Does Your Mobile App Have a Human Problem?

You’ve tested every aspect of your mobile app – functionality, usability, security, performance and more. You’ve tested it with simulators and in the wild. You think you’ve covered almost every angle and that it’s essentially bulletproof, but you forgot the biggest cause of app failure: People.

Yeah, those guys. According to PC World, nearly 80 percent of the vulnerabilities discovered in mobile apps are not the fault of the application code itself, but rather the result of human error.

According to the HP 2013 Cyber Risk Report, though, the application itself is not to blame for most vulnerabilities—you are. HP compiled data from 2,200 applications scanned by HP Fortify on Demand and reports that 80 percent of the vulnerabilities discovered were not the fault of the application code itself.

“Many vulnerabilities were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment,” the report states.

In other words, it’s not your fault! That said, there are some things you can do as testers and developers to minimize the risk of human error. Let’s take a closer look at some of the causes mentioned in the article:

Encryption Capabilities
Both the iOS and Android platforms give developers the ability to encrypt data that’s stored within the mobile app. The problem is, many developers neglect to include this feature and many testers fail to account for it as well. These days, apps that do NOT store some type of personal data are the exception, so if you want to save users from themselves, it’s best to consider encryption as the default option.


Protecting Yourself Against the Heartbleed Bug

By now, you’ve probably heard about the massive security flaw known as the Heartbleed bug. If you haven’t, then here’s a quick summary:

Heartbleed is a flaw in OpenSSL. Occasionally, one computer may want to check on another computer to confirm that the secure connection between them is still alive. In order to do so, it sends out a small packet of data that asks for a response – like a heartbeat.

However, researchers discovered that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end into sending back data stored in its memory. To make matters worse, it has recently been realized that the flawed code has been in OpenSSL for the past two years, and exploiting it doesn’t leave much of a trace.

This raises several important questions, not only for testers and developers, but also for the average web user. Let’s take a look at a few in particular:

1. Are You Affected?
Probably. Since hundreds of thousands of sites were affected, chances are that you have used at least one of them on a fairly regular basis. While there is no way to tell with 100% certainty, many experts are urging people to take the necessary precautions, which leads us to our next key question…

2. How Can You Protect Yourself?
According to Business Insider, the best way to tackle this problem is to assume that the worst has already happened. Most major service providers are already updating their sites and taking proactive security measures, but you should also go through and change your passwords, and assume that your accounts have already been compromised (as awful as that sounds).


Major Security Loophole in an Estimated Two-Thirds of Web Servers

If you haven’t already heard, today brought a huge piece of security news to the tech world.

Researchers reported that an estimated 66% of the world’s servers have been affected by a real-world crypto bug that could expose all types of sensitive data. This hits everything from online retailers to banks that offer online banking – you name it.

According to Dan Goodin of Ars Technica, the defect is in the cryptographic software library that an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other data:

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

‘Bugs in single software or library come and go and are fixed by new versions,’ the researchers who discovered the vulnerability wrote in a blog post published Monday. ‘However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.’


How Testers Can Help Regain the Trust of Users

Stop me if you’ve heard this before: Users are becoming increasingly uneasy with the way in which apps collect, store and share their personal information. It’s a story we’ve discussed a lot here on the uTest Blog over the years (and more recently, on the Applause Blog), but unfortunately it’s a story that isn’t going away anytime soon.

Late last week, MEF Global Chairman Andrew Bud penned a thoughtful guest post for VentureBeat on this very topic, where he argued that trust in apps is on a downward trajectory. In his view, it all has to do with personal information.

In many ways, the apps economy runs on personal information. It’s the currency – the lifeblood – and the main reason why apps can succeed with a freemium model. As Bud argues, it’s also the reason why trust is quickly declining. He writes:

What underpins this transactional relationship is consumer trust and it follows that, for the mobile industry, this should be the watchword for how mobile businesses build and retain customers. The less confidence people have in their mobile device, the less they will use it and the apps on it. That’s bad news for everyone.

Yet for almost as long as apps have been on the market, consumers have been bombarded with stories in the press and across social media platforms that raise privacy concerns about the way apps gather and store and use personal information. As an industry we have a long way to go.

He backs his opinion with some hard figures from a recent MEF/AVG Technologies study, which found that:

40 percent of consumers cite a lack of trust as the reason they don’t purchase more via their mobile — by far the most significant barrier. And it’s getting worse. In 2012, 35 percent named trust as an obstacle compared to 27 percent in 2011.

Second, 37 percent claim a lack of trust prevents them from using apps once they’ve installed them on their phone. Third, 65 percent of consumers say they are not happy sharing their personal information with an app.

Hard to argue with numbers like that. So what’s to be done? While Bud places a small amount of the burden on users – arguing that they should be more aware of the threats – he places most of it on the industry as a whole: marketers, developers, publishers, aggregators, executives and so forth.

And to that I would add software testers.


4 Security Lessons From the Great Bitcoin Bug

Think twice before trusting us with your personal information…said no 21st century business ever. Whether it’s the swipe of a card at a local convenience store, or that social media app you always find yourself on, using software that could potentially compromise your information is the norm, not the exception.

We’d go insane if we worried about every single transaction that could lead to identity theft or a depleted bank account. So instead, we put our trust in the technical leadership of brands to avoid these disasters on our behalf. Most of the time, there’s nothing to worry about. Most of the time.

Mt. Gox, the world’s largest Bitcoin (digital currency) exchange, recently lost track of 740,000 Bitcoins, resulting in a projected $350 million loss after hackers allegedly planted a bug into the system. Here’s the scoop:

“In its announcement on Monday, Mt. Gox said that a bug in the Bitcoin software made it possible for someone to use the Bitcoin network to alter transaction details to make it appear that a Bitcoin transfer had not taken place when, in fact, it had.”

Mt. Gox reportedly handled about 80% of the world’s digital currency! Trading and withdrawals were halted, users were greeted by a blank page on its website, and the “cryptocurrency” industry is now dealing with a major blow to its validity. There are lessons to be learned from this heist on the Bitcoin network, both for software developers and for consumers alike. Here are four, in no particular order:

Lesson 1: If a system can be hacked, it will be hacked. Someone will always try to get their hands on valuable information. Whether it’s the stealing of credit card numbers directly, or the selling of emails and passwords on the internet, criminal hacking is a business – a very big business in fact. So stealing Bitcoins (a currency stored in virtual wallets and not backed by any country’s currency) and exchanging them for another currency? An internet thief’s dream come true. The same is true for any company really: If there is sensitive data to be had, it’s only a matter of time before someone goes looking for it.
