there (e.g. keys.xml). Verify no sensitive data is stored there.
  5. [SQLite Databases Check] Install the APK on an Android phone (or emulator) and navigate to /data/data/<package-name>/databases/. Verify no sensitive information is stored in the SQLite DBs.
  6. [Encrypted Database] Install the APK on an Android phone (or emulator), navigate to /data/data/<package-name>/databases/ and verify that databases which hold sensitive data are encrypted.
  7. Verify that debug logs are disabled in the production build. Connect the device to your machine, run the following command and inspect the logs while the app is running: adb logcat | grep "$(adb shell ps | grep <package-name> | awk '{print $2}')"
  8. Verify that input fields that ask for sensitive data, e.g. “Password”, are masked.
  9. Verify that input fields that ask for sensitive data, e.g. “Password”, do not display auto-suggestions by default.
  10. Verify that for input fields that ask for sensitive data, e.g. “Password”, the Cut, Copy and Paste options do not work.
  11. By default, backups should be disabled. In AndroidManifest.xml, verify that android:allowBackup is set to false.
  12. If backup is a requirement, then check that no sensitive data is backed up.

Then run a backup from adb: adb backup -apk -nosystem <package-name>

ADB should respond with “Now unlock your device and confirm the backup operation” and you will be asked on the Android phone for a password. Approve the backup from your device by selecting the Back up my data option. After the backup process is finished, the .ab file (backup.ab by default) will be in your working directory.

Run the following command to convert the .ab file to tar (here the backup file is named mybackup.ab; it needs an openssl build with zlib support): dd if=mybackup.ab bs=24 skip=1 | openssl zlib -d > mybackup.tar

Analyse the backup and check whether any sensitive data is stored in it.
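The static items in the Android list (no secrets in the manifest, gradle.properties, strings.xml or shared_prefs, and allowBackup set to false) are easy to automate once the files have been extracted from the APK or pulled with adb. The script below is an added example written for this post, not code from the original checklist: the XML and properties samples are constructed, and the SENSITIVE_KEY pattern is an assumption you would tune per project.

```python
"""Automated versions of the static data-storage checks (Android items
1-4 and 11). Added example; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: key names that usually mean the value must not be in clear text.
SENSITIVE_KEY = re.compile(r"pass(word)?|pwd|secret|token|api[_-]?key|private[_-]?key", re.I)


def backup_allowed(manifest_xml: str) -> bool:
    """Item 11: True (a finding) when android:allowBackup is absent or not
    'false'; Android treats a missing attribute as allowBackup="true"."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return True
    return app.get(ANDROID_NS + "allowBackup", "true").strip().lower() != "false"


def sensitive_xml_entries(xml_text: str) -> list:
    """Items 1, 3 and 4: (name, value) pairs whose key looks sensitive, for
    AndroidManifest.xml <meta-data>, strings.xml resources and shared_prefs."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = el.get("name") or el.get(ANDROID_NS + "name")
        if name and SENSITIVE_KEY.search(name):
            value = el.text or el.get("value") or el.get(ANDROID_NS + "value") or ""
            findings.append((name, value.strip()))
    return findings


def sensitive_properties(props_text: str) -> list:
    """Item 2: key=value files such as gradle.properties."""
    findings = []
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if SENSITIVE_KEY.search(key):
            findings.append((key, value))
    return findings


# Constructed samples: a weak configuration and its hardened counterpart.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:allowBackup="true" android:label="Example">
        <meta-data android:name="com.example.API_KEY" android:value="constructed-api-key-value"/>
    </application>
</manifest>"""

HARDENED_MANIFEST = WEAK_MANIFEST.replace('android:allowBackup="true"', 'android:allowBackup="false"')

WEAK_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">constructed-token-value</string>
    <boolean name="dark_mode" value="true" />
</map>"""

WEAK_PROPERTIES = """# constructed gradle.properties
org.gradle.jvmargs=-Xmx2g
signing.keystore.password=hunter2
"""


def run_checks() -> dict:
    """Summarise the findings for the constructed samples."""
    return {
        "weak_manifest_allows_backup": backup_allowed(WEAK_MANIFEST),
        "hardened_manifest_allows_backup": backup_allowed(HARDENED_MANIFEST),
        "manifest_findings": sensitive_xml_entries(WEAK_MANIFEST),
        "prefs_findings": sensitive_xml_entries(WEAK_PREFS),
        "properties_findings": sensitive_properties(WEAK_PROPERTIES),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Point the three functions at the real files (decoded resources from apktool, or the shared_prefs XML pulled with adb) and fail the build on any finding; the key-name pattern only catches obvious cases, so a manual review of values such as long base64 strings is still worthwhile.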

For iOS

  1. Verify no sensitive data is stored in the app bundle’s DB. Run a simulator build, navigate to /Library/Developer/CoreSimulator/Devices/<Simulator ID>/var/mobile/Containers/Data/Application/$APP_ID/, read the .db files and verify no sensitive data is saved there.
  2. Verify the Keychain at /Library/Developer/CoreSimulator/Devices/<Simulator ID>/data/Library/Keychains/keychain-2-debug.db. Data stored here should be encrypted.
  3. Logs should not contain any sensitive data.
  4. Verify that input fields that ask for sensitive data, e.g. “Password”, are masked.
  5. Verify that input fields that ask for sensitive data, e.g. “Password”, do not display auto-suggestions by default.
  6. Verify that for input fields that ask for sensitive data, e.g. “Password”, the Cut, Copy and Paste options do not work.

2) Cryptography Requirements



While it’s important to test where data is stored, it’s equally important to verify how it is stored, i.e., whether it is encrypted. This can be defined as testing “How is data stored” as opposed to testing “Where is data stored.” Confidential information like passwords, secret questions and answers, and keys should never be stored in a human-readable format. Both Android and iOS provide AES 256 encryption for confidential information, and app developers must leverage this.

For Android

  1. Verify sensitive data is encrypted when stored on the device. The encryption keys used should be saved in the Android Keystore.

For iOS

  1. Verify sensitive data is encrypted when stored on the device. The encryption keys used should be saved in the Secure Keychain.
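A tester pulling databases from /data/data/<package-name>/databases/ needs a quick, repeatable way to tell an encrypted database from a clear-text one (Android item 6 above and the two cryptography items). The script below is an added example for this post, not the original checklist’s code: it relies on the fact that an unencrypted SQLite file begins with the 16-byte header “SQLite format 3\0”, while SQLCipher-style full-file encryption removes that header and leaves near-random bytes. The sample database is created locally, and the 7.5 bits-per-byte entropy threshold is an assumption.

```python
"""Classify an app database as plaintext or encrypted and confirm a known
test value is not readable in the raw file. Added example."""
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
ENTROPY_THRESHOLD = 7.5  # assumption: bits per byte that mark random-looking data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_db(data: bytes) -> str:
    """'plaintext' when the SQLite header is present, 'encrypted' when the
    first page looks random, otherwise 'unknown' (e.g. not a database)."""
    if data[:16] == SQLITE_MAGIC:
        return "plaintext"
    if shannon_entropy(data[:4096]) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def contains_secret(data: bytes, needle: str) -> bool:
    """True if a known test value is readable in the raw file bytes, which
    is what the SQLite check asks a tester to look for."""
    return needle.encode() in data


def sample_plaintext_db() -> bytes:
    """Create a small unencrypted SQLite DB holding a constructed credential
    and return its raw bytes (what a tester would pull from the device)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE account(username TEXT, password TEXT)")
        con.execute("INSERT INTO account VALUES (?, ?)", ("alice", "hunter2"))
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            return fh.read()


def sample_encrypted_db() -> bytes:
    """Stand-in for an encrypted database: one page of random bytes, which
    is how a properly encrypted file looks to a scanner."""
    return os.urandom(4096)


def report() -> dict:
    plain = sample_plaintext_db()
    return {
        "plain": classify_db(plain),
        "plain_leaks_password": contains_secret(plain, "hunter2"),
        "encrypted": classify_db(sample_encrypted_db()),
        "unknown": classify_db(b"hello world"),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The header test is decisive on its own; the entropy estimate is only there so that a file without the header is not silently assumed to be encrypted (a corrupt or differently formatted file would report as unknown and deserve a look).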

3) Authentication and Session Management



Apps usually have sign-in, sign-up, and authentication mechanisms. Authentication identifies a user; based on that identity, certain resources are authorized. A user logs in, consumes services, and eventually logs out; this is known as a session. The critical thing in this flow is to ensure that the user is authenticated as safely as possible, and that only those resources for which he is authorized are allocated to him.

For Android

  1. Passwords should follow a strong password policy: the minimum password length should be 8 characters, and the password should contain a combination of the following character classes:
     a. Lower case (a-z)
     b. Numeric (0–9)
     c. Upper case (A-Z)
     d. Non-alphanumeric (e.g. !, @, etc.)
  2. If needed, two-factor authentication (2FA) should be present.
  3. When a wrong password is entered multiple times, app lockout should be implemented.
  4. Session IDs are always exchanged over secure connections (e.g. HTTPS).
  5. Verify that the server verifies the session whenever a user tries to access privileged application elements (a session ID must be valid and must correspond to the proper authorization level).
  6. Verify that the session is terminated on the server side and session information is deleted within the mobile app after it times out or the user logs out.
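The password policy, the lockout rule and the server-side session checks above are easiest to reason about against a small reference implementation that the test cases can be written against. The code below is an added example for this post, not code from the original checklist or any particular app. The policy values (minimum 8 characters; lower case, digit, upper case and non-alphanumeric required) are the checklist’s; LOCKOUT_AFTER, SESSION_TIMEOUT_S and the role levels are assumptions chosen for the example.

```python
"""Reference password policy, login lockout and server-side session store
for the authentication checks. Added example; thresholds are assumptions."""
import re
import secrets

MIN_LENGTH = 8
LOCKOUT_AFTER = 5            # assumption: consecutive failures before lockout
SESSION_TIMEOUT_S = 15 * 60  # assumption: idle timeout in seconds
ROLE_LEVEL = {"user": 1, "admin": 2}  # assumption: simple role ordering

# One check per rule, in the order the checklist lists them.
POLICY_RULES = [
    (lambda pw: len(pw) >= MIN_LENGTH, "too short"),
    (lambda pw: re.search(r"[a-z]", pw), "no lower case"),
    (lambda pw: re.search(r"[0-9]", pw), "no digit"),
    (lambda pw: re.search(r"[A-Z]", pw), "no upper case"),
    (lambda pw: re.search(r"[^A-Za-z0-9]", pw), "no non-alphanumeric"),
]


def password_policy_errors(pw: str) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    return [msg for check, msg in POLICY_RULES if not check(pw)]


class LoginGuard:
    """Counts consecutive failed logins per user and locks the account once
    the threshold is reached, until a successful login resets the count."""

    def __init__(self, lockout_after: int = LOCKOUT_AFTER):
        self.lockout_after = lockout_after
        self.failures = {}

    def record_failure(self, user: str) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.lockout_after

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


class SessionStore:
    """Server-side session table: unguessable ids, a role per session,
    an idle timeout, and explicit invalidation on logout. Time is passed in
    so the behaviour is deterministic in tests."""

    def __init__(self, timeout_s: int = SESSION_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.sessions = {}  # sid -> {"user", "role", "last_seen"}

    def create(self, user: str, role: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "role": role, "last_seen": now}
        return sid

    def authorize(self, sid: str, required_role: str, now: float) -> bool:
        """True only if the session exists, has not idled out, and its role
        is at least required_role. An expired session is deleted here."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_seen"] > self.timeout_s:
            del self.sessions[sid]
            return False
        if ROLE_LEVEL.get(s["role"], 0) < ROLE_LEVEL.get(required_role, 99):
            return False
        s["last_seen"] = now
        return True

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)
```

Checklist item 5 corresponds to authorize being called on every privileged request (never trusting a session id the client presents without looking it up), and item 6 to the server deleting the entry on timeout or logout so a captured id stops working; the app side still has to discard its copy of the id.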

For iOS

  1. Verify no sensitive data is stored in the app bundle’s DB. Run a simulator build, navigate to /Library/Developer/CoreSimulator/Devices/<Simulator ID>/var/mobile/Containers/Data/Application/$APP_ID/, read the .db files and verify no sensitive data is saved there.
  2. Verify the Keychain at /Library/Developer/CoreSimulator/Devices/<Simulator ID>/data/Library/Keychains/keychain-2-debug.db. Data stored here should be encrypted.
  3. No sensitive data should be printed in logs.
  4. Verify that input fields that ask for sensitive data, e.g. “Password”, are masked.
  5. Verify that input fields that ask for sensitive data, e.g. “Password”, do not display auto-suggestions by default.
  6. Verify that for input fields that ask for sensitive data, e.g. “Password”, the Cut, Copy and Paste options do not work.

Conclusion

This concludes the first part of this series, where we presented a checklist for testing mobile apps in the data storage & privacy, cryptography requirements, and authentication and session management categories. In the next part, we will examine the test cases for the network communications, platform interaction, code quality and build settings, and resiliency categories.



Tuesday 30 March 2021

How can enterprises benefit from Low-Code/No Code development method



A professor, to highlight the importance of communication, gave a simple exercise involving the whole class. He wrote a tongue twister,

“Fred fed Ted bread and Ted fed Fred bread”,

on a piece of paper, gave it to the first student in the first row and asked him to whisper what he read into the next student’s ear. The second student was asked to repeat what he heard to the third student, and so on. This was repeated until the student in the last row, who was finally asked to say what he or she had heard. The answer was,

“Fred said bake bread, Fred said eat bread”!

Talk about lost in translation!

This simple example helps us understand how much information and, importantly, meaning can be lost in communication. It shows how difficult communication can be even in person, let alone through other media such as digital channels. A similar predicament occurs when business and I.T. communicate, particularly regarding requirements or expected outcomes.

Businesses and I.T. have their silos, and they speak different languages.



One speaks the user’s language, of expectations and markets; the other speaks the language of technology, of bits and bytes and frameworks. Invariably, when

“Fred feeds Ted bread,”

it is understood as

“Fred said bake bread.”

In his seminal work “Business at the Speed of Thought,” Bill Gates wrote, “If the 1980s were about quality and the 1990s were about reengineering, then the 2000s will be about velocity.” Speed of development and quick-to-market products have never been more critical than today. Take the case of the ongoing pandemic. Every single aspect of our life has been upended. Companies and businesses are scrambling to upgrade or modify their delivery chains. In such exceptional circumstances, velocity, or speed of delivery, is of utmost importance.

A knee-jerk reaction to ensure delivery speed would be to hire the right engineering talent and just put them to work, right? Well, it turns out that’s not always the case. One, talent is scarce, and second, it is expensive. According to a survey by TechRepublic (https://www.techrepublic.com/article/cio-jury-83-of-cios-struggle-to-find-tech-talent/), a whopping 83% of CIOs found it a struggle to fill positions, particularly in engineering. Even if you manage to cross these hurdles, merely increasing the number of people to solve a problem never really works. One could make a case for automation. Automation is a perfect solution to increase the speed of execution. However, automated tools still have to be built and configured by I.T., thereby repeating the whole development process. The challenges enterprises face in the development process, such as speed and clarity of vision, are repeated.

Challenges in current development models



  • I.T. and business need a common language to convey, communicate, and understand business goals uniformly.

  • Speed of development and delivery separates the winners from competitors in business.

  • As long as corporate I.T. sanctions it, engineering should not be restricted to I.T. only. Ideas and solutions are not the sole purviews of engineers. Engineering can and should be inclusive, i.e., Citizen development and Citizen I.T. as well.

What is the Low-Code Platform?
Forrester defines low-code development platforms as:

“Products and/or cloud services for application development that employ visual, declarative techniques instead of programming and are available to customers at low- or no-cost in money and training time to begin, with costs rising in the proportion of the business value of the platforms.”

Gartner characterizes it as platforms that provide “rapid application development (RAD) features for development, deployment, and execution – in the cloud.”

Low-Code Development (LCD henceforth) is an approach that involves visual development tools and an interactive development process. LCD is declarative in nature. In the declarative style of development, instead of focusing on how to do something, the focus is on what needs to be done. The logic of how to do something is abstracted behind visual components.

How does Low-Code work with visual development tools?



LCD has a strong emphasis on graphical tools. So instead of extensive coding, developers use pre-built components by simply dragging and dropping. Low-Code enables anyone, literally anyone, to build applications and engineer solutions regardless of their technical ability. This empowers citizen I.T. development. Additionally, the requirements are implemented more faithfully, since the development can be done by the business as well. With LCD, the business and product owners can engineer solutions independently without depending on I.T., so the goals, features, and vision of the business are translated into solutions more accurately.

What are the Features of Low-Code Platform?



  • At its heart, LCD aims to bring business and I.T. together to deliver on the business goals faster and better. Far too often, bottlenecks caused by inter-department communication drag the development process down. Translating business requirements into something which can be expressed using technology is challenging. LCD is the perfect solution for this silo-induced communication bottleneck.

  • With LCD, businesses or anyone authorized in the company can deliver or transform an idea or requirement into a working solution. With abstraction and Automation enabled, the time to market is reduced dramatically. Companies no longer need to depend on I.T. to engineer quick solutions such as automated tasks or prototypes.

  • LCD is perfect for trying out new tools and prototype solutions. Since LCD is based on visual tools such as drag and drop components, the speed of development is fast, and the development process itself is nimble and agile.

  • Not all applications and solutions can be built using the out-of-the-box solutions provided by LCD platforms. But LCD can be customized to create new components and reusable modules with the standard development process. LCD also works with complex backend and legacy systems. Along with inbuilt tools and IDEs, LCD provides connectors to set up connections to databases and APIs.

What are the benefits of Low-Code?



  • With low-code or no-code development, the speed of development is faster, and time to market is brought down drastically. Ready-to-use components are already tested and ready to be deployed, so testing time and deployment time are brought down considerably.

  • LCD enables everyone to be an engineer or developer. In a limited way, of course! The concept of citizen I.T. and citizen development are reinforced with LCD. This allows requirements to be easily translated into implementation, mainly when the business uses a low-code platform.

  • LCD works well with all existing development processes like Agile and Scrum. Additionally, LCD is compatible with APIs and new methods. The addition of new code to configure custom modules is also possible with LCD. The bottom line is that LCD provides an added advantage to the existing development process of an enterprise.

  • Although I.T. is going nowhere and it will still be relevant, LCD enables development at a fraction of the cost. Mainly when it comes to repeated automated tasks, LCD provides tremendous cost benefits.

  • The benefits of having citizen developers are manifold. Citizen IT armed with LCD helps in reducing the IT backlog and improves internal processes. Consequently, innovation and digital transformation in an organization happen at a much faster rate.

How does Low-Code work with APIs?

APIs are the building blocks of great software solutions. They are ubiquitous and everywhere. At its heart, APIs are all about abstracting complexity or business logic into a simple, easy-to-use interface.

Does this sound familiar?

Of course, it does!

That’s a key goal of Low-Code as well.

As we saw above, Low-Code aims to build rapidly complex applications with minimal code so that solutions can be delivered faster and I.T. can closely replicate what the business wants. Almost all Low-Code service providers have prebuilt APIs from various providers like Google Suite, popular Social Media sites, single sign-on. They can be easily chosen and integrated with the App that is being built. Like the drag and drop interface for building low-code apps, app integration with prebuilt APIs is a breeze.

For custom API integration, Low-Code apps have plugins and provisions to create high-level model extensions, where you write custom code for interacting and connecting to cloud services such as AWS or Google Cloud. Almost all low- and no-code platforms provide ways for programmers to create high-level model extensions for applications. Platforms typically support these extensions through APIs.

What is the future of Low-Code development?

Gartner predicts that by 2024, an astounding 65% of application development activity will be via low-code application development.

https://www.outsystems.com/1/low-code-application-platforms-gartner/

And as per an infographic by Impactmybiz.com, LCD will be a 27 billion dollar industry by 2022.

https://www.impactmybiz.com/blog/blog-low-code-trends-2020/#:~:text=In%202019%2C%2037%25%20of%20developers,or%20no%20technical%20development%20skills

These are astounding numbers, and enterprises would do well to start investing in LCD. LCD empowers everyone in the enterprise to focus on business goals rather than complex technology. In addition to ease of implementation, LCD helps in faster deployment of solutions, which is the critical differentiator in modern times. LCD is compatible with legacy systems as well as agile practices. Whatever the enterprise development model, LCD integrates itself well.


Tuesday 8 December 2020

How to find the right digital partner for your Enterprise



This post is a companion to our earlier blog on What is digital transformation. These articles, together, will help an enterprise evaluate the need for a digital transformation and how to go about finding a partner for it. In this article, we present important objective & measurable ways to select your technology partner. We highlight certain requirements that are mandatory and a few “good to have” traits. As we highlighted there, digital transformation is the planning, analysing, conducting & support of business operations via technology.

An enterprise can be considered as “Digitally compliant” if it has the following traits.

  1. Customer experience, which is digital all the way. From inquiry to after-sales
  2. Continuous improvement based on analytics which is powered by AI-based tools
  3. Backend architecture which is almost entirely in the cloud, with minimal on-premise/hybrid systems
  4. Internal business process and core business practices which are highly automated
  5. Tie-ups and collaboration with tech partners at an organisational level

Selection of a digital partner can be subjective and/or objective.

Subjective reasons to select a digital partner

1) Confidence in a particular partner because they are local and hence trusted

2) Mandated by law to provide opportunities to a specific group in your country, state etc

3) Personal relationship of any kind or previously committed to them

4) Recommendation by a trusted authority or partner

5) Influenced by size, scale, turnover and other factors and many more…

Subjective reasons are just that, and hence we won’t get too much into discussing them. Whether subjective or objective, there are some mandatory checks to be done while selecting a technical partner.

Mandatory Checks before selecting a partner

1) Technical competency

2) Legal checks

3) Communication modes, times, channels

4) Certified, Compliant within the context of your requirement

For the sake of brevity, let us assume that you have reached a decision to induct and infuse new technology, or more technology, into your business. You have your reasons, you made your decision, and hence you are in the deep end now. Maybe you want to open up a new sales channel, or you might want to save costs on existing IT infrastructure. Perhaps you want to take a final decision on setting up a new plant or improve training programs for your staff.

1) Ask your potential digital partner “Why do I need to go the digital way?” and “How best should I leverage technology?”



Ultimately, you are trying to solve a problem or provide a service or build/change a new order or an existing order.

And you are hoping technology,

“THE ENABLER”,

will help you do so. But how?

A potential partner, and an able one, will look at your existing way of working, identify pitfalls, understand challenges and suggest a remedial or new course of action which will not just fix your existing issues or process, but also help you generate new value from it.

In simple terms, they should present you with a road map for taking your business to its next version. And they should help you understand how, in a simple manner, without a bucketload of tech jargon. The clearer they are in convincing you about solutions, proposing alternatives, etc., the better they are. The quality of the answers can be gauged by simple questions like:

What modifications are required to go this route as proposed by the potential digital partner?

How sustainable is this solution they are proposing?

Is this long term?

Are there alternatives? Have they considered the competition?

Will this solution add more value?

2) Look for a domain specialist or one with relevant experience in your domain




Consider this. Your domain or business vertical is very diverse. It has a plethora of products, services, legacy data, use cases, government rules around those, compliance laws, trade rules, etc. What you are essentially doing is trying to take this entire ecosystem of your service or business to the next level with technology. A technology service provider might not be able to understand your domain as well as you do, for a variety of reasons of course. Prior experience in a particular domain gives a unique blend of understanding and know-how.

For example, confidentiality of patient data in a health care solution is not a “good-to-have” feature. It’s mandatory! A tech partner who has knowledge of a compliance policy like HIPAA will be able to deliver better solutions to the customer. Depending on your need, a tech partner who is a domain expert or has experience in a similar domain might be the most important factor in driving your business forward.

3) Partnerships

In addition to providing the core requirements you have, your potential technology partner should be able to evaluate the areas where digital transformation can make a positive impact, i.e provide measurable outcomes. A digital partner should be able to highlight a diverse range of portfolios strung together in partnerships with other customers. Partnerships represent trust. And repeat business from the same partnerships implies quality plus trust.

4) Work culture

Work culture is a very good barometer of a vendor’s working style and, more importantly, integrity. A vendor that creates a work culture which draws its employees to its workplace is a happy workplace. And it’s no secret that a happy workplace is a productive workplace. Work culture is the representation of the organization’s values, beliefs and ethics. It is necessary to highlight that choosing a vendor with a successful work culture might not necessarily work for you. Rather, choose a vendor with a work culture or belief system similar to yours.

5) Adaptability and Flexibility

Process in execution helps an organisation define a measurable scale. It defines the right way of execution and measures any deviation from the defined path. In general terms, processes exist to help deliver better quality results, whatever the endeavour. While these are wonderful qualities for an organisation to have, not all tasks and processes can be defined with precision. Sometimes an organisation has to deviate from the normal order of execution because the situation demands it.

For example, imagine an overnight change in the laws of a country which increases the quality checks for a given product. All things being equal, a flexible and adapting vendor will be able to execute the process within the ambit of the new laws, on the promised timelines, without getting rigidly bound to a fixed way of working, e.g. by executing the steps in the quality check process concurrently wherever possible.

6) Look for a partner, not a vendor

Finally, whatever you seek to accomplish will be driven by a group of people. Process, documentation, prior track record, compliance, recommendations etc are good measurable metrics for selecting the right partner. But as with any partnership or agreement, whether civil or business, look for a partner who believes in your goals.

What drives them or excites them? A need to make lasting change?

Does your requirement motivate them? How?

Can they find any value in this partnership which is not based on money?

Do they believe in your vision? And if so why?

If the answer to these questions is mostly yes, there is a good chance you have met your perfect technology partner.

Finally, a technology partner doesn’t just build solutions and leave. The right technology partner is a co-passenger in your journey. A technology partner begins by evaluating and understanding your business. They share your vision and passion. Then they provide a long-term roadmap with measurable outcomes. They are engineers and designers at heart. Finding the right partner is thus a combination of the right people having the right knowledge with strong values.