Monthly Archives: June 2015

SOFTWARE TESTING COMMUNITY CONTRIBUTION – 2014 HIGHLIGHTS

We started our journey in April 2014 and went through lots of changes in the way we worked, for whatever reasons. There were boring days when, at the end of the day, there was no sense of accomplishment after sitting at the office for 8 hours doing something which did not make us happy. Some people joined our team initially and then left us for good. There were non-technical problems, and I never wanted to spend more time on the non-technical part than on the technical part of running a tech start-up. The good thing is, I always fixed the problems right away and instructed the team to focus on technical things, innovation and more while I took care of things that were under my control. Thereafter, we knew what we had to do collectively as a team to rock the Software Testing space.

No projects, NO BIG DEAL!

We did not have projects for many months; maybe time was the answer. Instead of cribbing about “we are not getting projects”, we said, “FUCK, let us start with some in-house projects”, and then started to brainstorm. We started feeling happy and awesome about the time we spent at our startup. An idea hit us: “How about open-source / freeware for software testers around the globe?” And we were like, “That’s kick-ass stuff! Let us do it.” Our rock-star developers started building open source apps, and we started to release them under the MIT license. We do not like * (conditions apply) when it’s open-source / free.

Our team-members & contributors

We kick-started our journey with our first utility, developed in Python: HCE (HTML parser / HTML comment extractor). It was developed by our C, Python, and Java programmer Sandeep Tuppad. He loves neat code, and with his support we were able to release our first utility as open source on the web.

Test Insane – Software Testing Community Contribution 2014 and 2015

Later, it was a surprise when our rock-star developer Karthik Kini (The C# and the Web guy) developed RTE (RestFul Test Endpoints) and said, “Hey Santhosh, here is something I have developed and we can offer as micro-service to the world which could help developers / testers to test”. And I was like, “INSANE”.

And the BIG thing of 2014 was on the way and that was an idea about “Developing software testing mind-maps and uploading them on our own platform of mind-maps repository”. Karthik Kini being the Web Guy was agile in developing the platform and then we invited / requested testers around the world to contribute. Today, we have 100+ mind-maps and 16+ contributors who develop the testing mind-maps and then we upload them in MindMaps repository.

What’s up with 2015?

We have realized that, it is time to make MONEY now & we halt these activities it is not ONE TIME activity, but a journey where we keep contributing to the Software Testing community. The simple reason is, we love the journey of being happy in our life and contributing to the testing community in terms of open-source apps, freebies makes us feel insanely happy!

Watch out for more in 2015! We are going to explode enormously in 2015 in terms of community contribution.

Follow @testinsaneapps to keep up with the insane updates. We don’t mind if you want to follow our Facebook page as well.

Career change is not easy, but this guy does it for happiness!

Sathish Gowda switches his career from being an assistant professor in Mechanical Engineering to becoming a better Software Tester. He is currently learning and being trained on various skills at Test Insane. Here is what he answers when we throw various questions in front of him. We don’t know where he will end up, but he is happy with his decision to make a switch to Software Testing. Let’s enjoy the journey! We wish him all the best in his learning.

Please introduce yourself

Satish Gowda

Hi, I am Sathish Gowda from Bangalore: “Silicon Valley of India”. I have completed my graduation and post graduation in Engineering (Mechanical branch) from Visvesvaraya Technological University. My father is a Section Superintendent in the Police Department (Karnataka). My mother is a housewife. I had been working as an Assistant Professor in an engineering college in Bangalore for the past 3 years. And now, I am game for learning to test software.

Why were you interested to join Test Insane while you could have got good paying job elsewhere?
Test Insane is a place where they allow people to work with their “Freedom”. The previous educational institute where I worked, I was not allowed to work as I would have liked to and had to work always against my will (just needed to follow orders from the so called authority).

What are your hobbies?
My hobbies are: Playing Cricket, Riding my bike, Travelling, Going night – outs with my friends, Watching Hollywood Movies, Reading books about Indian history.

How do you know Software Testing is your passion?
I got introduced to the word, “Software Testing” by Santhosh Tuppad. Initially, I didn’t know until I and Santhosh were chatting in a restaurant, he was explaining me about Software Testing, (Ethical) Hacking etc. I just told him how I had been able to hack my ex-girlfriend’s e-mail account, and then he told me that I had a brain of a hacker and he questioned. “Why don’t you learn Software Testing?” And my response was “Okay let me do it.”

While we and you know money is important, do you think money can hold you back from doing what you love to?
Yes, money is important to fulfill our needs and desires. But, money can’t make me feel happy all the time. Can we take money with us whatever we have earned after we die? No! Not just the money, nothing can hold me back from doing things which makes me feel happy.

In 1 year from now, how do you see yourself as a software tester?

I want to be better Software Tester. I would like to see myself delivering talks about Testing, all over the globe across various conferences and software testing meet-ups.

What do you love about Test Insane? Is there anything that you hate about Test Insane?
The most important thing at Test Insane is there are no hard and fast rules. They provide us with complete freedom and allow us to do things we would like to do. There is no word called Hate about Test Insane in my dictionary.

How do you feel about other team members at Test Insane? How do they treat you?
In one word, if I want to tell about my team members at Test Insane, that would be “awesome”. My Team members at Test Insane are INSANE. Even though I am from different background they are always there to help me out regardless of whatever I ask.

What does your gut-feeling communicate about you leaving Test Insane? When do you plan to leave if you already have a date in mind? If not, why do you feel you will not quit Test Insane? 
Leaving Test Insane? My answer is NEVER. When Test Insane has provided me with the most important thing I badly needed – Freedom. Why shall I even think of quitting?

Few words about “our Founder – Santhosh Tuppad”?
Well, I know him from a very long time. I feel positive whenever I am with him. He is a source of positive energy to me. He is a “University of Testing”. The way he talks and provides motivation to whomever he meets – it’s amazing. As I know him very well he is not behind money, he does the things whatever makes him happy. He is a person who never thinks of past or future. He just lives in present. He is a guy who follows his heart always, a pure soul.

Sandeep Tuppad’s View & Experience On Mobile Application Security Testing

Smartphones and the availability of connectivity have simplified many things in our lives, whether it is navigating the streets, connecting with our friends and family, mobile banking, paying bills or booking movie tickets online. There is absolutely no limit. However, this has also made smartphone users and service providers vulnerable to security threats, whether to finances or to private information. So smartphone users and app developers need to be smarter to minimize the risks. However, most smartphone users are not tech savvy, and even if they are, they may be blissfully unaware. In such a scenario the onus is on the app developer and app security testers to ensure security. Why do I say minimize? Because there are a few of the smartest people out there who can hack into almost any software or hardware. The mobile devices which capture most of the market are Android and iOS. Other smaller players are Windows and BlackBerry. Each platform is vulnerable, some more and others less. The open source platform Android is more vulnerable compared to iOS, as Android app and OS internals are available to be understood. I also believe the app framework of Android is naturally more vulnerable to exploitation by a hacker.

Data Theft – Mobile App Security Testing

There are two players who can be impacted by the security of the app.
1) App “User” – The user of the app, running it on a mobile device or tablet.
2) App “Service Provider” or “Business” – The app provider, such as WhatsApp, a bank providing online services to users, an online food ordering app etc. These can be businesses or non-paid service providers running the servers that serve the customers using their apps.

There are two other players who need to ensure the security of the app.
3) App “Developer” – The one who develops the app for a service provider or business
4) App “Security Tester” – The one who tests the app for its intended use and vulnerabilities. Often hired by the service provider.

Security from App Users perspective:
This concerns apps in which user credentials and private information are stored on the device or on the server, where an unintended person can get access by some means. It can be the user’s login credentials, credit card or debit card details for online shopping, the user’s private conversations as in the case of a social networking app, or any other user-specific details at a more technical level which can be used by an imposter to commit fraud or harm. These are just a few examples; the list is not limited to them.

Security from App Service Provider or Business perspective:
This is the case where the app user himself/herself attempts to exploit vulnerabilities in a way that can harm the app service provider or business. Imagine an app for online shopping, where reward points are granted based on the user’s buying habits. What if the app user is able to modify the reward points by exploiting the app’s vulnerability? This would cause a loss to the business. What if an app user is able to access and modify other users’ data which he/she is not intended to access? This can cause great damage to the service provider in terms of credibility.

There is also a possibility that the app developer himself/herself has added malicious code to eavesdrop and steal sensitive data. It could be your contacts list, messages, location details, call log or anything private and confidential.

In my experience, the following are some of the many areas where an app could be vulnerable if not implemented with security in place.

| Area | What’s the risk? | Incidents I have come across? |
| --- | --- | --- |
| Device logs | It’s possible that during the development stages of the app various sensitive details which are directly or indirectly a risk are printed to the console or to some log files. The developer may forget to eliminate them and they slip into the production app. | Credit card details being logged. REST API requests and responses logged. |
| Network traffic interception and tampering | HTTP requests are unencrypted and can be intercepted and tampered with by an intruder. With stolen session data one can launch a range of attacks. This is easily possible on public or untrusted hot spots. If the user himself/herself is intercepting the traffic, whether HTTP or HTTPS (which can be decrypted by the user if he/she has the malicious certificate installed on the device), and the REST API calls are not implemented with security in mind, then he/she can cause damage to the business directly or indirectly by hacking into other users’ data. If the apps are caching the HTTP requests locally it can be a threat. | |
| Insecure data storage in files/databases | The app may store a lot of sensitive details related to the user or business on the device in files and databases. If these files can be accessed and the file contents are unencrypted it can be a risk. | Private conversations in a social networking app, which can be hidden in the UI with a password but can be read through access to the database. We can modify the conversations too. Also found the Lock Pattern password, which is stored as an array of characters. The C2DM registration ID, which can be stolen by the hacker to pose as the real user. A setting in a file which enables rewards to a user; it can be set again and again locally to get discounts. |
| Lack of binary protections and reverse engineering | If the app’s sensitive code blocks are not obfuscated then they can be reverse engineered. This would give unintended access to the app’s sensitive logic which, when understood, can lead to possible exploitations. It can also be sensitive data being leaked, not just the app logic. If the attacker is smartest he/she can modify the code with malicious logic, recompile, install and run. Think of an online shopping app which is loaded with currency. Imagine the attacker modifying the code block which verifies whether the user has sufficient balance to make a purchase. The verification can be bypassed, thereby allowing the user to shop regardless. | Email login credentials found in reverse engineered code (SMTP details). Critical code logic and sensitive strings discovered. |
| App execution control flow manipulation | Using GDB the app is run in debug mode. One can modify the variables and the control flow to exploit a bunch of possible vulnerabilities. | |
| Authentication and OTP codes | If the authentication code or user verification codes are short and there is no limit to retries, or no sufficient timeout after an incorrect authentication before the next retry, then the password can be hacked with an automated test. In simple words, it’s a brute force attack. | |
| Intra and inter app data communication | If the apps are placing sensitive data in the clipboard for later retrieval, or to be passed to another app or within the app, it’s a threat. A malicious app can read the clipboard data and dump it to a file to be retrieved by the attacker remotely, or locally when he/she has access. Data is passed between apps and between different entities within apps as intents, as in the case of an Android app. It’s possible to intercept the intent data using a malicious app installed on the device if security measures are not taken care of while implementing the app. | |
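The mitigation for the “Authentication and OTP codes” row, as an added example that is not code from the original article: a server-side verifier that caps wrong guesses, expires the code and enforces a timeout before a new code is issued. The class, function and parameter names and the limits (5 attempts, 300 s validity, 900 s lockout) are assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class OtpVerifier:
    """Server-side check of a short numeric code with bounded retries.

    max_attempts=None reproduces the weak configuration from the table
    (unlimited retries). All names and defaults here are hypothetical.
    """

    def __init__(self, digits=6, max_attempts=5, ttl=300, lockout=900,
                 clock=time.monotonic):
        self.digits, self.max_attempts = digits, max_attempts
        self.ttl, self.lockout, self.clock = ttl, lockout, clock
        self._pending = {}       # user -> [code, expiry, failed_attempts]
        self._locked_until = {}  # user -> time when a new code may be issued

    def issue(self, user):
        until = self._locked_until.get(user)
        if until is not None and self.clock() < until:
            return None  # still locked out: no fresh code, no fresh attempts
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user] = [code, self.clock() + self.ttl, 0]
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        code, expiry, _ = entry
        if self.clock() >= expiry:
            del self._pending[user]
            return "expired"
        # constant-time comparison on bytes
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]  # a code is valid once only
            return "ok"
        entry[2] += 1
        if self.max_attempts is not None and entry[2] >= self.max_attempts:
            del self._pending[user]  # burn the code after too many misses
            self._locked_until[user] = self.clock() + self.lockout
            return "locked"
        return "wrong"


def guesses_until_stop(verifier, user):
    """Test harness for a local verifier: submit 00..0, 00..1, ... in order
    and report the first non-"wrong" result and how many guesses it took."""
    for n in range(10 ** verifier.digits):
        result = verifier.verify(user, f"{n:0{verifier.digits}d}")
        if result != "wrong":
            return result, n + 1
    return "exhausted", 10 ** verifier.digits


def guess_success_probability(digits, max_attempts):
    """Chance that max_attempts distinct guesses hit a uniformly random code."""
    return min(1.0, max_attempts / 10 ** digits)
```

With a 4-digit code and no retry limit the harness always ends in "ok" within 10,000 guesses; with five attempts per code it ends in "locked" and the chance of a hit per issued code is 5 in 10,000.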

Whether it is intercepting and tampering with network traffic, accessing files and databases, launching brute force attacks, reverse engineering an app and adding malicious code to it, intercepting inter-app communication data or capturing device logs, we need tools and utilities running either outside the device or on the device. Some of these tools are sophisticated, and coming up with our own such tool may be a tough task. There are other tools which are not very complex to implement, but I would rather use them if available to save my time and effort. Those tools do have limitations in terms of the attacks I can carry out for a specific area of vulnerability. But a tool’s limitations should not limit a security tester. She/he should go beyond the tools and perform the attacks manually by other means and, if possible, implement his/her own tool, which may be generic or may have to be customized for every app to be tested for a specific area of vulnerability.

This needs the tester to educate himself/herself in the internals of the app framework and the OS architecture. With knowledge of app development one can think of the possible security holes which may slip into an app. The mobile app framework (Android or iOS) itself could have limitations in terms of the level of security in an area. So a real security tester should go beyond being just a tester and should be able to write or understand source code. Unless I know coding, how can I exploit the app by reverse engineering? I have been a developer for most of my life, and at TestInsane I am a Developer in Test and a Tester who brings a different value to testing as a developer. Security testing thrills me. Why? Because it’s challenging and feels like a treasure hunt. My experience of being a developer has truly helped me in this never-ending endeavor.
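A small purpose-built tool of the kind described above, aimed at the “Device logs” risk from the table; it is an added example, not code from the original article. It scans captured Android logcat lines (threadtime layout) for Luhn-valid card numbers and for credentials in logged REST traffic, and reports them redacted. The keyword list, function names and the sample log lines are constructed for illustration.

```python
import re

# Android logcat "threadtime" layout: date time PID TID priority tag: message
LOGCAT_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[VDIWEF]\s+(.+?)\s*: (.*)$")
# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Credentials in logged requests/responses (header, key=value or JSON style)
SECRET_RE = re.compile(
    r"(?i)\b(authorization|password|passwd|otp|cvv|session[_-]?id|access[_-]?token)\b"
    r"""["']?\s*[:=]\s*["']?(?:(?:bearer|basic)\s+)?([^\s"',;&}]+)""")

# Constructed sample: what a debug build might leave in the device log
SAMPLE_LOG = [
    "06-12 10:15:01.120  2314  2314 D CheckoutActivity: card=4111 1111 1111 1111 exp=12/17",
    "06-12 10:15:01.450  2314  2390 D ApiClient: POST /v1/orders Authorization: Bearer eyJhbGciOi.constructed.token",
    '06-12 10:15:01.910  2314  2390 D ApiClient: response {"status":"ok","session_id":"a81f09c2d7"}',
    "06-12 10:15:02.004  2314  2314 I OrderTracker: order 1234567890123456 shipped",
    "06-12 10:15:02.300  2314  2314 D LoginActivity: login user=demo password=hunter2",
]


def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_log(lines):
    """Return (line_no, tag, kind, redacted_value) for each sensitive value."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOGCAT_RE.match(line)
        # Scan only the message part, so timestamps and PIDs are never candidates
        tag, message = (m.group(1), m.group(2)) if m else ("?", line)
        for pan in PAN_RE.finditer(message):
            digits = re.sub(r"[ -]", "", pan.group())
            if luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((no, tag, "card_number", masked))
        for sec in SECRET_RE.finditer(message):
            # Never copy the secret into the report, only its length
            findings.append((no, tag, sec.group(1).lower(),
                             f"<{len(sec.group(2))} chars redacted>"))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The order number on the fourth sample line is 16 digits long but fails the Luhn check, so it is not reported; the tag in each finding points at the component whose logging has to be removed before release.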

But mobile devices come with user permissions which won’t let us access the protected file systems, access the device shell and execute privileged commands, or install new software (in the case of iOS the App Store is the only source). These operations are only available to the super user (also called the root user). So we can’t install the tools and utilities meant for security testing on the device. But can we gain super user access? Yes, we can. It’s called rooting the device. On Android it’s easier, but on iOS it depends on the release version. Apple’s iOS is not open source, so it’s the hackers who discover the iOS security loopholes to gain root access. Once a device is rooted, any third party apps and binaries can be installed and run. However, rooting comes with a risk of bricking (leaving your device un-operational, which is as good as a brick). But successful rooting is equally rewarding considering what you can achieve as a user or a security tester. From a developer’s point of view, I would say an app which needs to be implemented with a high level of security in place should be capable of discovering that the device is rooted and taking a countermeasure to mitigate the risk of being exploited ☺

Security testing is a specialized skill beyond holding a tester or developer tag. It needs time and a hunger to keep learning forever. Think of a fighter who has all the lethal weapons and knowledge of the weapons. That alone is not enough to win the battle. He needs to know how to fight using them (and without them) while continually exploring, acquiring or building and adding new weapons to his repertoire. So tools are like weapons: they help you fight better, but they are not everything.

ABOUT SANDEEP TUPPAD

SandeepTuppad – VP, Mobile Apps Testing

Sandeep Tuppad has a decade of experience in software development (Drivers & Application Software) for Consumer Electronic Devices such as Digital Television and other display devices. He has prior experience of implementing automation framework and utilities aiding software testing in the past. At TestInsane, he is responsible for exploring and implementing test automation framework, utilities, gathering knowledge and mentoring the team to enable “quality mobile apps testing”. He loves to travel and pursue outdoor adventure sports.

Follow him on LinkedIn at https://www.linkedin.com/profile/view?id=145478507

Newbie testers express their Testing Experience at Test Insane

2 Newbie Testers joined Test Insane and it is less than a month, but we wanted to know their experience in learning to test till date. Pranav KS and Sandeep Hiremath speak about their experience in testing and here we go!

What does Pranav say about his testing experience till date?

I am Pranav; a newbie at Test Insane, my experience till now with Test Insane is awesome and cool. It was pretty different from other company which makes it insane. During my initial week of testing, I found it little difficult but as days passed I was gaining more comfort by learning the process from other team members.

One of the things which I like the most is the tip of the day on software testing by Santhosh Tuppad. It really drives me to do crazy things. I am learning software testing in an insane way by creating mind maps and I also enhance my testing skills using the mind-map repository of Test Insane.

Sandeep and Satish Discussing Testing

Day by day I am improving my testing skills; I am learning new tools and by getting to know about new methodologies. I have also attended a webinar on automation of web application testing using selenium and I am learning how to create a framework for testing using selenium.

From my first few weeks of work experience with Test Insane I am confident that I would be a better tester in 1 year from now, exploring undiscovered areas in testing.

What does Freakish Tester (Sandeep Hiremath) say about his testing experience till date?

Hello, I am Sandeep Hiremath a.k.a Freakish Tester. I am one of the Team members at Test Insane and I feel very much proud on that. I am getting coached by Santhosh Tuppad. In my earlier days at Test Insane I have been trained on some basic skills like English Grammar, E-mail Etiquette, Creating Mind Maps and writing blogs. In the next stage of training I have been trained on Bug Reporting, Investigating, Bug Advocacy and Testing. It took some time for me to cope with but now I am pretty confident that I am writing good bug reports. I thank my coach for that.

My first project at Test Insane: I was scared; I didn’t know how to test, what to test, how to prepare the bug report. My coach taught me about what to do and how to do. First of all he told me there is nothing to get scared about, just prepare the bug report in your style. That moment I realized when we are fearless we can be more productive and I got confidence on myself. I started reporting my bugs and I got good feedback on my bug reports. I am practicing more to become better.

Sandeep Hiremath at Starbucks

Focus and Practice are the two important factors to master any skill; this is what I learned at Test Insane. I am upgrading my skills; I practice whatever I learn while working, which helps me to master the skills. I am learning automation, I am learning coding and I feel like a pro techie. Learning is fun at Test Insane. We discuss things / topics over a chilled beer, pizza, juice, green tea etc. I feel like a rock-star at office. I am very happy that I can be myself at my work place.

Interesting things at Test Insane: Pizzas, Drinks, Fun, Discussions, Learning, Sharing knowledge, Helping others to grow, Working as a team, and Freedom. We have an electronics lab where we develop robots; we have dart-board, remote controlled helicopter and lots more interesting things. I forget the outside world when I am at office as its really cool place to work and learn.

Monthly meetups / workshops happen at Test Insane. The meetups / workshops are about Testing. You can learn, discuss, meet new people, and you can share your thoughts over a pizza, beer, coffee, tea, juice ☺ I love these meet ups and workshops, if you want be the part of an upcoming meet up or workshop please visit http://testmaniac.com/ and register yourself to feel the Insanity.

Santhosh Tuppad: The important question that I always ask my team members is, “Are you happy?” And I ask this a lot of times. Its a mental health-check that I do so that we have great energy filled when we are at our workplace. And if there are any issues with the happiness part, I try to help them resolve it as soon as possible. I wish these two newbie testers a  great journey in testing.

A fresh mind joins Test Insane to help it grow insanely!

Pranav KS is our new team member who joins us to add value to our team. The beautiful point about Pranav is, he spoke about his technical experiences related to web apps and mobile apps, and that was found as very impressive by me (Santhosh Tuppad). Let him speak for himself while we interview him here on our blog.

Please introduce yourself

Pranav KS Joins Test Insane Technologies

Hi! I am Pranav. I am from a vibrant town called Salem, Tamil Nadu, where I completed all my schooling and graduation. I did my schooling in a renowned school, Golden Gates, and I am a computer science graduate. My dad is an enthusiastic businessman running a readymade garment showroom in Salem. Mom is also involved in the same business. I have one elder sister working as a software tester in a leading MNC. I like practical learning more than theoretical, so my marks in practical exams were much higher than in theory. I started my career as a technical recruiter in a CMM Level 5 company. Though the job was interesting, it was not my passion, because I felt that there was less learning in the job and it was a night shift, which didn’t suit me. The nature of my sister’s job as a tester inspired me to enter this testing field.

Why were you interested to join Test Insane while you could have got good paying job elsewhere?
Testinsane is an innovative concern, catering to my passion testing. Money is vital but freedom and passion matter the most for me. In TestInsane I get to learn many interesting things of my passion. In TestInsane, the work atmosphere is very friendly and cordial and I never feel that I am doing something difficult. I get a feeling that I am sitting in front of desktop in my home. TestInsane is filled with many young and innovative minds which make me feel energetic. So  TestInsane is the right place for me.

What are your hobbies?
I love to play mobile games where I can learn many things, such as Cisco NetInvader. I love to travel and explore different parts of the world. I like to read tech news and keep myself updated about the latest technologies, and I also love to play table tennis with friends.

How do you know Software Testing is your passion?
Since my childhood I have loved to meddle with things. For instance, when I was a child I repaired a digital clock just by removing its parts and making some changes without knowing the exact functioning of the clock. Fortunately the clock started working, so I feel testing is my passion, which is similar to meddling with software. While testing something I never get bored; I feel like I am playing table tennis. Testing sounds very interesting to me, so it is my passion.

While we and you know money is important, do you think money can hold you back from doing what you love to?
Yes, money is important to fulfill my day-to-day needs, but happiness is more important. There is a quote: “Money has never made man happy”. Money can never stop me from doing the things I love, because it doesn’t give me happiness and satisfaction.

In 1 year from now, how do you see yourself as a software tester?
In 1 year from now I see myself as an expert well versed in testing. I would like to see myself presenting at international conferences on software testing around the world. I would also like to give a new dimension to the testing field, unexplored by others.

What do you love about Test Insane? Is there anything that you hate about Test Insane?
I love the work environment of Test Insane; it is pretty unusual, which makes it insane. At TestInsane, I am given the freedom to take decisions and there are no hard and fast rules, rankings etc. The methodologies at TestInsane are unique, which I love very much. There is nothing I hate about TestInsane.

How do you feel about other team members at Test Insane? How do they treat you?
They are very friendly and cordial, always there to guide me and help me out. They don’t show any seniority and they give equal importance to everyone.

What does your gut-feeling communicate about you leaving Test Insane? When do you plan to leave if you already have a date in mind? If not, why do you feel you will not quit Test Insane?
Doing what I want to do, I would never think of leaving TestInsane; such a thought hasn’t come to my mind. Exploiting the field I love without any restriction is the reason behind me not leaving TestInsane. I look at TestInsane as a gold mine which would take me places and help us achieve new heights together as a team.

Few words about “Our Founder – Santhosh Tuppad”?
Santhosh Tuppad looks at the world in a different dimension. For instance, my interview with him at Coffee Day tells how different he is. He respects people who take decisions by themselves. He lives in the present and doesn’t think about the past and future. Santhosh Tuppad is an expert in security testing, blogging and hacking, and he is a vibrant speaker. I see him as an icon, a dada who would like to help people craft their future in a different way. I would thank him for giving me this wonderful opportunity to be a part of his unique team. Santhosh Tuppad is incomparable, which makes him an idol.

We are proud to have Pranav KS in our team. While he adds value to our test team, we make sure that we help him every way to become happy in his life through his learning, thought process and finally loving himself for what he is as “Being You” is highly respected at TestInsane.