Discussion on Automate Testing of Secured Mobile Apps by Karen Hsu | Testμ 2024

Automated testing is essential for today’s CI/CD pipelines, but secured mobile apps present unique challenges that traditional methods often can’t address. Karen Hsu, SVP of Mobile DevOps and Security Solutions at Appdome, will share strategies for automating the testing of mobile apps with advanced security features.

Learn how to streamline testing for both protected and unprotected builds, enhance coverage across various devices and OS versions, and boost efficiency by automating tests and getting immediate feedback. Karen will also demonstrate a real-world automation flow using LambdaTest, providing practical solutions to overcome security challenges.

Don’t miss this opportunity to transform your mobile app testing process!

Already registered? Share your questions in the thread below.

If you’d like to chat, please email me at karen@appdome.com or come by our booth: https://www.airmeet.com/event/8bf33740-41e6-11ee-a420-4b6bb1bf5f61?booth=6643232d9087de51a082518a

Hi there,

If you couldn’t catch the session live, don’t worry! You can watch the recording here:

Here are some of the Q&As from this session:

Do we as testers need to become part-time cyber security experts in order to keep up with industry demand?

Karen Hsu: While testers don’t necessarily need to become full-fledged cybersecurity experts, having a strong understanding of cybersecurity principles is increasingly important. As the industry emphasizes security, testers need to be aware of common vulnerabilities and security best practices to ensure that the applications they test are robust against potential threats. This knowledge helps testers collaborate more effectively with security teams and contributes to more secure software development overall.

Is Appdome compatible with chaos engineering practices, which can sometimes seem like a risky strategy for testing (especially with compliance considerations)?

Karen Hsu: Yes, Appdome can be compatible with chaos engineering practices. However, it’s important to carefully manage the risks, especially concerning compliance. Chaos engineering involves intentionally introducing failures to test the system’s resilience, which can be valuable in assessing the security and stability of mobile apps. When using Appdome, it’s essential to ensure that these practices do not conflict with security and compliance requirements, and that they are implemented in a controlled and well-monitored environment.

Here are some of the unanswered questions from the session:

How can we avoid flaky tests?

What are some common pitfalls in automating the testing of secured mobile apps, and how can they be avoided?

What strategies can be employed to automate penetration testing for secured mobile apps?

How do you address the challenges of automating tests for multi-factor authentication and biometric security features in mobile apps?

Do we need security testing for the builds which are going to be deployed in totally offline environments/dark sites?

Are the current OWASP Top Ten still relevant in 2024 in your opinion?

Hi Karen, in mobile automation we often rely on various dependencies such as Maven, Gradle, npm packages, and plugins. How can we effectively assess and ensure the security of these dependencies to safeguard our automation processes?

What data visualization tools are the most helpful and/or efficient for testers of secured apps?

Here are the answers to the above questions:

Flaky tests in mobile app automation, particularly in secured mobile apps, can stem from various causes like unreliable network conditions, timing issues, or complex security workflows. Karen emphasized the importance of leveraging robust frameworks with clear retry mechanisms and ensuring test isolation. Avoiding unnecessary dependencies and using mock services or stubs can help mitigate environmental flakiness. Additionally, synchronizing tests with app behaviors through proper waits (explicit or fluent waits) rather than hard-coded delays can improve test reliability. She also recommended regular test maintenance and reviewing failing tests to distinguish between real issues and flakiness.

Karen pointed out several pitfalls:

  1. Overlooking Security Features: Automation often focuses on functionality, but for secured apps, it’s critical to also validate encryption, secure storage, and communication protocols. She suggested automating end-to-end security checks alongside functional tests.
  2. Complex Authentication Flows: Handling multiple authentication layers like MFA and biometric security can be complex in automation. Karen recommended incorporating API-level testing to bypass certain manual steps and reduce complexity.
  3. Lack of Device Coverage: Secured apps need to be tested across different OS versions and devices to account for varying security implementations. She advised using cloud-based testing platforms like LambdaTest to simulate various environments efficiently.
  4. Test Data Leakage: Storing sensitive data in test logs can be dangerous. Karen advised adopting data masking and secure storage practices, ensuring no sensitive data is exposed during automation.

As per my own experience, automating penetration testing requires specific tools and strategies to simulate real-world attacks while ensuring app integrity. Karen mentioned the importance of integrating dynamic application security testing (DAST) tools that are designed to test apps in real time by attacking them during runtime. She also suggested integrating security scanners in CI/CD pipelines to catch vulnerabilities early. Leveraging Appdome’s security solutions, which automate security verifications as part of the mobile DevOps process, was highlighted as a way to streamline penetration testing without manual intervention.

Automating MFA and biometric authentication can be challenging due to the manual nature of these features. Karen suggested:

  • Mocking Authentication: For MFA, she recommended mocking the second-factor authentication, especially in test environments. APIs can be used to simulate OTPs or push notifications, allowing tests to continue without manual input.
  • Biometric Testing Frameworks: For biometric security, frameworks like Appium’s biometric authentication features can simulate fingerprint or face recognition, making it possible to test these flows automatically.
  • Cloud Platforms: Testing on cloud platforms like LambdaTest ensures you can automate across a range of devices that support these authentication methods.

Do we need security testing for the builds which are going to be deployed in totally offline environments/dark sites?

I think yes, security testing is still essential even for builds deployed in offline or dark site environments. Karen emphasized that offline environments can still be vulnerable to internal threats, such as physical access, USB-based attacks, or insider threats. Therefore, ensuring that the app’s local encryption, secure data storage, and device-level protections are robust is crucial. Regular penetration tests and code audits are needed, even for offline builds, to identify potential security loopholes.

According to Karen’s session, while the OWASP Top Ten continues to be a solid foundation for understanding common security vulnerabilities, it’s essential to recognize emerging threats, especially with the rise of mobile app attacks. The OWASP Mobile Top Ten is more focused on mobile-specific threats such as improper platform usage, insecure data storage, and lack of binary protections. Karen emphasized that while the OWASP Top Ten remains relevant, security teams should also adapt to evolving threats in the mobile app ecosystem, focusing on cryptographic failures, supply chain risks, and API security in 2024.
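One way to put the data-masking advice from pitfall 4 into practice, and to keep the simulated OTPs from the MFA-mocking point out of CI logs, is a logging filter that redacts secrets before any handler writes them. This is an added example, not code from the session, Appdome or the original post; the regex patterns, the `mobile-tests` logger name and the sample messages are constructed for illustration.

```python
import logging
import re

# Constructed patterns for secrets that commonly leak into mobile automation
# logs: bearer/session tokens, OTP codes and password fields. A starting point
# to extend for your own app, not an exhaustive list.
_SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" headers echoed by HTTP client logging
    (re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    # key=value / key: value pairs such as "otp=123456" or "password: hunter2"
    (re.compile(r"((?:otp|code|password|passwd|token)\s*[=:]\s*)[^\s,;&\"']+", re.I),
     r"\1[REDACTED]"),
    # JSON bodies such as {"otp": "123456"} captured from API-level MFA mocks
    (re.compile(r'("(?:otp|password|token)"\s*:\s*")[^"]*(")', re.I), r"\1[REDACTED]\2"),
]

def mask_secrets(text: str) -> str:
    """Return text with every matched secret value replaced by [REDACTED]."""
    for pattern, replacement in _SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class SecretMaskingFilter(logging.Filter):
    """Redacts secrets before a record reaches any handler (console, file, CI)."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so secrets passed as %-format args are caught too.
        record.msg = mask_secrets(record.getMessage())
        record.args = ()
        return True  # never drop the record, only sanitise it

def masked_log_line(msg: str, *args) -> str:
    """Build a record the way logger.info(msg, *args) would and return the
    sanitised text. Lets the behaviour be checked without wiring up handlers."""
    record = logging.LogRecord("mobile-tests", logging.INFO, __file__, 0, msg, args, None)
    SecretMaskingFilter().filter(record)
    return record.getMessage()

def build_test_logger(name: str = "mobile-tests") -> logging.Logger:
    """Logger whose handler masks secrets; attach once at test-session start."""
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.addFilter(SecretMaskingFilter())  # handler-level filter also covers child loggers
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger

if __name__ == "__main__":
    log = build_test_logger()
    log.info("login for user=alice otp=%s", "123456")
    log.info('MFA mock replied {"otp": "654321", "ok": true}')
```

Attaching the filter to the handler rather than the logger matters: logger-level filters only see records emitted directly on that logger, while the handler sees everything that propagates through it.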