Optimising mobile testing security with no quality sacrifice

When it comes to mobile applications, finance businesses have two priorities that aren't always easy to align.

On the one hand, banks and other financial services organisations want to ensure that they test mobile apps thoroughly to deliver a great user experience. They have high quality standards, and mobile testing is critical to meeting them.

On the other hand, finance companies need to meet very strict security requirements, and conventional approaches to mobile testing don't always jive with that goal.

Fortunately, there's a way to square this circle such that mobile apps can be rigorously tested in a secure way. The solution is to use an air-gapped testing environment. This article explains what such an environment looks like and how it benefits finance companies in particular.

The what and why of air-gapped mobile testing

An air-gapped mobile testing environment is one where engineers can run tests without connecting devices or applications to external networks in any way. All testing is performed using a local area network (LAN) that is totally disconnected from the internet. The LAN can also be disconnected from other internal network resources that the business operates, if desired.

From a security perspective, air-gapped testing environments provide banks and other highly regulated businesses with key security advantages. They ensure that security issues that exist elsewhere within a bank's IT infrastructure can't bleed over into mobile tests. They also minimise the risk that an internet-borne attack, or a vulnerability lurking somewhere else in the company's IT estate, can serve as a vector through which malicious parties can access sensitive data that is stored on mobile apps or devices during testing.

In other words, if your testing environment is totally disconnected at the network level, it's essentially immune to security problems that originate anywhere else.

In this respect, air-gapped testing provides a level of security assurance that's just not possible to achieve in other ways. Engineers could rely on tools like firewalls or virtual private networks to try to isolate mobile testing environments from other resources, but there could be ways for attackers to get past those vectors. At the end of the day, totally disconnecting is the only way to ensure the highest possible degree of security during mobile testing.

Getting the most from disconnected testing

The challenge that banks and similar organisations often run into when building air-gapped testing environments is that, in many cases, software testing platforms don't deliver the same level of performance for air-gapped testing that they provide in cloud-based testing environments, which are the go-to testing infrastructure for businesses with less strict security requirements.

As a result, finance companies may find themselves trading test coverage and rigour for security – which is a problem if they want to optimise the user experience while also maximising security.

That said, there are exceptions. When selecting a mobile testing solution that offers an air-gapped option, businesses should verify that the air-gapped implementation supports the following essential features:

• The ability to run accessibility and performance tests using AI/ML automations. Without these tests, organisations risk delivering software that doesn't meet user expectations because they weren't able to test it as rigorously.
• Support for complete disconnection, if desired. To maximise security, air-gapped testing services should be able to set up LANs that are completely disconnected from any other network when users require it.
• Support for scriptless automation. Scriptless automation is another feature that helps businesses get the most out of mobile testing, but which is sometimes not available with air-gapped testing.
• Support for running UI tests. User Interface (UI) tests, too, are essential for optimising application quality, and businesses shouldn't have to skimp on UI quality assurance in order to use air-gapped testing.

Put simply, organisations should ensure that they get the same features and functionality from air-gapped tests that they would get from a conventional test cloud. That way, there's no need to let security become the enemy of quality or performance.

Air-gapped testing without compromises

Air-gapped testing is a great way to enhance security. That makes air-gapped tests especially valuable in industries like finance where security requirements are very high, and where businesses are constantly probed by attackers for vulnerabilities that they can exploit.

However, air-gapped testing shouldn't come at the expense of test functionality. When devising an air-gapped testing strategy, it's critical to ensure that you get the same features in your on-premises testing environment that you would get from an online mobile testing solution. That's the only way to guarantee quality and security at the same time.

About the author: Frank Moyer is CTO of Kobiton.