Cloud Computing for Mobile Application Testing
Using a public cloud has become a popular option for mobile application testing. Whether it’s a cloud-based testing-as-a service provider or devices being accessed via public cloud for in-house mobile app testing, the reason cloud-related options are so popular is obvious: all the benefits of having your own data center with none of the hassle – at a fraction of the cost.
While mobile application testing in the cloud may be an attractive option, there are a few important issues to consider when it comes to accessing mobile devices via public cloud.
Why Public Cloud Services Aren’t 100% Secure for Mobile Application Testing
As with any other process that isn’t kept strictly on-site, cloud-based device access involves security risks—often in ways that are not immediately obvious. While public clouds are a good option for some companies, those that are highly security conscious need to do their due diligence. Just like any other process that occurs outside of your four walls, public device clouds and cloud-based testing services are not 100% secure. However, there are steps you can take to ensure a public-cloud solution is as secure as possible.
For starters, you can control how you connect to your testing provider or the devices you access for testing purposes. Look for providers that give you the option to connect via secure connection. In addition, ask if data is sent data back and forth in encrypted form, since that’s the most secure approach.
Remember that a public cloud of mobile devices usually means the devices are shared and access is typically managed with a subscription-based model. Since devices are truly available for public use, other developers and testers have used or are using the same devices you’re accessing. If those devices are returned to an available status without being properly wiped or restored to their original configuration, the next user to access the device can see the things you have done on the phone or tablet. For instance, if you are testing your mobile Website, it is possible that the Web history will remain on the device. If you have loaded your app for testing, it could still be running on the device. Think of the security ramifications that can have for banking, healthcare or insurance-related data made available via that app under test.
Is Your Data Stored Securely Enough?
Most people in enterprise organizations know the importance of encrypted communications. Unfortunately, not everyone remembers to encrypt the data once it’s in its new “home.” When working with publicly hosted devices, it is important to figure out where your data and/or test cases are stored. A good strategy is to choose a cloud provider that lets you store your tests locally and execute them against the cloud-based devices. This way there is no chance that test and business requirements can be viewed by any other party that also has access to the system. In addition, you have to consider where and how your test results are stored. Sometimes the test results will contain sensitive test data that you’ll want encrypted before storage.
Along the same lines, consider the following: are your applications being stored in the cloud and loaded onto the devices? What are the data retention policies of the cloud providers you’re considering? Can your app be exposed to competitors that are using the same cloud provider? We recommend selecting a cloud provider that has a policy to delete any data remaining after device access and that all accessed devices are completely wiped. If these steps are taken, the chances of another party accessing your data via use of the same device are virtually eliminated.
All of these points are critical when running tests in the cloud. Keep in mind that there are also laws that regulate where and who can access data in an organization. For instance, when dealing with financial data SOX regulations state that there must be controls for the way the information is used and stored. In the healthcare field, HIPAA stipulates various privacy standards that include the transmission of health information in electronic, paper and oral forms. Organizations that deal with patient and health-related information need to certify they are in compliance with HIPAA requirements. These privacy-related safeguards also extend to any cloud provider(s) those organizations may use, meaning the HIPAA compliance measures need to be in place on the cloud provider’s side as well.
As you weigh your options for cloud-based services and device access, keep the following tips in mind:
- Make sure that any hosting provider you are considering has appropriate security measures in place to protect your data.
- Evaluate who manages the cloud provider’s facilities: are the facilities managed by the provider itself or by their partners? A partner-managed facility can enable yet another company to have access to your sensitive data, introducing one more possibility for a data breach.
- For providers that offer device access, ask if they can segregate the devices you access, which can ensure more secure, private use.
- Ask if cloud-based device providers offer site-to-site VPN access to the device servers in your infrastructure. This adds an additional level of protection of your data.
Why Many Cloud Testers Use Jailbroken or Rooted Devices to Facilitate Mobile App Testing – And Why You Shouldn’t Let Them
Even with cloud computing safeguards and backup plans in place, there are still risks to using the public cloud for mobile application testing. If you use a mobile app testing service that tests your app via cloud, there is a good chance your app is being tested on a device that has been jailbroken or rooted.
Jailbreaking can be considered a copyright violation per the Digital Millennium Copyright Act, depending on whether the device is a smartphone or a tablet.
In addition, an app running on a jailbroken or rooted device may perform differently on a device that hasn’t been compromised. Many early Apple® application developers learned this first-hand. Applications that worked just fine on jailbroken iOS devices ran erratically (or not at all) on non-jailbroken versions of the same device (which are more commonly used).
Even if your app failure isn’t quite as dramatic, testing on jailbroken devices doesn’t give you an accurate representation of how your application works in the field. It also involves using unsecured code that was likely created by hackers – code that your testing-as-a-service provider may not have properly reviewed.
With normal cloud computing, the information and resources you use usually are not shared with other companies. The virtual servers you deploy are deleted when use is completed and those servers are not re-used by other subscribers to the cloud. With mobile device clouds, however, this is not the case. The mobile phones and tablets are physical devices that are shared and recycled between customers. Because of this, you should usea higher level of scrutiny and caution when determining if using the public cloud meets your needs.[social-bio]