A few things a tester should say more often!

I planned to type it out, but then I wanted to share how the thoughts were written and how they look in reality.

Here are 15 things testers should say more often (credit: Kid President; the original post carried the list as an image):

We say many things often, but there are always a few that affect our day-to-day activities, and those are the things we usually don't notice.

Please ignore any formatting issues; I am posting this from my mobile app.

Reverse engineering :: Android App

Reverse engineering is the process of examining and analysing the structure, information and data used by a piece of software. We don't just break software; we help our customers understand the risk of having information and details exposed. Let's see how an Android package (.apk) can be reverse engineered.

The source has it all: algorithms, API keys and endpoints, server configuration, hints about the database and its structure, and so on.

Tools required:

1. dex2jar (converts a Dalvik executable, .dex, into a .jar)

2. JD-GUI (Java decompiler with a graphical user interface)

What are we going to investigate:

1. Whether the app uses 9-patch images (learn about 9-patch images here)

2. Source-code obfuscation (the post below calls this "encryption", but what ProGuard does is renaming, not encryption)

3. Third-party SDKs and their versions (teams rarely keep third-party SDKs updated). Check the latest releases here:

  1. Facebook
  2. Twitter
  3. Google

4. ProGuard, a shrinking and obfuscation tool for Android apps (it obfuscates; it does not encrypt).

First, a brief note on what an APK is and what it consists of.

APK stands for Android application package. When an app is installed from the Play Store it is stored as an .apk file on the device's filesystem. An .apk is a zip archive holding the compiled code (classes.dex), the resources, assets and the manifest; the system places these appropriately and uses them when the app runs.

Step 1:

Get the APK of the app you need to work on. There are several ways to extract it. The simplest is to install an APK extractor app from the Play Store, select the app, and copy the extracted .apk to your local system. (If you have adb set up, "adb shell pm path <package>" prints the path of the installed APK and "adb pull" copies it out.)

Step 2:

Extract the APK. Since an .apk is a zip archive, 7-Zip can open it; extract it to a folder that is easy to reach. (We have a real habit of clicking "Next" without reading whatever message the software is trying to convey, so read the prompts.)

Step 3:

To verify whether 9-patch images are being used.

Open the extracted folder and you will find a folder named "res" (resources).
Resources hold all the icons, images and graphical elements, split into per-density folders (drawable-mdpi, drawable-hdpi, drawable-xhdpi and so on). Here is an example.

Read about the different image densities and resolutions to use here: Supporting different screen sizes

When 9-patch images are used you will see files ending in .9.png inside the drawable folders, and some of the per-density folders above may be missing, since one stretchable image can serve several densities.

9-patch images can be recommended to reduce the size of the application, and the recommendation carries more weight when we can show how competitors make use of their resources.

 

Dependencies:

Android runs on many devices with many screen sizes, and there are situations where 9-patch images might not work. Ask the technical team why 9-patch images are not being used; if we can help them understand the effort, time and problems that 9-patch images would save, boom! Value...

Source-code obfuscation:

Android executes apps on a runtime: the Dalvik virtual machine (DVM) on older releases and ART on newer ones. When Android code is compiled, the Java classes are converted into a .dex (Dalvik executable) file, classes.dex, which is what the runtime loads; the resources and images are packaged alongside it in a form the system can detect and use.

Check out some information here: design and structure, code / wiki / other documentation

Please proceed with steps 1 and 2.

When the extracted folder is opened, the DEX file has it all: classes.dex holds the compiled code (large apps may also ship classes2.dex, classes3.dex and so on).

Copy the .dex file, open the dex2jar folder, and place the .dex file inside it.

Finding classes.dex

Open a command prompt:

Navigate to the dex2jar folder.

Tip: hold Shift and right-click inside the folder, and you can open a command prompt there directly.

Enter the command below:

dex2jar.bat classes.dex

(Newer dex2jar releases name the script d2j-dex2jar.bat, or d2j-dex2jar.sh on Linux and macOS, and accept the whole .apk as input as well as a .dex file.)

The conversion starts and you should see "success" at the end. There are several scenarios in which it fails (for example, the dex file may be huge, or several classes may be encrypted or unlinked from the actual source). Please share the failures with me or Google; we could fix them together.

Opening the .jar file.

A jar file named classes_dex2jar.jar will be created inside the dex2jar folder (newer releases name it classes-dex2jar.jar).

 

It's time to look at the source...

Open JD-GUI and just drag and drop the .jar file onto it.

You will see all the class names and the decompiled source, with the APIs being used and a lot of other information. Please dig deeper into understanding the source.

Obfuscated source: if the source has been obfuscated, you will see "a, b, c, 1, 2, 3" as the main class names, and subclasses, abstract classes and public classes will likewise be reduced to "a", "b" and "c" instead of their intended names. Note that this is obfuscation, not encryption: the bytecode still runs as-is and can still be read; it is just much harder to follow.

 

Hey wait, are we done? We got the source; should we just report that?

We can recommend a possible and readily available answer: ProGuard, which shrinks the app by removing unused classes, fields and methods, optimizes the bytecode, and obfuscates what remains by renaming it to short meaningless names, making the code hard for someone to understand. It takes just a few lines of build configuration, and crackers have to work harder. Keep in mind that obfuscation only raises the effort: API keys, endpoints and other secrets embedded in the app can still be recovered from the decompiled code, so they should not be shipped in the app in the first place.

Verify the third-party SDKs for their versions and other details.

The build properties vary from SDK to SDK. For Facebook, it is right in the top-most layer, in the package named for the Facebook SDK, where the SDK version is defined. Most SDKs are similar.

The Facebook SDK version in use can be checked against the current release. When we recommend upgrading to the latest version, we are also responsible for telling the stakeholders why: we can point to the changelog or the fixes in the latest Facebook SDK version compared with the one in use. We don't even have to write it up ourselves; we just paste the link to the page where the SDK releases are published.
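The checks above (9-patch images in res/, the classes.dex file(s), whether class names look obfuscated, and which third-party SDKs are bundled) can be scripted instead of clicked through. Below is an added example, not code from the original post or from dex2jar/JD-GUI. It reads the APK as the zip archive it is, scans the dex bytes for class descriptors with a regex rather than parsing the dex format, and reports the share of the app's own classes with one- or two-letter names, which is what ProGuard-style renaming produces. The app package prefix (Lcom/example/app/), the SDK package prefixes, and the sample APK built by build_sample_apk() are assumptions for the demonstration; the sample's "classes.dex" is only a byte blob carrying descriptor strings, not a valid dex file. SDK version numbers still have to be read from the decompiled source in JD-GUI.

```python
"""Quick static triage of an Android APK: 9-patch usage, dex files, obfuscation, third-party SDKs."""
import io
import re
import zipfile

# Class descriptors as stored in a dex string table, e.g. b"Lcom/facebook/FacebookSdk;".
DESCRIPTOR_RE = re.compile(rb"L[A-Za-z0-9_$]+(?:/[A-Za-z0-9_$]+)*;")

# Package prefixes of the third-party SDKs the post checks for (assumed, common ones).
THIRD_PARTY_PREFIXES = {
    "facebook": "Lcom/facebook/",
    "twitter": "Lcom/twitter/",
    "google": "Lcom/google/",
}


def extract_descriptors(dex_bytes):
    """Pull class descriptors out of a dex blob with a byte regex (no full dex parse).

    A real dex string table stores descriptors as length-prefixed MUTF-8, so scanning
    the raw bytes finds them; good enough for triage, not a substitute for decompiling.
    """
    return {m.decode("ascii") for m in DESCRIPTOR_RE.findall(dex_bytes)}


def simple_name(descriptor):
    """'Lcom/example/app/c$1;' -> 'c' (outer class name without package or inner-class suffix)."""
    return descriptor[1:-1].rsplit("/", 1)[-1].split("$", 1)[0]


def obfuscation_ratio(descriptors, app_prefix):
    """Share of the app's own classes whose outer name is one or two characters long.

    ProGuard/R8 rename classes to a, b, c, ..., so a ratio near 1.0 means the code was
    obfuscated and near 0.0 means readable names shipped.
    """
    own = [d for d in descriptors if d.startswith(app_prefix)]
    if not own:
        return 0.0
    short = [d for d in own if len(simple_name(d)) <= 2]
    return len(short) / len(own)


def inspect_apk(apk_bytes, app_prefix):
    """Run the post's checks over an APK given as bytes and return them as a dict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        descriptors = set()
        for n in dex_names:
            descriptors |= extract_descriptors(z.read(n))
    nine_patch = sorted(n for n in names if n.startswith("res/") and n.endswith(".9.png"))
    drawable_dirs = sorted({n.split("/")[1] for n in names if n.startswith("res/drawable")})
    third_party = {
        lib: sorted(d for d in descriptors if d.startswith(prefix))
        for lib, prefix in THIRD_PARTY_PREFIXES.items()
    }
    return {
        "dex_files": dex_names,
        "nine_patch": nine_patch,
        "drawable_dirs": drawable_dirs,
        "obfuscation_ratio": obfuscation_ratio(descriptors, app_prefix),
        "third_party": {lib: classes for lib, classes in third_party.items() if classes},
    }


def build_sample_apk():
    """Constructed sample for offline runs: a zip laid out like an APK, not a real app.

    The 'classes.dex' entry is only a byte blob carrying the descriptor strings a real
    string table would contain; it is not a valid dex file.
    """
    fake_dex = b"dex\n035\x00" + b"\x00".join([
        b"Lcom/example/app/MainActivity;",
        b"Lcom/example/app/a;",
        b"Lcom/example/app/b;",
        b"Lcom/example/app/c$1;",
        b"Lcom/facebook/FacebookSdk;",
        b"Lcom/google/android/gms/common/GoogleApiAvailability;",
        b"Ljava/lang/Object;",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"(binary XML placeholder)")
        z.writestr("classes.dex", fake_dex)
        z.writestr("res/drawable-hdpi/button.9.png", b"\x89PNG placeholder")
        z.writestr("res/drawable-xhdpi/logo.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys

    # Usage: python apk_triage.py [path/to/app.apk] [Lcom/your/app/]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    prefix = sys.argv[2] if len(sys.argv) > 2 else "Lcom/example/app/"
    print(json.dumps(inspect_apk(data, prefix), indent=2))
```

On the constructed sample the report lists classes.dex, one .9.png under res/drawable-hdpi, an obfuscation ratio of 0.75 (three of the four com.example.app classes are single letters) and the Facebook and Google classes that were bundled. Run it against a real APK pulled from a device to get the same report; a ratio near zero on a production build is the finding to raise, and the third-party list is the starting point for the version check in JD-GUI.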

Share your thoughts and we could discuss more about it.  I will write more about testing android apps in the coming days.

Have a great day ahead!


Google Shames Apple’s iOS For Adding What Android Did Years Ago

TechCrunch

Apple’s Tim Cook insulted Google at WWDC earlier this month saying “Android dominates the market in malware”, and quoted an article calling the fragmented open operating system a “toxic hellstew of vulnerabilities.” Well Google punched back this morning at its I/O conference when Sundar Pichai put up a slide showing Android’s progress over the years, noting “If you look at what other platforms are getting now, widgets, custom keyboards, many of these things came to Android four, maybe five years ago.”

And the Google fanboys and fangirls went wild.


“Test” Crash Investigation

Hello Readers,

I would like to share a few of my moments that I think have a strong connection between the way we are and the way we are supposed to be. I have been watching Air Crash Investigation since the age of 11, whether or not I understood it. It has always been interesting for me to watch every episode.

Investigation seemed to me like "testing after" the risk has arrived

The investigation that takes place after every complex incident has provided vital and crucial clues to the accidents that could otherwise follow as a chain reaction. Every "bug" found and reported has helped some part of aviation evolve, clearly a new dimension of testing for every risk that arises.

In an air crash investigation, every part of the plane and every clue can help the investigators understand the whole problem and solve it, or change the architecture. The investigators articulate every moment, come up with great ideas, and emulate the process of the accident. This caught my attention: every part of it is crucial, and even a slight change can end in severe loss of life.

Computers play the majority role in aviation, and failures split into two kinds: "human (pilot) error" and "system error". The same holds for everything in this world.

We test software that is used by millions and has a huge impact on people's emotions, businesses, markets and so on. We have everything under our control before it impacts a hundred people, whereas it's not the same with an aircraft: simultaneous decision making and different levels of planning are what get the pilots into the safe zone.

It's no different from the death of a hundred people

  • Recover the black box (flight data recorder)

Our black box is nothing but our test design. When our product is live and we observe a high-severity bug, our black box should help us determine exactly where our data was misplaced; the missing piece of our design may have caused the bug, we recover it and crack the puzzle of fixing it.

  • Proofs & witnesses

Well, sometimes we testers tell the developers or the team about a bug and don't really document it. There has to be some proof, with some acknowledgement from the other party, in order to be precise, and it may help in finding the clue to what happened.

  • Join the pieces

The investigators try to put the whole plane back together to understand the cause. We likewise want to join the pieces of information to determine the severity and help our business understand it; while we do that, we also clear up the priorities by eliminating the factors that don't matter. This is the approach every investigator takes to solve a problem.

  • Specialization

There is more than one factor and more than one field that may need investigation. For example, a "bird strike": on September 22, 1995 a Boeing E-3 Sentry struck a flock of geese on take-off, lost both engines on one wing, and crashed, killing all 24 on board. Over 50 accidents have been attributed to bird strikes, but this one was unique: the damage came from a lightweight goose, and the structure of its bones was what made the difference. This particular scenario needed a different kind of expertise, biology. Finding the right expertise at the right time can be what separates a matter of time, a plan and an accident.

  • Take off and landing

While most of the flying is handled by the aeroplane itself, take-off and landing always need human effort. The value that humans add is critical, no matter what! In the end humans are blamed, not the system; even when the system is blamed, it was designed by humans. We define the system and do not allow machines to override us.

The first airliner designed to override pilot inputs was the Airbus A320 with its fly-by-wire envelope protection, and on 26 June 1988 an Air France A320 crashed at Habsheim, taking three lives. The case went through a lot of crisis and political argument, and the debate centred on the override and the delay in the aircraft's reaction that led to this incident. You could watch the episode here.

  • Team and reporting

Investigators have a habit of assigning specific tasks to specific people so that they get the coverage and near the solution within the given and estimated time. This gives them a whole lot of power to explore the deepest and the widest; clearly the best way to tackle problems. Our team and our tasks decide the coverage and depth of our investigation towards solving our customers' problems.

  • Reporting and conclusion

After months of investigation, the final report, drawing on different sources with great insight, highlights the problem found in the aircraft that was responsible. It has to be really precise, and it has an impact on different organizations, methods, designs and practices compared with the existing ones.

Everything should change over the period of time

  • Recognition and penalty

Investigators are often punished for the way in which the problem was handled, unexpected and inevitable as it was, while the opposite has to be praised, so that their story becomes a lesson to others.

I have always been interested in air crash investigation and would like to do it one day (sooner or later). However, I am already an investigator, helping my customers understand the risks and the various influential factors. I have been practising by picking up a crash or accident and coming up with scenarios, stories, tools, possibilities and so on, and this has helped me improve in several areas.

Thank you for reading this post. Comments and suggestions are welcomed.

Have a great day!


Pho”test” o’graphy!

Wooohoo,

I added a new category, "Photography"; this has been my interest, and I feel peaceful when I do it. When I learned about photography, I found I could relate it to testing.

Here is how,

When I started with both photography and testing, I had no idea how either of them was supposed to work. But I had the mindset to learn and get better. I faced lots of hindrances and lacked resources. I found that every single, simple opportunity will overcome all the obstacles, starting from a teacher, tools, environment and the courage to do things in the right situation. It's clearly my responsibility to fix that, and I have been treasure hunting in every activity I do; I have been trying to hack out the hidden treasures!

This has nothing to do only with photography; it's again a life hack to connect the dots. I did it with my interest, with interest! 🙂

The message is,

We are all being given opportunities, knowingly or unknowingly; we need to find them and use them wisely. After the above lecture, don't forget to see my photos, captured using my phone (a Moto G, to be specific) with some editing. I learned the RULE OF THIRDS and the RULES OF COMPOSITION.

Not all the photos may follow the rules exactly; I have tried my best to learn.

Device used: Moto G

Watch!

This was taken at 12 PM with f/2.4, exposure 1/926 s, dimensions 2592 x 1456

Autogreen!

Same f-stop as the picture above, exposure 1/10 s

Violence against women and girls!

Same f-stop, exposure 1/264 s

Yummy, Donuts

Same f-stop, exposure 1/17 s

Hell freezes over eagles, Hotel California

Same f-stop, exposure 1/17 s

Donut, Choco filled!

Same f-stop, exposure 1/180 s

Drawings!

Same f-stop, exposure 1/10 s

Ugadi special, Leaves!

Same f-stop, exposure 1/20 s

Happy learning! 🙂