Category Archives: Mobile App Testing

Mobile security reality check: What you really need for protecting your phone

To hear the headlines scream it, mobile security is already a lost cause. Android is the king of mobile malware! Umpteen gazillion rogue apps found! THE HACKERS ARE SNOOPING YOUR SNAPCHATS AND SEXTING YOUR GRANDMA!

It’s enough to make you want to wrap your phone in tinfoil and cower in a corner somewhere—but don’t believe the hype.

The sky isn’t falling, and your phone isn’t sending illicit photos to your grandmother. While you may want to slap a security app on your phone, it probably isn’t for the reason you think. And those rogue apps? If you aren’t an idiot, the odds of your installing a malicious mobile app are almost infinitesimally small.

Welcome to your mobile security reality check.

Much ado about (very slightly more than) nothing
Here’s the thing about all those ominous-sounding reports: Most of them originate from the very antivirus companies looking to sell you security solutions—so they’re not exactly impartial.

Fortunately, I managed to track down honest, straightforward experts from three noted security firms: Lookout, which offers a popular security app for Android devices; McAfee, which needs no introduction; and AV-Test, a highly respected independent institute that specializes in technology security.

All sang the same tune when it came to malicious mobile threats.

"If you follow simple precautions such as sticking to the Google Play Store, not downloading things from suspicious sites, and not clicking on suspicious links in emails you weren’t expecting, then you’re pretty safe," says Marc Rogers, the principal security analyst at Lookout. "Google has a very effective app vetting process in place."

Fear not, iOS lovers: Apple’s approval process is even more stringent.

Andreas Marx, the CEO of AV-Test, agrees with Rogers. "The mobile malware situation for US and European users is not yet problematic; the majority of malware is spreading in China and Russia only.

"Google Play is not entirely safe to use," Marx continues, "but it’s well maintained and even when malicious Apps are able to ‘enter’ the market—criminals are working hard on this—the apps are getting removed quickly. Google can also remotely wipe malicious apps from your phone if they see a very big risk."

But…
Sweet! So you can leave your phone AV-free and carry on with life blissfully stress-free, right? Not quite.

All three organizations reported that they’ve been seeing an increase in targeted malware that skirts the precautions Google, Apple, and other platform protectors have installed—think malicious websites, third-party app stores offering free versions of popular paid apps, and phishing emails containing poisoned links or apps.

While the threat to the average person is still small, the bad guys are definitely getting smarter. Lookout recently identified the BadNews malware family, which disguised itself as an everyday ad network to sneak 32 apps into Google Play, and then began acting maliciously only after those apps had been downloaded between 2 million and 9 million times. The damage was limited mostly to Russian users, however.

Built-in app store security doesn’t protect against trickery like that. Now for some not-so-delicious irony: Android typically gets hammered as being the more vulnerable operating system, compared with iOS, but Marx says iOS is actually more vulnerable to phishing attacks since Apple’s App Store has few viable antimalware apps.

What’s more, the contents of our mobile devices all but ensure that those unfriendly efforts will continue.

"Think about it: Your phone is, for all intents and purposes, a computer," says Luis Blando, vice president of mobile product development at McAfee. "It has every single bit of corporate data that your company wants to protect. Much more worrisome, it has your calendar, your Amazon account, God knows what else. As a target, phones are absolutely irresistible [to hackers]."

Slightly hyperbolic? Maybe. But it’s also very true, and that has led AV-Test to revise its recommendations for mobile security.

"The situation is changing," says Marx. "More and more attacks are targeting mobile users in the US, so it’s getting more risky. Therefore, we recommend using security software on your Android. Last year, we said ‘It’s an optional component, but it will get more essential in the future.’ Now we argue: Use it."

Don’t misunderstand: If you’re smart and careful, the threat of infection is still fairly small. But with more and more bad guys trying to sneak their way onto your phone outside of the app stores, running Android unprotected is a risk.

Even if you don’t have much cash, you can keep your phone fairly secure using one of the freebie Android security apps that are out there, including offerings from Lookout, AVG, Avast, and others. However, sticking to no-cost solutions usually leaves you out in the cold when it comes to security features that are arguably the most handy-dandy.

The real reason you want a security app
Even if you barely surf the Web and rock impeccable security habits, it’s still recommended that you pick up a security app.

Mobile security, you see, isn’t all about malware.

Mobile security apps are more important for their non-malware-related tools.

"One of the biggest mobile security risks is actually losing your phone," Blando says. "When you lose your phone, it’s not only the cost of the device, but also the cost and hassle of losing its data."

That’s especially so when your phone is stolen. People’s entire lives are stored on their handset, open to anyone that picks it up. Study after study shows that few people lock their phones, and losing mobile devices is an all-too-common occurrence.

In the past year, the "Find My Phone" feature in Lookout’s mobile app was used more than 9 million times, or roughly every 3.5 seconds. Half of all robberies in San Francisco and 42 percent of all robberies in Washington, D.C. are related to smartphone theft, the New York Times recently reported.

Apple’s iPhones have robust features against phone loss that can be set up with minimal hassle, including remote locking, wiping, and phone-finding capabilities. Android’s antitheft options aren’t quite as beefy, prompting experts to recommend picking up a third-party security solution.

"The question ‘What can you realistically expect from a mobile security suite?’ is easy to answer," says Marx. "To help you when your phone is stolen or lost, to either help find it and/or destroy the data on it."

While free security solutions sometimes work a few anti-theft tools into the mix—witness Lookout’s Find My Phone—virtually all security providers tuck the most helpful backup, location-finding, and remote control options into their paid-for offerings.

In other words, while careful users can usually get by with a free security program on their PCs, cheaping out on your mobile Android security means you won’t have access to the features that you’d really, really need if you ever lost your phone.

The no-nonsense recommendation
So that’s where we stand today. What does it mean in terms of actual product recommendations?

If you’re walking around with an iPhone in your pocket, there’s no pressing need to buy a mobile security solution. Not because iOS is inherently safer than Android—if you’re even the slightest bit cautious, all mobile operating systems are highly secure—but because Apple already offers phone-finding and back-up features, and because none of the scant security options available in the app store can really protect against the increasing risk of phishing attacks and other “back door”–type malware.

The situation’s a bit different on Android. You’re going to want a free security app at the very least, and we recommend paying extra for a premium security app to gain access to those crucial remote security features. (Again: If you ever need them, you’ll really, really need them.)

Which app should you buy? Our mobile security app roundup can help answer that question, as can AV-Test’s superb (and independent) Android testing results.

But save your money if you’re using a BlackBerry phone. Robbers don’t want your device anyway.

Parting words of wisdom
“But wait!” you cry. “What about metrics! You didn’t delve into the hard stats! I read this report…”

Hopefully, this reality check made sense sans all the numerical gobbly-gook. But regardless of whether or not you’re a stat freak, consider these parting words of wisdom from Lookout’s Rogers, and keep them in mind the next time you read a hysterically screaming report about mobile security.

"A lot of people have latched onto the idea that there’s a large variety of Android malware that’s out there, kind of implying that there’s been some kind of huge explosion—but that’s not really the case," he says. "…Don’t get hung up on the numbers."

And when you do see numbers, give ‘em a thorough eyeing. "Android threat doubles in the past year!" sounds scary, but if that means there are now 10 malicious apps where there were once five, it’s not worth worrying about. A good rule of thumb from the Lookout team: If you see percentages in an Android malware report, ignore it completely unless hard numbers back up the sensational headline.

Source: http://www.pcworld.com/article/2038836/mobile-security-reality-check-what-you-really-need-for-protecting-your-phone.html


Microsoft testing new Facebook app for Windows Phone

Microsoft has announced that it is testing a new Facebook application for Windows Phone devices.

The software giant is encouraging users to sign up for the service’s beta test and report any bugs they encounter.


Facebook is undergoing a radical overhaul on Windows Phone, with new features including support for high-res photos, post sharing and Facebook Timeline added.

The new application is similar in look and feel to the latest Android and iOS editions of the social networking service.

The existing Facebook version 4.2.1 will remain available through the Windows Store until its successor is rolled out.

Microsoft is yet to announce a release date for the new Facebook app.

Source: http://www.digitalspy.co.uk/tech/news/a477737/microsoft-testing-new-facebook-app-for-windows-phone.html


The mobile testing challenge: How to improve your UX and prepare for the future


It’s one of the biggest headaches for mobile developers and organizations launching mobile initiatives, and one where the most capital can be wasted: mobile testing.

Since testing can amount to as much as 10 percent of a mobile development budget, this headache can quickly avalanche into a disaster without the right direction and tools.

So what options are available to help companies get through this frustrating period before launching a mobile application? It’s easiest if you consider the four types of testing — unit, functional, data, and user experience — as building blocks that can be put together to create more comprehensive testing.

Unit testing: the basics

Put simply, unit testing is about testing individual functions in isolation. By testing each part of an application on its own, developers can detect problems before they reach the tester and ensure that QA and uniformity are part of the process from the beginning.

Functional testing: going through the motions

As a mobile “tester” goes through each motion in a test case, functional testing monitors the behavior of the application by examining the inputs and returns from each action that was called by the user — every swipe, tap, input, and other gesture.

As any developer would tell you, a poorly written defect is frustrating, and understanding what a tester did to produce an error is important. Using a concept we call “retrospection,” you can visually track what testers do and record a complete history of their actions, including lifecycle events.

Data testing: validating and integrating

With data testing, a mobile developer is looking to ensure integration quality and to validate the data before it reaches the application. This is one of the more critical steps for developers, as it can be a major hold up for mobile applications if backend systems are live but not functioning as expected, using a different version of code, or are undergoing development or updates themselves.

There’s nothing like opening up 50 or 60 tickets from testers when a backend system isn’t working like it should. So the holy grail here is to validate the data before it reaches the application, regardless of whether backend systems are live.

UX testing: getting it right the first time

There are several approaches to user experience testing out there that focus on text overruns or the location of a specific object on the screen, including image comparisons using screenshots; but in my opinion the best approach is user interface (UI) layout testing that focuses on how items are aligned on a page.

When combined with a powerful mobile visualizer, you can truly compare and contrast the changes a developer has made to the layout of a mobile application. Further, user experience done well can help developers eliminate the challenges posed by using human testers.

The multi-channel problem: what’s coming down the road

As businesses start to move towards a multi-channel mobile strategy that aligns everything from a website to mobile apps to kiosks, they’re also going to need a way to test apps for all these channels. But if you thought just building a multi-channel app was hard, try finding a good way to test it.

At my company, one of our clients reported that prior to working with us, they spent a third of their launch timeline on testing. That’s just not going to be feasible as we move into a world where consumers and organizations want updated, fully functional mobile presences at the drop of a hat.

The reality is there are a plethora of products on the market that do portions of testing, but they often require you to buy separate testing suites for each channel — one for web, a bolt-on for mobile, etc. You also have to buy these tools from separate vendors, which adds the complexity of making sure they integrate and communicate well with each other.

What we’re going to see is a radically new and different approach to mobile testing. It’s an area ripe for innovation, where mobile testing will become significantly more automated. This will enable developers to leverage smaller building blocks earlier and give them the ability to build larger, consistent, and repeatable tests that are less costly and catch bugs early.

Source: http://venturebeat.com/2013/05/10/mobile-testing/


Are mobile apps truly enterprise-secure?

Many companies have embraced the BYOD trend. They may even have developed applications that enable employees to have 24/7 access to business data and tools. The benefits can be counted in productivity boosts and flexibility, but there is a real and present danger that is being ignored all too often.

How many of these enterprise apps have undergone security penetration testing? Could the mobile apps your business uses be jeopardising your data security or even regulatory compliance?

What are the risks?

We are seeing a dramatic rise in the number of threats challenging IT departments globally through mobile platforms. Malware has become commonplace and Trojans are used to collect sensitive data from the host device.

There is also a worrying growth in the number of online attacks that seek to exploit vulnerabilities in software. A staggering 56% of exploits blocked by Kaspersky in Q3 of 2012 used Java vulnerabilities.

Malware can find its way onto your employee’s smartphone via emails, text messages, spoofed websites, browser hijacks, and apps or other content they willingly download. If you consider that the device is a potential access point to your network, and that it’s likely configured for automatic entry, then you can start to see the risk.

Many app solutions are not secure

It’s important to have secure apps that are easy to use. Many employees will seek out their own tools for collaboration and may use popular cloud-based apps that are designed for the mass market. The trouble is that these apps are not designed for enterprise use and they don’t have enterprise level encryption.

Even when developers are engaged to create apps for businesses the security credentials are often an afterthought. You can’t assume that the developer will provide the level of security you require. It must be explicitly agreed in your contract and it must be tested and verified by a third-party. You cannot afford blind trust; there must be some form of due diligence.

Tips for secure apps

Consider how the app is accessing your network. You need to authenticate the user and encrypt data in transit and at rest. The process must be secure and fully tested for all of the mobile platforms that you intend to support, whether it’s Windows Phone, BlackBerry, Android, or iPhone iOS.

Access to the app should necessitate some authentication from the user. Remote lock and wipe of data from mobile devices is essential in case the device falls into the wrong hands, and passwords are pointless if automatic log-on is possible. You have to strike a balance between convenience and security.

You might be confident in your company firewall within the wired network of your office, but what happens when an employee connects to a public Wi-Fi hotspot? You need to consider deep packet inspection at the network gateway.

Application traffic must be monitored carefully. Maintain an audit trail for all data access. Monitoring and reporting is often an important factor in meeting regulatory requirements. It’s also important to consider other device features such as SMS or Bluetooth, which could mix with the application layer.

Testing is essential

It’s one thing to outline your requirements, but quite another to verify that your shiny new enterprise app meets them fully. The only way to be certain is to conduct proper mobile security penetration testing. The ideal approach is to engage a third-party with no vested interest to put your app to the test.

They will bring the right blend of skills and experience to bear. It’s not just about employing manual and automatic tools to audit your mobile application, but also about having the know-how to probe for weaknesses and uncover vulnerabilities that can be exploited.

If you want to believe that your mobile apps are secure enough for enterprise use then you must put them through penetration testing. App developers can benefit enormously by including this process as part of the development cycle but since getting the app to market overrides concerns for security, far too few bother with pen testing. 

A few rounds of testing and tweaking can result in a secure app that’s fully credentialed and compliant with industry regulations. As a prospective buyer, you should demand nothing less.

Source: http://www.appstechnews.com/news/2013/may/02/are-mobile-apps-truly-enterprise-secure/


IBM Makes Enterprise Mobile Security Move


Since purchasing Worklight in January 2012, IBM has quickly made the app-building platform the centerpiece of its enterprise mobility catalog, now one of the most comprehensive on the market. Big Blue continued that trend Monday, partnering with mobile security vendor Arxan Technologies to make apps created with Worklight more impervious to malware and other attacks.

As a standalone news item, the deal adds another ostensibly attractive piece to IBM’s offerings. Perhaps just as significantly, it also adds a new fork to the increasingly complicated path businesses must weave as they attempt to integrate smartphones, tablets and the bring-your-own-device (BYOD) phenomenon into the workplace.

For Worklight developers, the new product — tongue-twistingly called Arxan Mobile Application Integrity Protection for IBM Worklight Apps — adds beefed-up mobile app security without disrupting existing workflows. Though iOS’s centralized app store gives it a security advantage over Android’s looser rules and malware-prone unofficial marketplaces, Arxan VP of business development Jukka Alanen said in an interview that virtually any mobile app can be cracked in just a few minutes. Virus-injected versions of popular apps are freely available, and blithely installed by users, he said, from sources throughout cyberspace.

The IBM-Arxan union seeks to protect Worklight apps from these threats via a variety of defenses. Apps can detect illicit behavior, for example, and both shut themselves down if they observe a problem and also issue alerts.

In addition to thwarting attacks while they happen, the product is also designed to make apps tougher to crack in the first place. Alanen said that even unskilled hackers can make progress against unfortified apps thanks to rootkits and other black market malware tools. But with the randomization applied by the Arxan-infused Worklight, he said, the task of decompiling and cracking apps turns into an intense and time-consuming technical challenge that few malware authors can manage.

This protection is applied via "guards" in the binary code that obfuscate the app’s programming, apply extra encryption and otherwise make it more difficult for hackers to see how the app can be exploited. Hundreds of these guards can be implemented into a single app, if the developer chooses, with each one occupying a small, seemingly innocuous footprint that is difficult to detect within the overall body of code. The fact that each guard can independently apply obfuscation only extends this effect; each one can disguise itself in thousands of ways, meaning multi-guard networks can offer millions of permutations of defense.

To businesses such as financial institutions, whose apps transmit particularly sensitive data, products such as Worklight have an obvious place. But is this sort of proactive security a necessity for all enterprises? That’s the urgent, and potentially expensive, question many businesses face as they attempt to turn smartphones and tablets from employee-friendly endpoints into productivity-enabling business devices.

The decisions are numerous. For a company whose mobile needs involve mostly document-sharing or light collaboration, Worklight represents a particularly costly and complicated solution. Depending on the sensitivity of the data, Dropbox, Teambox, Office 365 and other cloud-based approaches might be a better investment. When mobility plans start to include more complicated apps that need to hook into varied corporate backends, however, the challenges multiply. Are off-the-shelf apps adequate? If they need to be independently developed, is it better to work in-house or to hire a contractor? Should the apps be native, or is it practical to avoid OS fragmentation by relying on HTML5?

Source: http://www.informationweek.com/security/mobile/ibm-makes-enterprise-mobile-security-mov/240153882


Let Chinese companies handle your mobile app testing services

Any defect in a mobile application can frustrate users and lead to lost time and productivity. The most important advantage for application developers lies in the reliability and quality of their mobile software products.

Outsourcing mobile app testing services brings many benefits. Most testing companies offer round-the-clock testing, which can save you time in releasing your products. And as experts in this field, offshore mobile application testers have predefined test models and defect-tracking mechanisms. In most cases they can deliver effective and alternative solutions more efficiently.

In China, software testing is booming in general. Mobile app testers are trained systematically. Numerous institutions have been set up in China to train mobile app testers, which can strengthen the testers' skills. In addition, outsourcing mobile app testing services to China ensures the quality of the products. Testing companies here are also equipped with advanced testing technology, which means that software functions can be improved within a short period of time by outsourcing mobile application testing services to China. And it is very inexpensive. All in all, outsourcing mobile app testing services to China will not disappoint you.

UniTesting is a professional and independent software testing provider offering a wide range of software testing services in China, including Mobile Testing / Wireless Testing / Mobile Application Testing such as iPhone app testing, Android app testing and Windows app testing, among others. Simply outsource your software testing work to UniTesting, because our company guarantees the quality of the software.


Why Software Testing for mobile applications is different? Top 10 reasons

We have witnessed the transition from desktop to web and are witnessing another transition from web to mobile. I have been thinking about a blog series around testing mobile applications for a while and this is the first blog post in the series. In the coming few weeks, I will try to cover various topics / products / approaches related to testing mobile applications. I will focus on Android to start with and will move on to other platforms.

Before I delve deeper into the subject – it is important to understand how testing mobile applications is different from testing browser / desktop applications. If we understand the distinction and challenges of testing mobile apps, it will be a bit easier to tackle them.

1. Supported platforms & devices – you have more combinations to test
Desktop apps were usually targeted for specific platforms and it was relatively easy to access those platforms. Web based applications made it a bit more challenging by adding another dimension – browsers.

Mobile applications take the complexity of supported platforms to the next level by adding devices. Ensuring that mobile apps work on all types of devices (smartphones, tablets and phablets) supplied by major brands (various models from Samsung, Sony, Nokia, HTC, Apple etc) and on all the platforms (iOS, Android, Windows, BlackBerry etc) is challenging. On top of that, new devices hit the market so often that it becomes impossible to cover all the major devices.

In the mobile world, it is important to create something on the lines of graded browser support used by Yahoo to ensure that major platforms are covered.

2. Adaptability & Limited space – Screen size is changing constantly
Pretty much all the major players are changing the screen sizes of their phones, tablets and phablets to figure out what works or in response to the competition. Making applications adapt to various screen sizes, layouts and configurations is a challenging task.

Apart from adaptability to different screen sizes, mobile applications have to deal with the limited screen size. Limited screen size means that the user cannot be given 30 different options on a single screen – usability, similar experience, on-screen help, inability to use search or other applications easily etc pose different challenges, and as testers we need to think beyond what is developed and always think of who will use it and in what circumstances.

3. Complex user interaction – More than one way to do everything
User interaction in desktop and browser based applications was pretty much limited to mouse and keyboard. Mobile applications, on the other hand, are trying to make user interaction as fluid as possible. We already had touch screens, and with new phones from Samsung, you can just wave your hand to give commands. Siri is becoming more and more advanced and gives us a glimpse of a future in which voice commands may become part of every application. Devices are smart enough to understand complex gestures, eye movement, direction, tilt, movement, acceleration, GPS coordinates, surroundings, sound and so on.

As testers, we need to ensure that the application works as expected when the user interacts with the app in different ways.

4. Application Type – HTML5, Native or Hybrid?
In the desktop and browser world, applications were straightforward. They were either desktop or web based applications. However, with the adoption and support of HTML5 – applications are merging. On all the mobile devices, it is not difficult to find HTML5 applications, Native applications and hybrid applications. Testing for hybrid application would be different from testing native applications and it is important to understand that difference.

5. Dependency on emulator / simulator – Get devices
For the desktop and browsers, developers always had access to the platform or browsers they were targeting with their applications. Also, virtualization has become more or less commonplace and can be trusted for desktop and browsers.

Mobile development, on the other hand, relies on emulators and simulators. However, they are still not a true representation of the devices. It is also not possible to replicate advanced user interaction on these simulators. As testers, we have to be aware of the capabilities and limitations of these emulators / simulators and figure out what can be tested reliably on them and what cannot.

6. Security & Privacy – You can’t touch me but I can.
Though most mobile applications live in their own sandbox, many platform features are accessible to them. For example, applications such as the phone book, pictures and videos are accessible to many other applications. These are all personal user data – and any defect around the (unintentional) misuse of this data can jeopardize trust in the application.

In the mobile world, it is important to ensure that applications are secure from intruders, and it is equally important to ensure that applications are not intruding or accessing data unintentionally.

7. Dependency on Network / carrier – more variations
In the desktop and web world, most users were either on LAN or wireless. These networks were not entirely predictable, but compared to mobile networks, they were very predictable. Many connected mobile applications rely on the network – how the application responds to 3G, 4G, weak signals, no signal, strong signals, switching from cellular to wireless and vice versa, or the user moving at different speeds can all affect how the application behaves. It is often not possible to come up with or simulate real-life situations for mobile applications.

Apart from the variation in signal strength and type, mobile apps can respond differently to different carriers. As a tester, it is important to understand whether there are any differences and whether the application works for all the major carriers.

8. Installation, removal and upgrade – Would you come back?
Mobile apps are installed, removed or updated more frequently than desktop applications. The underlying OS and platform are updated more frequently as well. As an app developer and tester in the mobile world, you have to be on top of what changes are coming in the next revision of the OS / platform and how they might affect the application.

For most applications, user data is usually stored on the servers and not on the devices. This makes installation a bit tricky – what if the user has multiple devices, what if multiple devices have different versions of the application, and so on.

Things like backward compatibility, simultaneous support for multiple versions, data preservation, restoring state and data, and the ability to install / upgrade multiple times are all important checks in mobile application testing.

9. Session Management & Interruptions – Who’s calling?
Handling interruptions is a way of life for mobile applications. Apps and users are constantly interrupted by calls, SMS, push notifications and so on. How applications handle these interruptions and how they maintain their state are important, but it is also important to see how many interruptions the application itself generates and what triggers them.

As a tester, it is important to ensure that the application behaves properly when it is interrupted, and also that it does not interrupt unnecessarily and works within the boundaries defined by the platform or the user.

10. Mobile specific Non-functional testing – and you thought it’s over.
Mobile applications add many more dimensions to non-functional testing. Old-school application performance is the obvious one, but there are many other factors that should be considered as well.

How much data does your application consume? How much would it cost the user (in data usage) to use this application? How much battery does the application consume? Does it behave differently in high-battery and low-battery conditions? How much space does it occupy? How much of a trail does it leave? How does it clear its trails / logs? These are all important non-functional factors that should be considered as part of a mobile testing strategy.

So these are my top 10 reasons – and I am sure there are more reasons. What else makes testing mobile applications different from testing desktop or browser based applications? Let’s discuss.

Source: http://www.testinggeek.com/why-software-testing-for-mobile-applications-is-different-top-10-reasons

Verify the security of your mobile apps

The enterprise is increasingly turning to mobile app developers for solutions to leverage interest in BYOD. Gartner estimates that 70% of mobile professionals will conduct their work on personal smart devices by 2018. The app development boom has fostered a competitive environment for developers and there is a focus on speed. But in the rush to deploy enterprise apps and start reaping the benefits, it is easy to overlook key security risks that could cause irreparable damage to your business.

As developers create apps to run on multiple platforms and plug into existing ERP systems, vulnerabilities grow. From insecure data storage to improper session handling, from side channel data leakage to weak server-side controls, there are many risks to consider and robust penetration testing is an absolute must.

Start at the beginning
Security should not be an afterthought. If you place too much emphasis on speedy delivery then pressured developers are liable to sideline security concerns. They may have the expertise to create the functionality you need, but all too often developers lack the knowledge to deliver enterprise-standard security that stands up to regulatory compliance standards. The earlier in the process that security is factored in, the more time and resources you’ll save down the line.

There are also major differences between the main mobile platforms and the level of security they offer for app developers. It’s worth considering operating system-based points of attack when you make your choice, whether it’s jailbreaking on iOS, rooting on Android, or known vulnerabilities in encryption mechanisms.

With a focus on security implemented at the start of development you can alleviate doubt when it comes to deployment. You should think about automated unit testing, regular code reviews, using standardized libraries with security credentials wherever possible, and insisting on penetration testing as part of the QA process. Do your due diligence and get assurances about your security concerns at the outset, before development begins.

Cracking the cloud
The majority of mobile applications are going to connect to Web applications and exchange data so developers cannot afford to forget the Web application layer. Developers need to consider the services that mobile apps are using in the cloud and ensure that encryption covers the data on every step of its journey. Storing sensitive data like unencrypted passwords in data cache files is all too common. In the cloud, in transit and on the local device, there must be encryption and protection at all times. Integration is at the core of the issue. You can’t focus on the mobile app to the detriment of remote authentication or the cloud platform. Third-party services and systems must be assessed in terms of their security as well as their utility. A chain is only as strong as its weakest link.

It’s vital that attempts to break that chain are not half-hearted. Only a third-party organization with no vested interest in the development can provide the peace of mind you need when it comes to thorough security testing.
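One way a tester can check for the unencrypted passwords in cache files mentioned above, as an added example that is not part of the original article. It assumes the app's data directory has been copied off a test device and read into a dict of relative path to bytes; the key-name pattern, the entropy threshold and all function names are assumptions made for illustration.

```python
import json
import math
import re
import xml.etree.ElementTree as ET

# Key names that suggest a credential (assumed list; tune it per app).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

def looks_plaintext(value):
    """Heuristic: ciphertext is long and high-entropy, a typed password is not."""
    probs = [value.count(c) / len(value) for c in set(value)]
    bits_per_char = -sum(p * math.log2(p) for p in probs)
    return bool(value) and (len(value) < 20 or bits_per_char < 4.0)

def json_pairs(node, key=""):
    """Walk nested JSON and yield (key, string value) pairs."""
    if isinstance(node, str):
        yield key, node
    elif isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else ((key, v) for v in node)
        for k, v in items:
            yield from json_pairs(v, k)

def file_pairs(name, data):
    """Key/value pairs from Android shared_prefs XML or a JSON cache file."""
    try:
        if name.endswith(".xml"):
            strings = ET.fromstring(data).iter("string")
            return [(e.get("name", ""), e.text or "") for e in strings]
        if name.endswith(".json"):
            return list(json_pairs(json.loads(data)))
    except (ET.ParseError, ValueError):
        pass  # unparsable file: nothing to report
    return []

def scan(files):
    """files maps relative path -> bytes; returns sorted (path, key, verdict)."""
    return sorted(
        (name, key, "plaintext" if looks_plaintext(value) else "opaque, review")
        for name, data in files.items()
        for key, value in file_pairs(name, data)
        if value and SENSITIVE_KEY.search(key))

# Constructed sample: a plaintext password and an opaque (possibly encrypted) token.
SAMPLE = {
    "shared_prefs/login.xml": b"<map><string name='password'>hunter2</string></map>",
    "cache/session.json": b'{"user": {"name": "alice", "auth_token": '
                          b'"q3VZ8mK1xR7tLw0PfN5cYhJ2sDgU9bEaoT4iWkMz6XyB"}}',
}
```

`scan(SAMPLE)` reports the password as plaintext and the token as opaque. An opaque verdict still needs manual review, because a bearer token stored in the clear is high-entropy too.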

Testing techniques
One of the reasons that secure development for mobile apps is so challenging is the lack of established standards and the scarcity of useful tools and resources. Security expertise on one platform does not guarantee expertise on the next. Threats must be modeled and a methodology is required for security testers on each platform.

Without an expert understanding of potential weaknesses it is very hard to verify the security of a mobile app. A glance at the Open Web Application Security Project gives you some idea of the enormity of the task. It is a serious challenge, but not an insurmountable one. Attacks can be focused on the browser, the device, the app, the platform, the network, or even your web server and database. In order to uncover vulnerabilities and expose loopholes you need several rounds of expert mobile security testing.

Fixes during development can introduce new issues so don’t engage one test cycle, plug the gaps and then assume the app is secure and fit for deployment.

The good news is that secure development for mobile apps is achievable and it can be done at a fraction of the cost of a major security breach for your company.

Source: http://www.networkworld.com/news/tech/2013/031413-mobile-app-security-267732.html

Apple Is Beta-Testing An Update That Kills Evasi0n Jailbreak

All good jailbreaks must come to an end.

Late last week Apple released an update for iOS to developers in beta that prevents the use of the popular jailbreak software evasi0n, according to one of evasi0n’s creators who tested the patch over the weekend, David Wang.

Wang tells me that he’s analyzed the 6.1.3 beta 2 update and found that it patches at least one of the five bugs the jailbreak exploits, namely a flaw in the operating system’s time zone settings. The beta update likely signals the end of using evasi0n to hack new or updated devices after the update is released to users, says Wang, who says he’s still testing the patch to see which other vulnerabilities exploited by the jailbreak might no longer exist in the new operating system.

“If one of the vulnerabilities doesn’t work, evasi0n doesn’t work,” he says. “We could replace that part with a different vulnerability, but [Apple] will probably fix most if not all of the bugs we’ve used when 6.1.3 comes out.”

That impending patch doesn’t mean evasi0n’s time is up, says Wang. Judging by Apple’s usual schedule of releasing beta updates to users, he predicts that it may take as long as another month before the patch is widely released.

When evasi0n hit the Web earlier this month, it quickly became the most popular jailbreak of all time as users jumped at their first chance to jailbreak the iPhone 5 and other most-recent versions of Apple’s hardware. The hacking tool was used on close to seven million devices in just its first four days online.

Despite that frenzy, Apple has hardly scrambled to stop the jailbreaking. Evasi0n has already gone unpatched for three weeks. That’s far longer, for instance, than the nine days it took Apple to release a fix for Jailbreakme 3.0, the jailbreak tool released in the summer of 2011 for the iPhone 4, which was by some measures the last jailbreak to approach Evasi0n’s popularity.

Apple’s slow response to Evasi0n is explained in part by the relatively low security risk that the tool poses. Unlike Jailbreakme, which allowed users to merely visit a website and have their device’s restrictions instantly broken, Evasi0n requires users to plug their gadget into a PC with a USB cable. That cable setup makes it far tougher for malicious hackers to borrow Evasi0n’s tricks to remotely install malware on a user’s phone or tablet.

Security researchers have nonetheless pointed out that Evasi0n could give criminals or spies some nasty ideas. The tool uses five distinct bugs in iOS, all of which might be appropriated and combined with other techniques for malicious ends. And F-Secure researcher Mikko Hypponen points out that if a hacker used a Mac or Windows exploit to compromise a user’s PC, he or she could simply wait for the target to plug in an iPhone or iPad and use evasi0n to take over that device as well.

More likely, perhaps, is a scenario described by German iPhone security researcher Stefan Esser. He argues that a hacker could use a secret exploit to gain access to an iPhone or iPad and then install evasi0n, using the jailbreaking tool to hide his or her tracks and keep the secret exploit technique undiscovered by Apple and unpatched. “That way they protect their investment and leave no exploit code that could be analyzed for origin,” Esser wrote on Twitter.

Apple already has a more pressing security reason to push out its latest update. The patch also fixes a bug discovered earlier this month that allows anyone who gains physical access to a phone to bypass its lockscreen in seconds and access contacts and photos.

When Apple’s update arrives, the team of jailbreakers known as the evad3rs may still have more tricks in store. Wang tells me that the group has discovered enough bugs in Apple’s mobile operating system to nearly build a new iOS jailbreak even if all the bugs they currently use are fixed.

But then again, Wang says he hasn’t yet been able to check Apple’s patch for every bug it might fix–either the ones evasi0n employs or those he and his fellow hackers had hoped to keep secret for their next jailbreak. “If they patch most of the bugs,” Wang says, “Then we’re starting from scratch.”

Source: http://www.forbes.com/sites/andygreenberg/2013/02/25/apple-is-beta-testing-a-fix-for-evasi0n-jailbreak/

IBM brings iPhone mobile security to the enterprise

IBM has launched new software to help developers secure code and data in iPhone and iPad apps.

AppScan Source 8.7 for iOS searches through app code and alerts developers when it finds flaws.

The software also analyses apps that employees may want to use on Apple devices for vulnerabilities and alerts IT security staff to potential threats.

Big Blue said the software would improve security without sacrificing the time to market for mobile apps.

Citing Gartner figures, IBM said more than 45.6 billion mobile apps were downloaded in 2012, which is why securing smartphones and other endpoint devices should be a top priority for organisations.

IBM developed AppScan Source by looking at over 40,000 mobile APIs for iOS apps using Apple’s iOS Software Development Kit.

These API profiles have been added to the IBM AppScan Source Security Knowledgebase and tied to the analysis engine.

The software also features complete language support for Objective-C, JavaScript and Java and includes the ability to do call and data flow analysis that will generate trace information. This new capability enables organisations to build secure enterprise mobile apps, regardless of technology choice, for employees and partners.

One of the companies that has been trying out AppScan Source for iOS is mobile technology firm KiwiTech.

Rakesh Gupta, chief executive of KiwiTech, said his firm had developed hundreds of apps for iOS and Android and as the risk from mobile malware and data leakage grows, “our customers are looking for ways to secure their iOS and Android apps and protect corporate data.”

Gupta said the software would help his company “proactively secure mobile apps and automate security testing to ensure our customers can keep pace with constant updates.”

Caleb Barlow, director of Application, Data and Mobile Security at IBM, said the new capability would help clients incorporate “security into their infrastructure and solutions from the design, development and testing phases rather than leaving security to become an afterthought.”

AppScan Source for iOS will be available from 25 March. IBM launched its AppScan range of products in 2008, following the $2.1 billion acquisition of Rational Software. It has previously launched a version of the software that scans Android apps.

Source: http://www.itpro.co.uk/smartphones/19276/ibm-brings-iphone-mobile-security-enterprise
