Agile methodologies and DevOps are widely adopted by many software service providers and consulting companies. The primary driver for this adoption being, faster delivery of products, independent teams, and generally better all-around synergy between the engineering and operations team.
In this DevOps and Agile world, the traditional modes of quality assurance, like manual testing, are not as effective when it comes to quality assurance. Granted, risk analysis, test planning, and test management are still important, but to ensure the same level of quality in an Agile world as before, or even better, organizations are using new skills such as test automation, data analytics, and AI technologies amongst others.
In this two-part blog(IInd part coming soon), we provide an example of such an advanced testing strategy via a checklist for mobile app testing on the two most popular platforms, iOS and Android. We cover a wide spectrum of categories ranging from tests related to how and where to store data, testing the entire authentication flow, code quality, platform interaction scenarios, and many more. You can download the entire checklist here, or for a detailed explanation, read on.
1) Data storage and privacy
Mobile devices are a constant companion in the digital era and are used for various purposes such as entertainment, work, personal, professional, etc. Users interact a lot with mobile devices and invariably enter or store details about themselves. Contacts, bank account, health information, habits and preferences, travel logs, etc. Hence it’s no surprise that the number one priority while testing is data storage and privacy, i.e., to ensure that the app does not “leak” any confidential information.
For Android
No Sensitive information is stored in AndroidManifest.xml file
No Sensitive information is stored in Gradle.properties file
No Sensitive information is stored in any strings.xml folders in apk package
[Shared Preferences Check] Install apk on Android phone (or emulator) and navigate to /data/data//shared-prefs/keys.xml. Verify no sensitive data is being stored there.
[SQLite Databases Check] Install apk on Android phone (or emulator) and navigate to /data/data//databases/. Verify no sensitive information is stored in sqlite dbs
[Encrypted Database] Install apk on android phone (or emulator) and navigate to /data/data//databases and verify databases which have sensitive data are encrypted.
Verify debug logs are disabled on production build. Connect device to your machine , run the following command adb logcat | grep **“$(adb shell ps | grep | awk ‘{print $2}’)” **and verify the logs when app is running
-
Verify input fields that ask for sensitive data for
e.g. “Password” are masked
-
Verify input fields that ask for sensitive data for
e.g. “Password” does not display auto suggestions by default.
-
Verify input fields that ask for sensitive data for
e.g. “Password” , Cut, Copy, Paste options should not work on these fields
By Default Backups should be disabled. In Androidmanifest.xml, verify android:allowBackup is set as false.
If Backup is a requirement, then check that no sensitive data is backed up.
Then run a backup from adb, adb backup -apk -nosystem
ADB should respond now with “Now unlock your device and confirm the backup operation” and you should be asked on the Android phone for a password. Approve the backup from your device by selecting the Back up my data option. After the backup process is finished, the file .ab will be in your working directory.
Run the following command to convert the
.ab file to tar. dd if=mybackup.ab bs=24 skip=1|openssl zlib -d > mybackup.tar
Analyze the backup and check if there is any sensitive data stored.
For iOS
Verify no sensitive data Is stored in App Bundles DB. Run a simulator build, and navigate to
/Library/Developer/CoreSimulator/Devices//var/mobile/Containers/Data/Application/$APP_ID/. read .db files
and verify no sensitive data is saved here.
Verify Keychain
/Library/Developer/CoreSimulator/Devices//data/Library/Keychains/keychain-2-debug.db.
Data stored here should be encrypted
Logs should not have any sensitive data.
Verify input fields that ask for sensitive data for
e.g. “Password” are masked
Verify input fields that ask for sensitive data for
e.g. “Password” does not display auto suggestions by default.
Verify input fields that ask for sensitive data for
e.g. “Password” , Cut, Copy, Paste options should not work on these fields
2) Cryptography Requirements
While it’s important to test if data is stored securely, it’s equally important to verify if data is stored securely, i.e., is it encrypted. This can be defined as “How is data stored” compared to testing “Where is data stored.” Confidential information like passwords, secret questions, and answers, keys should never be stored in a human-readable format. Both Android and iOS use the AES 256 Key algorithm to encrypt confidential information, and app developers must leverage this.
For Android
Verify sensitive data is encrypted when stored in the device. Encryption keys used should be saved in Android. Keystore
For iOS
Verify sensitive data is encrypted when stored in the device. Encryption keys used should be saved in Secure Keychain
3) Authentication and Session Management
Apps usually have a sign in, signup, and authentication mechanism. Authentication identifies a user. Depending on authentication, certain resources are authorized. A user logs in, consumes services, and eventually logs out. This is known as a session. The critical thing in this flow is to ensure that the user is correctly authenticated most safely, and only those resources are allocated to him for which he is authorized.
For Android
- Passwords should have a strong Password Policy. Comprising of Minimum password length should be 8 characters. Password should contain the combination of following characters as mentioned below
a. Lower Case (a-z)
b. Numeric (0–9)
c. Upper Case (A-Z)
d. Non-Alphanumeric (e.g.!, @, etc.)
- If needed 2FA Authentication should be present
- When a password is entered multiple times, then app lockout should be implemented
- Session IDs are always exchanged over secure connections
(e.g. HTTPS).
- Verify The server verifies the session whenever a user tries to access privileged application elements,
(a session ID must be valid and must correspond to the proper authorization level).
- Verify The session is terminated on the server side and session information deleted within the mobile app after it times out or the user logs out.
For iOS
- Verify no sensitive data Is stored in App Bundles DB. Run a simulator build, and navigate to
/Library/Developer/CoreSimulator/Devices//var/mobile/Containers/Data/Application/$APP_ID/. read .db files and verify no sensitive data is saved here.
- Verify Keychain
/Library/Developer/CoreSimulator/Devices//data/Library/Keychains/keychain-2-debug.db.
Data stored here should be encrypted
- No sensitive data should be printed in Logs.
- Verify input fields that ask for sensitive data for
e.g. “Password” are masked
- Verify input fields that ask for sensitive data for
e.g. “Password” does not display auto suggestions by default.
- Verify input fields that ask for sensitive data for
e.g. “Password” , Cut, Copy, Paste options should not work on these fields
Conclusion
This concludes the first part of this series, where we presented a checklist for testing mobile apps in the data storage & privacy category, cryptography requirements categories, and Authentication and session management category. In the next part, we will examine the test cases for the Network communications category, Platform Interaction, Code Quality and Build setting, and Resiliency category.
Original Source: Security Checklist 1
Top comments (0)