Sunday, April 20, 2008

Testing J2ME applications

Some tips for testing your J2ME mobile application.

If you plan to sign your application:
  1. Most probably there will be problems with various vendors and operators (because there is no standard for which root certificates must be installed on phones). Be sure to check that it is possible to install your application on the target phones and in the target markets.
  2. If there is no specific reason to sign the application, leave it unsigned. You will save money and testing time.
If your application will use the network:
  1. Check how the application behaves on different networks, as there could be differences (timeout settings, port restrictions, etc.), especially if you use socket connections.
  2. Analyze the data usage of your application (HTTP connections will typically use more data than socket connections).
  3. Check how your connection behaves during various phone events (calls, suspended application, phone "sleep" mode, calendar events, network loss, etc.).
If your application will store data in memory:
  1. Check that you don't store sensitive user data.
  2. If you need to store sensitive user data, check that it is encrypted.
  3. Use Oxygen Phone Manager to extract RMS data. For some phones (like the Nokia N95) you can view RMS data by browsing the hidden memory card contents from a PC.
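
One way to automate the storage checks in the list above, as an added example that is not part of the original post: enter known canary values into the application under test, extract its RMS data, then scan the extracted bytes for those values in the encodings a MIDlet commonly writes. The canary values, function names and the sample dump are constructed for illustration.

```python
import base64

# Constructed canary values: enter these into the MIDlet under test, then
# extract its RMS data and scan the extracted file for them.
CANARIES = {"password": "Zx9-canary-pw", "mail_body": "CANARY-BODY-7731"}

def encodings_of(secret):
    """Byte patterns a MIDlet could plausibly have written for `secret`."""
    utf8 = secret.encode("utf-8")
    return {
        "utf-8": utf8,                           # writeUTF payload (same bytes for ASCII canaries)
        "utf-16be": secret.encode("utf-16-be"),  # DataOutputStream.writeChars layout
        "base64": base64.b64encode(utf8),        # encoding, not encryption; matches only if encoded on its own
    }

def scan_dump(dump, canaries):
    """Return (label, encoding, offset) for every canary found in the dump."""
    findings = []
    for label, secret in canaries.items():
        for enc, pattern in encodings_of(secret).items():
            start = 0
            while (pos := dump.find(pattern, start)) != -1:
                findings.append((label, enc, pos))
                start = pos + 1
    return sorted(findings, key=lambda f: f[2])

def build_sample_dump():
    """Constructed stand-in for an extracted RMS file (not a real vendor format)."""
    pw = CANARIES["password"].encode("utf-8")
    return (
        b"\x00\x00\x00\x01login\x00"
        + len(pw).to_bytes(2, "big") + pw            # as writeUTF would store it
        + b"\xff\xfe\x10\x02"
        + CANARIES["mail_body"].encode("utf-16-be")  # as writeChars would store it
        + bytes(range(0x80, 0x90))                   # opaque bytes, e.g. ciphertext
    )

if __name__ == "__main__":
    dump = build_sample_dump()
    for label, enc, pos in scan_dump(dump, CANARIES):
        print(f"FAIL: {label} readable as {enc} at offset {pos}")
```

For a real run, replace `build_sample_dump()` with the bytes of the extracted file, for example `open(path, "rb").read()`. An empty result only shows that the canaries are not stored in these three encodings; it does not prove that the data is encrypted well.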

Gmail MIDlet security

Did you know that the mail texts of your Gmail application are stored in Java RMS memory as plain text?

It is easy to extract phone RMS data; you just need access to the phone for a couple of minutes.

Here is an example of Gmail RMS data (opened in Windows Notepad):



Sometimes there could be very sensitive data in mails, such as passwords or bank data.

By the way, there are also applications that store login credentials as plain text in RMS memory.

Don't underestimate these security risks when developing applications.


Mobile GPS tracking

It would be interesting to show your exact location on the internet, wouldn't it?

For example, if you are traveling somewhere you can share your location details with your friends and family.

There are some solutions for this on the internet; some are free, some are commercial.

I think the best of all the solutions is http://www.gmap-track.com/

Some simple instructions:

1) Download the mgmaps software to your phone: go to http://wap.mgmaps.com/ or use this bar code:

2) Go to http://www.gmap-track.com and create your account.
3) Enter your tracking details in the mobile application.
4) Share your name with friends.

See example:


Nokia N95 as external bluetooth GPS device

link.

A very interesting application that allows you to use your Nokia N95, with its integrated GPS, as an external Bluetooth GPS device.

Quote from their page:

Symarctic ExtGPS allows you to use your phone's built-in GPS module externally on laptop via Bluetooth. It is mainly targeted for Nokia N95, E90, 6110 Navigator handsets, allowing you to use existing, more sophisticated GIS applications.

Use the barcode to download:



Wednesday, April 9, 2008

RMS security in J2ME

Many mobile applications require a username and password to sign in to some service.
Very often those applications allow you to save the username and password in the phone's memory to enable automatic sign-in.

I believe that many software developers don't consider the risk that MIDlet RMS data on the phone is mostly not encrypted. That means that someone with some knowledge could easily extract RMS data from the phone. If the password is not encrypted, it can easily be viewed (using Windows Notepad!!!!).

What an attacker would probably do:
  • download Oxygen Phone Manager
  • while someone has left their phone unattended, connect to it via Bluetooth and extract all phone data
  • read all the data stored in application memory

That's it!

Check: Bouncy Castle

Tuesday, April 8, 2008

SIM card writer

SIM Max 12 in 1 SIM Card Reader & Writer

looks very interesting.

Mobile software development process

Some ideas on how I see the mobile (Java MIDlet) software development process:

  1. Write a concept document (describe the general idea of your product).
  2. Feasibility study (research how feasible it is: does Java technology allow what you want, what the main devices will be, what issues they have, whether you will need to sign the application, costs, income, HTTP vs. socket connections, risks, etc.).
  3. If you think the project is realistic, create a specification document describing how the application should be built.
  4. If necessary, create a detailed technical design document.
  5. Development and unit testing.
  6. Create a generic version.
  7. QA should run tests against the generic version to find all bugs and check that everything is developed according to the specifications (an emulator can be used to test the generic version). Test cases should cover everything written in the specification documents.
  8. Once the generic version is of acceptable quality, start creating device-specific builds (for example, one build each for SE JP-7, SE JP-8 and Nokia S60v1).
  9. Test on at least one device from each group, for example one S60v1 device. If you have the resources, test on all devices.
  10. Remember to maintain the documentation after every change in the software.
  11. Remember to maintain the test cases.
  12. Remember to run regression tests after every new build.

How to create an application that will work on all Java-enabled mobile phones?

Impossible. Unless the application is "Hello world".

Some simple tips:
  • Forget "write once, run anywhere"; it doesn't work on mobile devices.
  • Devices have various screen sizes, so if you want your application to look good, you will need separate builds for different screen sizes.
  • Devices have various Java implementations (CLDC, MIDP, included JSRs, ...), so what works on one device most probably won't work on another.
  • Manufacturers try to help developers and testers by creating groups of devices that share one Java implementation, for example the Sony Ericsson Java platform strategy. Theoretically you can create a build for one device per platform and screen resolution and assume that it will work on the others. Nokia has something similar: developer platforms (like S60v3).
  • Devices can have specific bugs or issues; J2ME Polish has quite a good database of them. So most probably it won't be enough to create a generic build for a group of devices.
  • It's not over yet. Many operators, like AT&T or T-Mobile, like to change the Java implementations on phones; most probably they will restrict installing your VeriSign-signed application or deny socket connections.

Remote device access

If you wonder how to test your application on real devices and real networks, here are some useful links:

Nokia and Sony Ericsson remote device access.

DeviceAnywhere solution.

Basically, you control actual devices on real networks.

After testing your application, don't forget to clear the device memory, unless you want someone else to steal it and spread it over the internet.

Automated MIDlet testing on Symbian phones

I have been digging through the internet in search of a tool that would help me build an automated functional testing solution for Java applications on mobile phones. There are some solutions on the internet, like http://deviceanywhere.com or http://www.testquest.com/, but those are very expensive.

The best tool I found is mVNC (a VNC server for Symbian phones) together with VNC Robot.
The whole solution costs 24 EUR (for mVNC only, because VNC Robot is freeware).


Next steps:
  • start the mVNC server on the phone
  • connect to it using VNC Robot
  • write (really easy) or record test scripts; capture and compare images
  • play back your scripts as many times as you need
I think this is a very good solution for automated testing of mobile applications.