Recruitment- The Changing Trends

Use of new technology for recruitment has been around for many years, however, there is now a seismic shift that is altering the ways of interaction between job seekers and employers. Web and smartphones together are changing the level of expectations, making recruitment systems more efficient and rewarding to use. As technology is slowly paving its way in all aspects of recruitment processes, it is reducing cost and time, and increasing overall user satisfaction. There have been many years of slack hiring, and the coming year will witness intense competition in recruitment of IT talent. As a result, recruitment teams are going to be under extreme pressure, and will have to embrace the latest technological trends to stay competitive.

Some of these latest trends have been discussed below:

Advanced Metrics– Recruitment leaders have started to follow the rest of businesses in adopting advanced metrics, and this shift to real-time metrics will enable decision makers know about the latest happenings, and predictive metrics will alert about upcoming recruitment issues and opportunities. This will give the management sufficient time to plan and act appropriately.

Career Portals– With the changing technological landscape, the expectations and long term plans of Gen Y job seekers are changing as well. They want to get accurate feel about the company, want flexible working hours, and are interested in corporate social responsibility (CSR). To cater to the needs of this generation, the career portals need to focus primarily on building a strong relationship with the candidates from the early stages. Company portals must enable the job seekers to understand their interest and competencies, and what job will make perfect sense for them in the company.
blog-graph2
Big Data– Big data is the large volume of data available on the Web which includes forum threads, numbers, blogs, profiles, videos, pictures etc. Many employers are able to identify passive job seekers using external “Big data”. Advanced metrics developed using big data are shifting the recruiting trends towards a data-supported decision model. Smart organizations are using technology to track the online journey of a candidate, such as pages viewed and jobs applied for.

Go Mobile– Mobile phones allow direct application for jobs, and this will become more popular as more and more recruitment-focused mobile apps are being developed. The Mobile Web Watch report by Accenture shows that more than 85% of the people access the web via mobile at least once a day. With faster mobile internet connectivity, larger screen smartphones, and latest apps, it has become much easier to connect and engage with the candidates. Almost 23% of the Google searches that contain the word “Job” are from mobile devices. However, recruiters have not been very adept at this transition to mobile. For the coming year, the impact of mobile platforms will continue to grow and expand.

Branding– Another changing trend is the employer branding as a long-term recruitment strategy. Due to social media, it is quite easy for anyone to spread their views and comments virally. The former or current employees can easily pass on their views about the work environment. Facebook, LinkedIn, Twitter and other social media are transitioning towards smart advertising and are opting for a recommendation-based search so that organisations can approach the right candidates with more precision. Social media can help companies actively position themselves as desirable employers to attract the top talent in the marketplace. Social sharing also helps job seekers understand a company better, its strengths and values.

Impact Analysis– Another changing hiring trend is to demonstrate the direct impact that the recruitment has on business results. Revenue is one of the principal corporate goals, and the recruiters can quantify the revenue impact of great hires, as compared to weak or average hires. Revenue impacts can be monetized, and by making business cases, recruiters can speculate the required funding for the hiring surge.

Move Away from Silos– Recruitment is an integrated process, and cannot work in silos. The succession and recruitment processes must be interlinked, and should not be treated as separate portfolios. Recruitment, talent management and reporting systems need to be integrated, ways to export data must be updated, and analytics applications need to be used efficiently to turn large amounts of data into meaningful information that can provide insights to aid better decision making. Talent management must be treated as a continuous process. Technology can help recruiters pinpoint the exact match, and avoid wasting time sifting through applications.

To save on cost and time, live video interviews are steadily growing in acceptance. They have proven to be quite effective, especially for the initial interview process. Also, many senior executives resist applying for new positions simply because they do not have time to update their resume. Firms can look at their media profiles to initiate the hiring process. This allows them to target the top prospects, who might be interested in changing.
Additionally, using behavioural patterns, biometric data, online skills testing, and proprietary algorithms can also help predict the likely fit. There are behavioural biometrics tests to capture a clear picture of innate behaviours, motivation, aptitude and character that help understand the personality type, and predict the probability of success for a specific job.

Just as advanced technology has touched every part of our lives, it is influencing the professional lives as well. Behaviours, tools, landscape, expectations and generations are constantly changing around us, and recruiters must effectively use new technology to redefine the recruitment process, while improving outcomes for organizations. Recruitment technology offers detailed ways to track sources and combine metrics around time to hire, dropout rates, acceptance rates, and competency and assessment scores. The challenge for companies now is to harness the potential of these information, analyse them, and use them to their advantage to get the best match for the required job.

Promises and Challenges of IoT

Internet of things (IoT) is a phrase which is commonly used to describe a system where physical world is connected to Internet through ubiquitous sensors that communicate with each other without human interaction. Each sensor and control point generates data which can be collected, analyzed and acted-on in the real time. IoT has the potential to alter the way companies do their business by transforming the way they operate, making them more efficient and profitable. The sheer breadth of IoT knows no bounds, and is having a huge impact in enterprise, as well as consumer applications, transforming the way we live our lives. A practical example of Enterprise application is the inventory management on the production floor to save money, time and manpower. And few examples of consumer applications are health monitoring systems, home automation, beacons, wearable devices etc.

IoT Numbers
The penetration for smart devices is sky-rocketing, creating a perfect base for exponential growth for the IoT. It is estimated that by 2020, there will be almost 26 billion interconnected devices (some even say it could be more than 100 billion). As per latest statistics, IoT offer $8 trillion worth of economic opportunity. According to CBInsight, IoT companies attracted over $1billion in 2013 in venture capital, which is 11% increase from the previous year. Purchase of Nest Labs by Google and Body Media by Jawbone has further accelerated the IoT buzz. However, it is not just hype, and the connections are already soaring, growing at the rate of 19% compounded annual growth for the past three years.

Some of the key technologies that are emerging for IOT are lightweight protocols so that devices can communicate and work together, cybersecurity, extensible and unique identifiers for billions for devices that involve remote sensing, intelligent monitoring, advanced analytics and real-time data processing. With the ease of connectivity through broadband internet, more and more devices with in built sensors, Bluetooth, IR and Wi-Fi capabilities are able to connect with each other with lower connecting cost.

IoT in Real Life
So what is the practical aspect of IoT, why we should bother about so many connected devices talking with each other? On the personal level, imagine a world where your car, house keys, television, alarm clock, microwave etc. are all interconnected, giving notifications and feedback when required, executing remote instructions, and improving the overall efficiency of your life. IoT can be associated with kitchen and home appliances, safety and security monitoring devices, lighting and heating products, health and fitness products, waste management systems, intelligent traffic management system and so on. Doctors can immediately analyze the heartbeat data sent from the intelligent devices to diagnose and treat. Real-time traffic data can be sent to the consumer’s GPS. Intelligent devices can quickly make changes in the production system based on the preferences of the consumers, producing a broader mix of differentiated products all across the globe and just in time. From the global perspective, IoT can help us understand how we work and live, and improve the processes, and reduce waste.

There are currently more than a billion Machine-to-Machine (M2M) devices at work in smart meters, sensors, mobile healthcare assets, industrial control systems, smart building, video surveillance, telematics solutions and much more. These are definitely a lot of connections, creating a massive IoT network between people-people, things-things and people-things. Several open standard projects are supported by free open source software and hence this combination works quite well. Giant technologies can further build on the open projects, encouraging widespread use and adaptation.

Challenges
IoT has potential to impact the way we live our lives, however it has lots of complexities and challenges associated with it. Security is one of the most talked about concerns of IoT, mainly due to billions of connected devices. Another important concern could be the massive amount of data that will be produced. Companies will have to find a way to store, analyze, track and interpret vast amounts of data in real time. Some other challenges are connectivity, security, power management, complexity, rapid evaluation without common standards, quality of services, lack of shared infrastructure among players in the IoT eco systems, fragmented M2M and system vendor landscape, and interoperability and easy of deployment. Extensive number of systems are required to manage all the data, enforce access control and enable all the interconnected devices to communicate with each other. This issue can be addressed by using big data analytics which is a process of collecting, organizing and analyzing large amount of data to extract useful information, get fresh insight into data, analyze patterns and identify data which is important in business decision making.

Existing Internet and software methods are modular, highly distributed and loosely coupled. For Internet of Things, we need an open system which is easy to join and transparent to review, open source for quick iterations and easy contributions for rapid development, and stringent IPR rules, neutral government and balanced participation.

IoT offers endless connections and opportunities to take places, however, as of today, it is not possible to comprehend and understand its total impact. There must also be a strong foundation to address the growth challenges in terms of talent gaps, open standards, technology complexities and data policies. When evaluating an IoT solution, the businesses needs to consider four major enabling technologies- Cloud computing, wireless connectivity, Big Data and IT security. For now, we can just educate ourselves, and find innovative ways to reduce loss, waste and cost with the help of IoT.

Improving Testing Effectiveness

Organisations spend significant money, time and effort in testing their applications so that they can get a good return on their investment, and earn goodwill of the customer by providing them a product that offers a flawless experience. This experience can only be assured if the product has been designed well that matches with the customer’s expectations and requirements, and has been tested comprehensively, covering most real-life scenarios.

If the product is released by the company and any bugs are reported by the end users, there is usually a feeling of disappointment, and testing team feels the pressure as they now need to answer several questions from the management regarding their testing procedures and methods. This happens mainly because when the requirements are given to the testing team, the team members tend to intuitively think about the features and start writing their own perception of the functionality and features as test cases. Hence, test cases are entirely based on the level of knowledge and thinking capacity of the testing team, or a testing individual. The reviewers have also limited scope to correct these test cases, or add something substantial to them. The derivative is quite limited, with the possibility that the testing team might have missed or overlooked some important aspects of usability or behavioural issues.

At times, this intuitive or exploratory testing can be quite effective in bringing out quality bugs; however, it is beneficial only when there is expertise in technology, domain and other factors. Additionally, exploratory tests are not documented for regression and the bugs can get re-introduced in the later stages without getting noticed. Hence, it is essential to follow a systematic testing approach to have efficient and effective test cases that can be executed regressively.

This improvement to testing processes starts by providing a complete understanding of the project to each stakeholder. As a part of testing strategy, the best practice is to form a team, comprising of Subject Matter Expert, Product Architect, Senior Developers, Product Manager, Developers, and Automation and Manual Testers for the given product. When all these people work together as a team, more perceptions come out based on the expertise of each, and these perceptions can be documented, that can be used as a reference by the Requirement managers to write the functional specifications, by developers to design and develop the features and by testers to make their test cases.

The quality of testing to a large extent depends on the quality of these test cases that are documented and tested automatically or manually. Although there is not a linear relationship between the efficiency of tests and number of bugs found, however, by adopting the well-defined and documented processes and procedures, the developers become more efficient in reducing the number of bugs, and testing teams can become more effective in finding the bugs at the right stage of development cycle. However, documenting each minor detail can be quite inefficient, and pounding the same path with automation or regression scripts may only give little of any new information. Hence, add deterministic techniques to the testing, and make a practice to communicate and collaborate early. This gives the chance to find most critical bugs. Output of the session based test management of the exploratory tests can be used for regression, and if any bugs are found, they can be turned into automated tests.

To improve testing processes, the testers must also be involved in all the discussions, conversations and meetings regarding the project. QA must be made a part of the software development life cycle, and there should be continuous improvement in the testing processes and testing skills. The testers must be flexible and receptive to the change, and there should be willingness to try new methods and latest cutting edge technologies of testing.

The testing quality definitely depends on who looks, and when and where. It is impossible to have 100% bug free application, however involving several teams in user cases/acceptant tests design or review helps QA to have more comprehensive coverage. This does not mean that everyone should leave their work and get involved in testing. However, some key people can add value to the tests, and participation from the experts reduces lots of rework and penalties that companies have to pay at the cost of goodwill.

Is Production Environment Really Sacred?Testing in Production

I was once tasked with testing a service that was integrated with ATM. We approached a 3rd party ATM Integrator to set up an ATM in our staging environment to test this scenario. The cost involved was very high and our testing budget did not permit us to use a third part ATM integrator. So what was the alternative? It was an unanimous decision in the program steering group to test in production, since the feature was tested properly in the previous version. A couple of internal users were tasked with testing this feature immediately after deploying the newer version to production.

Recently, I have been noticing that testing in production is becoming a popular practice, as part of the defect and incident analysis, or as a concluding test before going live, aiming to eliminate uncertainty, and give confidence to management and operations teams.

There are many factors why organizations are forced to test particular scenarios in production. First, with shrinking IT budgets, organizations are having difficulty in creating test environments that represent the full functionality the production environment contains, some of these include, load balancers, ATMs, SMS Gateways, billing, etc. Most of these aspects are tested using simulators in test environments, but ideally organizations would like actual integration with all these hardwares/softwares in the staging environment, to perform UAT before moving to production. At the same time, business process are becoming more and more integrated, which in turn demands test environments that are connected end-to-end. It is always a challenge to create a test environment that is equal to production.

With advancement of technology, the nature of services that are rolled out is complex. One of the projects I was worked on involved a mobile payment service for financial inclusion, that spanned across multiple organizations, 3rd party integrators, geographically distributed teams, and many stakeholders in the service. For example, we had to work with different stakeholders such as banks, merchants, SMS Integrators, ATMs, payment terminal vendors, billing payment aggregators and mobile payment platform provider. Add to this, all hardwares in data centers like servers, load balancers. Testing particular scenarios in such an integrated environment is possible only in the production environment (or spend huge sums of money to set up and maintain a staging environment with such a complicated integration).

Of course there are many risks associated with this practice such as creating and maintaining test accounts and test data in production, security controls and accountability, testing in production can cause production incidents, postponing real testing until deployment. (a separate blog is required to address these risks). but Testing in Production (TiP) when performed in a controlled manner within the organization’s IT policy, is a better way to ensure elimination of any remaining risks or uncertainity before GTM.

Adopting Agile Testing

The term agile is sometimes used to represent anything that is dynamic or an unstructured way of working with others. However, as per the document “Agile Manifesto” conceived by a group of software engineers, it is a focused and yet rapidly iterative software process adhering to a set of principles, and aims to promote a more efficient, humane and collaborative way of developing computer programs and IT systems.  Agile testing is the practice of software testing for bugs or performance issues that are within the context of the agile workflow. It focuses on the concept of  Whole Team, getting as much feedback as possible on code, and building the quality as early as possible. Agile testing has shorter feedback loop between product owner and team members. Agile testers are an integral part of the cross-functional team, and have their say in all the phases of SDLC (Software Development Life Cycle). The flow of information is uninterrupted due to collocated teams. Let us take a closer look at some of the key features of agile testing methodology, and why more and more companies are adopting it.

Why Become Agile?

Agile and traditional waterfall methodologies differ in terms of mentality of teams, role of testers in the team, and at what stage the testing begins.

  • In conventional testing, test execution does not start until after the complete functional development.
  • In traditional testing methods, there is usually significant delay between when the software is written and developers get the feedback. Defects and bugs are found quite late in the process which can cause serious issues if any major changes are required.
  • If the business requirement changes, it affects the already developed test cases.
  • As the communication and testing is siloed, the chances are that different groups will have different final product expectations.
  • Also, as testing is the last activity before the decided release date, the quality of testing suffers.

Traditional QA engineers rely heavily on documents, however, generating test cases may not be as cut-and-dried in agile, as agile testing QA engineers do not get big requirements documents as a base for test cases, and do not get months to write the test cases. They directly become the part of the communication streams which can be written, verbal or virtual, and collect the information they require. In agile, it is accepted that the change is healthy.  Some of the key features of agile testing are:

  1. In the Agile approach, testers and developers are seen as two sides of the same production coin that meet regularly and compare notes daily. Testers, developers and quality-assurance personnel work closely together replacing siloed functions. The split between software testers and software developers in the traditional waterfall process positions them as separate entities at different points along the production cycle, and this is the most fundamental problem that agile helps resolve.
  2. Agile testing is testing when possible, even as early as requirements gathering phase and there is Test Driven Development (TDD). Agile testing drives development by questioning stories and refining acceptance criteria during the iteration planning. It starts by working on stories, and continues with the TDD.
  3. Agile requires continuous and elaborate collaboration between stakeholders throughout the company, throughout the production process. In each and every phase of the development, testing is an essential component, and quality is built in at every stage through constant feedback from all who are responsible for the final product. Hence, the working versions with essential features of the final system are frequently produced. Each of these working systems are fully integrated and carefully tested, just like final delivery.
  4. It is a team effort where anyone can pick-up and execute a testing task. Developers and design experts also think about the testability of the product and testers can give their inputs in the early stages of software architecture or designing interface.
  5. Testing starts when the Sprint starts and entire team is responsible for the result. Testing includes test planning, build acceptance testing, functional testing, regression testing, demo testing and test automation.
  6. Testers are an integral part of the team, and their experience is fully utilized where they participate in planning and requirement analysis.
  7. The feedback loop is short and testers actively participate in the Retrospective and Planning meetings.
  8. Pair testing can be used together with the developer or other tester. Testers can also help developers create automated tests or design tests which are beneficial for both.
  9. There is continuous integration for every change committed to the source code repository.
  10. Teams switch to agile due to simplicity of the principles, transparent communication with customers and accurate planning.
  11. Agile testing may seem complex, however if implemented successfully, it leads to greater simplicity as it is more risk and priority focused, faster, adaptable, flexible and efficient.

Critics of Agile

The experience of Agile can vary, and for some, it just results in lower quality, chaotic processes, miscommunication, and a bundle of several other issues. A research was conducted by Voke Media with 200 software companies on their attempt to embrace Agile, and their report stated:

Out of over 200 participants, 64 percent said that switching to Agile Development was harder than it initially seemed.  Forty percent of respondents did not identify an obvious benefit to the practice.  Out of those who did, 14 percent thought it resulted in faster releases, and 13 percent—that it created more feedback.  Seven percent of participants noted that Agile developers were happier due to reduced future planning and documentation.

There is no doubt that there are certain challenges involved in implementing agile testing methodology. As testing happens on the fly, there is minimum documentation, which can cause problem if the team member is unfamiliar with the project. In such case, handing over the project to someone completely new can be disastrous as only senior executives are capable of taking the decisions required in agile testing. If the customer is not clear about the final outcome they want, the project can easily get taken off the track.

Additionally, agile testing principles can be quite demanding on the developers’ time, and require their commitment for collaboration throughout the project. Agile testing also requires more effort from the entire team as testing continuously gets modified or interrupted to fit the need of the situation. Agile can be quite time consuming as developers and testers spend a lot of time through the iterations to ensure the best quality throughout the project.

In the agile environment, there are frequent changes in the system, and to test each change, regression testing is required to ensure that there are no new defects in the previously developed features. Planning regression testing is difficult as agile testers are busy testing new stories for current sprint. Hence, it is necessary to have automated tests for previous sprints checked into the source repository.

Inadaptability to Agile could be due to difficulty in leaving the traditional understanding of the roles, and resistance to change. Agile is not a panacea that will solve all testing problems, however, its principles are great tools to reveal several problems, and it is up to people how effectively they are able to resolve them. Agile development and agile testing go hand in hand, and together they complete the idea of agile methodology. Frequent testing along the lines of iterative guidelines are the benchmarks of the agile testing. For the best chances of success, the testing engineers must become embedded agile team members, and embrace agile team dynamics.

Mobile Application Security Testing for Startups

Any startup company developing mobile or web applications go through a great deal of ordeal to deliver these projects. There is always so much to do, always a deadline to meet, and always a crunch of resources (financial and human). While combating all these challenges, it is easy for entrepreneurs to overlook some mission-critical tasks and one of such tasks is Application Security Testing.

Onboard the right resources: For any startup, it is extremely essential to get a good start to the testing culture. So where does this process begin? Well, it starts right from the hiring process. Look for candidates who are curious about technology, are insightful and show willingness to accept and adapt. The candidate should have a passion for testing and should appreciate the challenges involved. It is equally essential that you have a testing team with diverse skills, including platforms, languages, hardware and software.

Identify the target Platform: Keep in mind that the testing matrix can be quite big and complex. Choose your platforms carefully if you have limited resources and time. Ensure that your app works perfectly well on a few selected platforms. Also, as there will always be a limited testing budget and rapidly-evolving application, manual testing is a better approach (until your product stabilizes) as it can help find real bugs and can be altered quickly with the changing features.

Do not miss out on Usability: For a startup planning to launch a mobile application, usability testing is one of the most vital tasks. Evaluate the page layout and color schemes. Ensure that the layout is intuitive. Users should be instinctively drawn to the main features of the application. Important features such as Search, About, Help and other instructions should be easily visible and accessible. If the application is to be launched in non-English speaking markets, ensure that your application shows consistency in terms of messages, symbols and text. Usability testing should be done once the application is ready, but before it is made available to end users or paying customers.

Data testing is important: Data test must be a part of the test strategy and include data archival and deletion in the scope of testing. Even the most basic of applications must be tested for different carriers and operating systems, as the performance can greatly vary. For any mobile application, keep in mind the screen size discrepancies. Also, check your application for performance at different battery levels and when the user gets a message, call or MMS. The displayed messages must be concise, clear and actionable.

Learn from others’ mistakes: While developing and testing your mobile application, look at similar apps and find out, as a user, what you like and what you don’t. You can use this knowledge to include additional features and avoid mistakes. Also find out user reviews about competitor’s applications and take advantage of their weak spots. There are also some free tools available that shows the developers how well their application functions in real-world conditions. The tools score the application based on download, installation and usage, and reports the issues.

Secure applications gain customer confidence: For a startup, security testing can be daunting, and can become highly complex. However, availability, authentication, authorization, integrity, confidentiality and non-repudiation are some of the most basic testing concepts. Keep in mind that security testing can be challenging. However, investing in security testing will eventually gain customer confidence. Some of the free security testing tools and resource include Open Web Application Security Project (OWASP), Paros Proxy, Wireshark, Tamper Data, Burp Suite and SQL inject Me.

An unsuccessful first launch will cost you a lot of money and reputation. Ensure a successful launch and make a name for yourself by planning well and Testing well!

Can Automation replace manual testers?

“Is Test Automation going to help my business?”

We received this question from our customers for the umpteenth time:

To answer that question, we take a methodical approach… we assess the maturity level of the customer’s quality assurance organization. Many of the organizations do not treat Test Automation as a core practice but a supporting practice within the practice. Changing this perception and adopting Test Automation as core practice requires great shift in thinking and visualizing the benefits.

Once we are convinced with their existing practice, process and team’s mindset we recommend the test automation to our client. At this point, we face the next question:

“What is the ROI from Test Automation?”

For most of the project managers this is just a quantifiable number in terms of running more tests faster with fewer people. This number is used to justify the adoption of Test Automation in their projects. How do we arrive at this figure? There are many simple calculations in software testing organization to calculate the ROI, one such calculation is:

ROI = (Cost of manual testing – Cost of test automation)/cost of test automation

This looks simple, straight-forward and easy… this entire exercise builds a business case “We will run more test cases faster, with fewer people.

Many of the thought leaders do not completely agree with the business case and have a plethora of questions like:

“Do running more tests, faster produce better software?”

“Does manual testing and manual testers can be replaced by test automation?”

“Can we compare the cost of multiple executions of automation tests against manual tests?”

“Can we devalue the tester’s role in software testing? “

We at Idexcel believe that, Test Automation (once proven ROI is established) must be used to optimize the testing efforts but at the same time balance the Automation and Manual elements. Test Managers should not get sucked by the ROI black-hole. They should utilize their human (manual testers) element to test changes to the application (new and incremental functionality), cases that requires human judgment, situations that involve complex and implicit business knowledge. And utilize the Automation element for tests that are explicit, repetitive and black & white.

Now, coming to the subject of the blog:

“Can Automation replace manual testers?”

Our answer is a resounding NO!, especially when we are talking about applications and systems that are incrementally maturing.

When we address the automation needs of our clients, we don’t only convince our client solely on ROI. But we provide the detailed analysis of how we combine right set of tool with right set of people and process which can improve

• Reduce time to market
• Increase test efficiency
• Increase test effectiveness
• Improve test repeatability
• Decrease test defects escaping to production
• Select right set of test suite for a particular cycle
• Optimizing the test cases as software evolves
• More importantly Quality

MOBILE APPLICATIONS SECURITY TESTING- TEST FOR THE WORST

We all love apps, especially, the fancy, colourful apps, that promise all-your-problems-end here kind of euphoria. You wish! Really, as if the world could be so simple. However, some apps undoubtedly make our lives much simpler (Ahem, no pun intended).

So what types of applications are we talking about here? Well, that’s not the point. What I would like to elaborate here are the risks that come as a package with our life saving (sometimes literally) mobile apps, which threaten our identity, productivity and other areas critical for our day to day communication.

Why? What’s wrong with those lovely looking apps?

In simple terms, A LOT. In more complex terms, if your device or credentials have been compromised, you got a lot to lose. Now, picture this on a bigger scale, at the business or corporate level. The extent of loss is unfathomable if even a single employee downloads the app that gives the access of internal resources to malicious users who can then access the individual systems and get hold of confidential information. Phishers and hackers are constantly inventing newer ways to compromise such vulnerabilities related to web security. Users want more and more apps, and companies try to develop and deploy these apps quickly, which puts security in the back seat.

Top Mobile apps vulnerabilities and Dealing with them

As per the tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books, lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% apps did not encrypt data before storing it on the device and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

The report compiled by WhiteHat shows that whilst many different attack methods exist, XSS (Cross Site Scripting) is the most popular, followed by Content Spoofing. To add to this, many other attack methods, such as SQL Injections, Information Leakage, and Stolen Credentials could all be the side-effects of an XSS attack.

Reference: WhiteHat-Security Statistics report 2012 (https://www.whitehatsec.com/resource/stats.html)

The 2013 Threat Report from the Websense ® Security Labs (WSL) also revealed how often malicious apps abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks increased as the mobile devices are used for web surfing and social media more often than actually making the calls.

So let’s dig a little deeper, and understand these vulnerabilities, and best practices to deal with them.

1. Excessive Permissions and Privileges– This is one of the most serious and common vulnerability that creates a great deal of privacy concerns in the mobile devices. Applications that have more access are easy target for attackers due to broad attack surface. Applications that reside on the mobile device have excessive access privileges and permissions such as access to contact list, receiving and sending messages, update rights, location and access to other devices such as microphone, camera etc.

Best Practice– App Developers should restrict granting privileges and permissions to the applications. Users should periodically check the device setting and apps for any excess permission, and if they feel that any application has excessive access, and should invoke the access rights.

2. Malware– Just like web apps, mobile applications also use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bomb, buffer overflow etc. get discovered during dynamic analysis. This enables attacker to propagate malware and gain access to devices information without having the privileges.

Best Practices– Applications should validate all form inputs and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.

3. Ineffective Session Termination– When the user clicks logout button, the session gets terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access where attacker can access victim’s session and this can lead to identity threat.

Best Practice– After logout, always invalidate the session at the server and client side. If session has not been active for more than 15-20 minutes, terminate the session. Long sessions must be re-authenticated.

4. Buffer Overflow– Attacker uses buffer overflows to corrupt the execution stack of the application. Attacker sends the carefully crafted input to the application, and causes it to execute arbitrary code which can take over the device. The attack relies on writing data to particular memory address, or have the OS mishandle data types.

Best Practice– Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon after they occur, and prevent them from becoming serious security vulnerabilities. You can also scan your application with scanner that looks for buffer overflow flaws.

5. SQL Injection– It is used by hackers to steal data from the applications where user input is not validated. As a result, the user can inject SQL statements into the database and have them executed.

Best Practice– The only way to check if your application is vulnerable to SQL injection is by scanning it with the automated web application security scanner.

6. Bad Data Storage Practice– Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence they store sensitive information in data-stores in the devices. If data is not protected property, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including username, password, cookies, location data, personal information and application data. SQLite databases, Plist files, Log files, Binary data stores, XML data stores, SD card, cookie stores and cloud synced are the places where data is stored most insecurely.

Best Practice– Do not store data unless absolutely necessary. Scrutinize the data security API’s of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

7. Cross Site Scripting– This attack requires the user to execute a malicious URL which could have been crafted in a manner that appears to be legitimate. Attacker then effectively executes something malicious in the user’s browser.

Best Practice– Use web vulnerability scanner that checks for the XXS vulnerabilities. It will show which scripts/URLs are vulnerable to these attacks.

Some of the other common vulnerabilities include weak server side controls, poor authentication and authorization, weak or broken encryption, insufficient transport layer protection and broken cryptography. The solution to deal with these threats lies in employing a vulnerability analysis solution that can automate security quality testing.

Testing Techniques to Deal with these Vulnerabilities

The mobile applications need to be exhaustively tested for vulnerabilities that put data and device at risk. Threat-profile based test cases are used, and threat profiles are derived from different types of mobile applications. Once the vulnerabilities are identified, these need to be patched, and retested. Some of the most common testing techniques include:
Black box/Dynamic Testing– Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in the production. This testing identifies if any weakness can be exploited, or identifies the type of weakness so that human penetration tester can verify this exploitability manually.

Code Review– It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hardcoded passwords and secret keys, weak algorithm usage and hardcoded keys and data storage definitions.

Penetration Testing– For any mobile application, one of the most critical tests can be penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and few other common software attacks.

Mobile Application Security Assessment– It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them.

Failures occur, for different reasons such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from the attacks, you need to stay updated with the latest threats, and ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.

Hope for the Best, but Test for the Worst.