Top 10 Testing Tools for Mobile

Posted: 10/08/2017 in Apple, Apps
Tags: ,

With each passing day, the word automation is growing as the meat of the matter for organizations. And why not? Ultimately, automation saves time and energy of humans by performing monotonous work as per the pre-defined standards. Undoubtedly, automation streamlines business operations and establishes smooth organizational processes. But along with other industries, IT is also leveraging automation to simplify the various technically complex activities.

Testing is one of the very crucial parts of Information Technology. The web or mobile application without testing is not considered as a reliable one. Users might encounter with bugs, low system performance, malfunctioning of the features, etc. Eventually, it reduces the client base. So, an accurate and appropriate testing is a primary need to launch a highly efficient system.

A variety of automation testing tools is available in the market that enables developers to check out the quality and effectiveness of their web and mobile software or hardware with detailed analysis. Such automated testing software helps developers by saving time and reducing errors occur due to human intervention. Have a quick overview of the 10 best automated testing tools for mobile apps.

1. Appium

An open-source mobile test automation tool to test Android and iOS applications. Developers can test native, mobile web and Hybrid mobile apps on this software. To run the tests, Appium uses WebDriver interface. It supports C#, Java, Ruby, and many other programming languages that belong to WebDriver library.

Testers can test native apps that are written in Android and iOS SDKs, mobile web apps that can be accessible through mobile browser, and hybrid apps that contain web view. Being a cross-platform tool, it allows programmers to reuse the source code amongst Android and iOS.

2. Robotium

Again an open-source tool to test Android applications of all versions and sub-versions. It tests all Android hybrid and native apps. The tests of Robotium are written in Java. Using the tool, it is quite easy to write powerful automatic black box test cases for Android applications. It automates multiple Android activities and creates solid test cases in minimal time.

3. MonkeyRunner

MonkeyRunner is specifically designed for the testing of devices and applications at the framework/functional level. The tool contains amazing features such as multiple device control, regression testing, extensible automation, and functional testing to test Android apps and hardware. The tests of MonkeyRunner are written in Python. Developers need not to make changes in source code to automate the testing.

4. UI Automator

In order to test the user interface of an app, UI Automator creates functional Android UI test cases. It has been recently expanded by Google. The tool seamlessly interacts with all Android software and applications. It works with the all devices that support Android version 4.1 and others that are released after 4.1. In the previous version, testers need to use other testing tools. Additionally, UI Automator can lock and unlock a tablet or a smartphone.

5. Selendroid

Being one of the leading test automation software, Selendroid tests the UI of Androids based hybrid and native applications and mobile web. Client API tests are written using Selendroid 2. The tool supports plugging of hardware devices. Moreover, it holds exceptional capabilities to interact with multiple Android devices at the same time. Selendorid is highly compatible with the JSON wire protocol.

6. MonkeyTalk

MonkeyTalk automates the functional testing of Android and iOS apps. Non-technical person can also run the testing on this platform as it doesn’t require in depth knowledge of techie scripting and programming. The scripts of MonkeyTalk are quite understandable and simple. Testers can also create XML and HTML reports using this tool. Additionally, it also takes screenshots when failure happens. MonkeyTalk supports emulators, network devices, and tethered.

7. Testdroid

It’s a cloud based program for mobile app testing that helps developers in saving development cost, eliminating the unpredictable operational cost, and improving time-to-market. It is one of the best platforms to test your iOS and Android devices that are having different screen resolutions, OS versions, and HW platforms. Testdroid is a tool that reduces the risk with agile and real devices testing. It also improves the daily users of the app along with review rating.

8. Calabash

Calabash works efficiently with .NET, Ruby, Flex, Java and other programming languages. It tests native and hybrid mobile apps. Programmers can have APIs that enable native apps to run on touch screen devices. Calabash involves libraries that permit test-code to interact with hybrid and native apps programmatically. It also supports the framework Cucumber.

9. Frank

Frank allows to test only iOS applications and software. The framework combines JSON and Cucumber. The tool contains an app inspector “Symbioate” that enables developers to have detailed information about the running app. It is most suitable for web based apps and emulators. It can be integrated with CI and run the tests on the devices and simulators.

10. SeeTest

SeeTest Automation is a cross-platform solution. It allows to run the same scripts on different devices. It enables developers to run the test on several devices in parallel. Being a powerful test automation tool, it is capable of testing websites/mobile apps. It supports iOS, Android, Symbian, Blackberry, and Windows Phone. The most important features of this tool are phone testing, battery, browser testing, etc.

  • Bandicoot

    is Python toolbox to analyze mobile phone metadata. It provides a complete, easy-to-use environment for data-scientist to analyze mobile phone metadata. With only a few lines of code, load your datasets, visualize the data, perform analyses, and export the results.
  • ACF – This software enables a forensic investigator to map each connection to its originating process. It doesn’t require root privliges on the system, but do require adb & USB debugging.
  • Android Forensics – AFLogical OSE: Open source Android Forensics app and frameworkThe Open Source Edition has been released for use by non-law enforcement personnel, Android aficionados, and forensics gurus alike. It allows an examiner to extract CallLog Calls, Contacts Phones, MMS messages, MMSParts, and SMS messages from Android devices. The full AFLogical software is available free for Law Enforcement personnel. More information is available at https://www.nowsecure.com/
  • Android Data Extractor Lite
    This Python script dumps all important SQLite Databases from a connected Android smartphone to the local disk and analyzes these files in a forensically accurate workflow. If no smartphone is connected you can specify a local directory which contains the databases you want to analyze. Afterwards this script creates a clearly structured XML report. If you connect a smartphone you need a rooted and insecure kernel or a custom recovery installed on the smartphone.
  • BitPim 
    BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. To see when phones will be supported, which ones are already supported and which features are supported, see online help.
  • Fridump – Fridump (v0.1) is an open source memory dumping tool, primarily aimed to penetration testers and developers. Fridump is using the Frida framework to dump accessible memory addresses from any platform supported. It can be used from a Windows, Linux or Mac OS X system to dump the memory of an iOS, Android or Windows application.
  • LiME – A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
  • Project RetroScope
    The majority of RetroScope’s code is in the dalvik/vm/zombie directory.Please be sure to read the RetroScope paper before working with RetroScope.A demo of RetroScope recovering a suspect’s chat session from a memory image of the Telegram app is available on YouTube at: https://youtu.be/bsKTmZEgxiE.
  • PySimReader – This is a modified version of Todd Whiteman’s PySimReader code. This modified version allows users to write out arbitrary raw SMS PDUs to a SIM card. Additionally, debugging output has been added to allow the user to view all APDUs that are sent between the SIM card and PySimReader.
  • Andriller – Android Forensic Tools
    Andriller  is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as powerful Lockscreen cracking for Pattern, PIN code, or Password; custom decoders for Apps data from Android (and some Apple iOS) databases for decoding communications. Extraction and decoders produce reports in HTML and Excel (.xlsx) formats.

WPS is short for Wi-Fi Protected Setup and is a method of establishing a connection between a wireless device and a wireless router that was released in 2007. Typically to connect a wireless device to a router you need to know the router name (SSID) and its password. However, with WPS you could connect to the network using any of the methods below.

  • For devices that support WPS, you can enter the eight-digit WPS PIN on your wireless router to connect to the router.
  • If your wireless device has a WPS button of its own, you can press the WPS button on the router and then press the WPS button on your device to connect it to the network.
  • Press the WPS button on the router and then using a wireless device find and select the router to connect without having to enter a password.
  • For wireless devices that have WPS, you can enter the eight-digit generated PIN in your wireless router’s setup to connect the device.

Where is the WPS PIN or WPS Key?

The WPS PIN can be found on the back or bottom of the router. With most routers, the WPS PIN is on a sticker and is an eight-digit number.

Disadvantages with WPS

Although WPS can make it easier to connect wireless devices to your network, there are some distinct disadvantages of WPS.

  • If your wireless router is in an insecure area, anyone could press the WPS button on the back of the router and be able to connect to your network.
  • Because all WPS devices have a unique eight-digit PIN (technically seven since the last digit is a checksum), a hacker can use a brute-force attack on the router to identify the WPS PIN and then be able to connect to your network.
  • The WPS router PIN cannot be changed.
  • WPS only works with WPA or WPA2 security and does not support older devices with WEP.

Although WPS can make it easier to connect wireless devices to your network because of these disadvantages you may want to disable WPS through your router setup.

Reaver implements a brute force attack against WiFi Protected Setup which can crack the WPS pin of an access point in a matter of hours and subsequently recover the WPA/WPA2 passphrase. Specifically, Reaver targets the registrar functionality of WPS, which is flawed in that it only takes 11,000 attempts to guess the correct WPS pin in order to become a WPS registrar. Once registered as a registrar with the access point, the access point will give you the WPA passphrase.

Cracking WI-FI with WPS ENABLED

  1. Start wireless card  in monitor mode
    airmon-ng start wlan0
  2. See the list of networks that support the WPS.
    wash -i wlan0mon

     

  3. Using Reaver
    reaver -i wlan0mon -vv -b XX:XX:XX:XX:XX:XX

    Description

    -i wlan0mon this interface.
    -b XX: XX: XX: XX: XX is BSSID attacked point.
    -vv -v, –verbose Display non-critical warnings

    As there are additional useful options
    -t 2 – reduces response time (5 seconds by default) in this case to 2 seconds.
    -d 0 – the pause between attempts.

  4. Key found

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

Included In

At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.

Inveigh running with elevated privilege

Inveigh

Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.

By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.

Inveigh running without elevated privilege

Unprivileged

Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for relay if the goal is local privilege escalation.

Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher

Relay

Tutorials & Download

Johnny is the cross-platform Open Source GUI frontend for the popular password cracker John the Ripper. It was originally proposed and designed by Shinnok in draft, version 1.0 implementation was achieved by Aleksey Cherepanov as part of GSoC 2012 and Mathieu Laprise took Johnny further towards 2.0 and beyond as part of GSoC 2015.

Johnny’s aim is to automate and simplify the password cracking routine with the help of the tremendously versatile and robust John the Ripper, as well as add extra functionality on top of it, specific to Desktop and GUI paradigms, like improved hash and password workflow, multiple attacks and session management, easily define complex attack rules, visual feedback and statistics, all of it on top of the immense capabilities and features offered by both JtR core/proper as well as jumbo.

Features

  • Cross platform, builds and runs on all major desktop platforms
  • Based on the most powerful and robust password cracking software, supports both John core/proper and jumbo flavors
  • Exposes most useful JtR attack modes and options in a usable, yet powerful interface
  • Simplifies password/hash management and attack results via complex filtering and selection
  • Easily define new attacks and practical multiple attack session management
  • Manually guess passwords via the Guess function
  • Export Passwords table to CSV and colon password file format
  • Import many types of encrypted or password protected files via the 2john functionality
  • Fully translatable (English and French language for now)

Download

At the end of last year, Mozilla launched a privacy browser called Firefox Focus for the iOS platform, providing more comprehensive and professional protection for your Internet privacy, by default, including tracking, social and advertising tracking. And now, this privacy-oriented browser officially landed Android platform.

Download: Google Play and App Store

Compared to the regular mobile browser Firefox Focus in the function is a bit a single, only a search and URL bar, but also in the settings panel is also relatively “simple”, you can turn on/off different tracking type. This browser does not support tabs or other menus, and there is an erase button at the top of the app to clean up your online traces manually, and the app is automatically cleaned up after the application is closed.

Compared to the iOS version, Android version Firefox Focus added some additional features. Including an ad tracking count that allows the user to know how many sites each site has blocked, and to allow the user to manually turn off tracking blocking when the page is not loaded correctly, and when you run Firefox Focus in the background, Clean up the Internet history.

Image result for robots.txt

What is a robots.txt file?

Search engine through a program robot (also known as spider), automatically access the Internet page and access to web information.
You can create a plain text file, robots.txt, in your website that declares that the site does not want to be accessed by the robot so that part or all of the site’s content can not be included in the search engine, or Specifies that the search engine only includes the specified content.

Where is the robots.txt file?

The robots.txt file should be placed in the root directory of the site. For example, when a robots visit a website (such as https://www.linkedin.com ), it will first check whether the site exists https://www.linkedin.com/robots.txt this file, if the robot to find this file, it will be based on the contents of this file to determine the scope of its access.

The format of the robots.txt file

The “robots.txt” file contains one or more records, separated by blank lines (CR, CR / NL, or NL as the end), and the format of each record is as follows:

"<field>:<optionalspace><value><optionalspace>"

 

In the file can be used # for annotations, the specific use of the same practice and UNIX. The records in this file usually begin with one or more lines of User-agent, followed by a number of Disallow lines, as follows:

  • User-agent:
    The value of this item is used to describe the name of the search engine robot. In the “robots.txt” file, if there are multiple User-agent records that have multiple robots that are limited by the protocol, Say, at least one User-agent record. If the value is set to *, the protocol is valid for any robot. In the “robots.txt” file, there is only one record of “User-agent: *”.

 

  • Disallow:
    the value of the item used to describe the URL you do not want to visit, the URL can be a complete path, it can be part of any Disallow at the beginning of the URL will not be access to the robot. For example, “Disallow: /help” does not allow search engine access to /help.html and /help/index.html, and “Disallow: /help/” allows the robot to access /help.html without access to /help/index .html. Any Disallow record is empty, indicating that all parts of the site are allowed to be accessed, in the “/robots.txt” file, at least one Disallow record. If “/robots.txt” is an empty file, then for all the search engine robot, the site is open.