The client is a US-based private company owning and managing a set of commercial real estate assets in the heart of New York City.
With no QA activities in place, they chose a1qa to establish QA processes from scratch and enhance the quality of IoT-based solutions designed for streamlining navigation inside the buildings and granting multi-level access to them.
a1qa was engaged to help ensure the top quality of an iOS and Android mobile app as well as an administrative web portal. These products let end users manage staff and client access across buildings (e.g., elevators, building entry points, meeting rooms), navigate the buildings through interactive maps, and track upcoming events and news. The back end assists companies that rent offices from the client in managing employees with multi-level access to the system.
In order to enter the building, staff members can benefit from an IoT-based system and link personal IDs to their profiles through a mobile app or a QR code.
The dedicated QA team started by setting up and configuring Scrum-based QA processes from scratch.
a1qa managed workload and quickly resolved emerging issues by maintaining regular communication with both the client and the developers. Utilizing typical Scrum ceremonies, such as bug triage and retrospectives, enabled them to effectively prioritize tasks and plan accurately.
They also established a reporting practice to increase process transparency and allow the client to see project status and spot drawbacks in real time.
The core of the solution is an application for administering building entry: setting up access permissions and letting the security team monitor and approve all arriving guests.
In order to fine-tune the integration of the building’s server side with this app, a1qa leveraged a special lab used for scanning employees’ key cards (simulating entry situations on different floors) as well as employees’ and guests’ QR codes.
As for key cards, a1qa verified that card data was read and displayed correctly in the relevant security systems so that the appropriate access was granted.
When it came to QR codes, a1qa took several steps to test their functionality. Firstly, they automatically generated QR codes that were identical to the ones that are typically sent to guests via email or saved in their profiles upon registering in the app. Then, a1qa utilized configured QR code readers to verify the accuracy of the scanning process for these codes.
To speed up testing activities and cover the extensive smoke testing scope, a1qa brought test automation best practices to the table.
To simulate the actions of real users while processing guests' invitations, automated tests interacted with the SDK of third-party systems through a protocol and sent a signal accepting or declining access to the building or one of its specific areas. At the same time, the engineers checked that the corresponding message was displayed in the mobile application for end users.
The QA team also validated QR codes with the help of automated tests.
To get access to real mobile devices and run tests in browsers without developing separate infrastructure, the QA experts set up an AWS device farm for testing mobile applications.
The early introduction of test automation into the development process significantly reduced the time required for QA activities and freed up the client's resources to focus on core business objectives.
The QA team evaluated the behavior of a mobile app version under a given load and increased that load over time.
They applied a user-behavior approach to testing the IoT-based system: scanning a QR code to simulate entering the building or a meeting room. This formed the basis for developing user journeys that simulate realistic load and for preparing scripts covering the major API requests and system functionality, including QR code generation and new guest registration.
Server-side testing encompassed the following types of checks:
As a result of the performance testing, the QA team identified a range of critical flaws: long authorization and response times, errors associated with HTTP response codes 400, 502, 504, and others. To address these, a1qa recommended restructuring heavy API requests and optimizing the embedded elements on the main page.
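The kind of analysis that turns raw load-test output into the findings above (slow endpoints and 4xx/5xx error rates) is shown here as an added example; it is not a1qa's tooling, the result lines are constructed, and the p95 and error-rate thresholds are assumed for illustration rather than taken from the client's SLA.

```python
"""Summarise load-test results per endpoint: latency percentiles and HTTP error rates.

Added example, not a1qa's tooling. The result lines below are constructed for
illustration; each holds: timestamp, method, path, HTTP status, response time (ms).
"""
import math
from collections import defaultdict

SAMPLE_RESULTS = """\
2024-01-01T10:00:00Z POST /api/auth/login 200 2850
2024-01-01T10:00:01Z POST /api/auth/login 200 3100
2024-01-01T10:00:01Z POST /api/auth/login 504 30000
2024-01-01T10:00:02Z GET /api/guests 200 180
2024-01-01T10:00:02Z GET /api/guests 200 210
2024-01-01T10:00:03Z GET /api/guests 502 95
2024-01-01T10:00:03Z POST /api/qr/generate 200 640
2024-01-01T10:00:04Z POST /api/qr/generate 400 40
2024-01-01T10:00:04Z POST /api/qr/generate 200 710
2024-01-01T10:00:05Z POST /api/guests/register 200 950
"""

# Assumed acceptance thresholds for this example (not the client's SLA).
P95_LIMIT_MS = 2000
ERROR_RATE_LIMIT = 0.05


def parse_results(text):
    """Parse whitespace-separated result lines into (method, path, status, ms) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, method, path, status, ms = line.split()
        rows.append((method, path, int(status), int(ms)))
    return rows


def percentile(values, pct):
    """Nearest-rank percentile, the usual choice in load-test reports."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarise(rows):
    """Aggregate per endpoint: request count, p95 latency, error rate, error codes seen."""
    latencies = defaultdict(list)
    statuses = defaultdict(lambda: defaultdict(int))
    for method, path, status, ms in rows:
        key = f"{method} {path}"
        latencies[key].append(ms)
        statuses[key][status] += 1
    report = {}
    for key, times in latencies.items():
        errors = {s: n for s, n in statuses[key].items() if s >= 400}
        report[key] = {
            "requests": len(times),
            "p95_ms": percentile(times, 95),
            "error_rate": sum(errors.values()) / len(times),
            "error_codes": sorted(errors),
        }
    return report


def flag_violations(report):
    """Return {endpoint: [reasons]} for endpoints breaching either threshold."""
    flagged = {}
    for key, stats in report.items():
        reasons = []
        if stats["p95_ms"] > P95_LIMIT_MS:
            reasons.append(f"p95 {stats['p95_ms']} ms exceeds {P95_LIMIT_MS} ms")
        if stats["error_rate"] > ERROR_RATE_LIMIT:
            reasons.append(f"error rate {stats['error_rate']:.0%} with codes {stats['error_codes']}")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarise(parse_results(SAMPLE_RESULTS))
    for endpoint, reasons in flag_violations(summary).items():
        print(endpoint)
        for reason in reasons:
            print("   ", reason)
```

On the constructed data the login endpoint is flagged for both latency and a 504, while the guest listing and QR generation endpoints are flagged for 502 and 400 responses only; that split between slow-but-working and outright failing calls is what points the fix either at request structure or at the back-end services behind the gateway.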
Client-side testing, in turn, served to measure front-end speed, understand possible user experience problems, and report front-end elements for optimization.
Due to initial bugs in the software development process, the team noted that the product under test was highly vulnerable to cyberattacks.
To define the overall security level, the a1qa experts performed a vulnerability assessment based on the OWASP Web and Mobile Security Testing Guides. For the web application, they checked configuration, authentication, authorization, session handling, multiple injection types, business logic, and the download of files of diverse types, including malicious data.
For the mobile applications, the team assessed their configuration, evaluating the likelihood of traffic interception or software download over connections with unverified SSL certificates. The QA specialists also reverse-engineered the app to review the source code and analyze the encryption algorithms, looking for any keys, logins, or passwords visible in the code.
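Reviewing decompiled sources for visible keys and passwords is usually done with a rule-based scan before a manual read-through. The scanner below is an added example, not a1qa's tooling; SAMPLE_SOURCES stands in for a few files recovered from a decompiled app, and every path, key and password in it is constructed.

```python
"""Scan decompiled app sources for hard-coded credentials.

Added example, not a1qa's tooling. SAMPLE_SOURCES is a constructed stand-in for a
few files recovered from a decompiled mobile app; every value in it is made up.
"""
import re

SAMPLE_SOURCES = {
    "com/example/net/ApiClient.java": """
public class ApiClient {
    private static final String API_KEY = "AKIAEXAMPLEKEY123456";
    private static final String BASE_URL = "https://api.example.invalid/";
}
""",
    "com/example/auth/Session.java": """
String password = "P@ssw0rd-demo";
String note = "password fields must be cleared on logout";
""",
    "res/values/strings.xml": """
<string name="app_name">Demo</string>
<string name="jwt_secret">c2VjcmV0LWhtYWMta2V5LWRlbW8=</string>
""",
}

# Each rule: (finding kind, regex whose single capturing group is the secret value).
RULES = [
    # AWS access key IDs have a fixed prefix and length, so a tight pattern has few false positives.
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # A password *assignment*; a mention of the word in a UI string does not match.
    ("assigned_password", re.compile(r'(?i)\b(?:password|passwd|pwd)\b\s*=\s*"([^"]{6,})"')),
    # Android string resources whose name suggests a secret.
    ("secret_string_resource",
     re.compile(r'<string name="[^"]*(?:secret|token|key)[^"]*">([^<]+)</string>', re.I)),
]


def redact(value):
    """Keep a short prefix so the finding can be located without echoing the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_sources(sources, rules=RULES):
    """Return one finding per (file, line, rule) match, with the value redacted."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in rules:
                match = pattern.search(line)
                if match:
                    findings.append({
                        "file": path,
                        "line": lineno,
                        "kind": kind,
                        "value": redact(match.group(1)),
                    })
    return findings


def summarise_by_kind(findings):
    """Count findings per rule, which is what goes into the assessment report."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['file']}:{f['line']}  {f['kind']}  {f['value']}")
    print(summarise_by_kind(scan_sources(SAMPLE_SOURCES)))
```

The second rule deliberately requires an assignment, so the "password fields must be cleared" message in Session.java is not reported; tuning rules against such near-misses is most of the work in keeping a scan like this useful on a large decompiled tree.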
As a result, the team spotted a range of critical system flaws:
Upon completion of testing activities, they provided the client with a report on the security level of the solution based on the CVSS calculator (which scores findings on objective criteria): the security of the web app was assessed as low, and that of the mobile systems as medium.
For each detected vulnerability, the QA team proposed recommendations for improvement to enhance the overall security level of the system.
The client is highly satisfied with the delivered outcomes and appreciates the team’s commitment to helping bring stellar software performance and ensure high security level in the solution.