Test Outside the Box by Rooting Your Devices: An Interview with Alan Crouch

[interview]
Summary:

In this interview, Alan Crouch, a director of mobile testing at Coveros, explains how rooting can help you look at mobile testing differently. He talks about the concepts behind rooting, how to pick the right mobile testing tool, and why experimentation in testing is key.

Josiah Renaudin: Welcome back to another TechWell interview. Today I am joined by Alan Crouch, a director of mobile testing with Coveros and a keynote speaker at this year's Mobile Dev + Test Conference. Alan, thank you so much for joining us today.

Alan Crouch: Thanks for having me.

Josiah Renaudin: Absolutely. First, before we actually dig into the concept behind the keynote, can you tell us a bit about your experience in the industry?

Alan Crouch: I've been doing mobile testing for probably five or six years in the Washington, D.C., area with a lot of startups and federal clients.

Josiah Renaudin: How and why—and this is a lot about what your keynote's about—has the mobile landscape altered how companies think of information technology?

Alan Crouch: I think mainly, it flips a lot of the traditional software development paradigms on their head. It makes us develop with the concept of mobile first, and that concept is pretty simple. It just puts into action a plan to develop thinking small, thinking of mobile, and adding functionality as screens and interfaces get larger. It seems pretty simple, but it's complicated in practice. It typically makes us rethink about our design process, how we think about handling the computing needs of security versus usability and how we test applications efficiently and effectively.

Josiah Renaudin: Speaking of things that seem simple but are actually pretty complicated, I mean, with how big mobile has become, how difficult can it be to find the exact right testing tool for your team? Every team's different. Every application's different. Mobile's done differently, there's so many different platforms. How much research needs to go into that process to make sure you're not choosing something that'll actually be more detrimental than helpful for your team?

Alan Crouch: In my experience, it's always been important to choose, in particular, testing tools for three things: the people doing development and testing, the process by which you're developing your app, and the technologies you're using in your app. There's a lot of competing tools in the marketplace. Some are open source. Some are COTS. It's not necessarily easy to select the right one, but select one that's good enough and continue evaluating. The truth of the matter is the right one is more like the right one for right now, because the tools will change over time, often as rapidly as the mobile industry.

It's nice, at least at Mobile Dev + Test, there are a lot of vendors who will make that research process a lot easier, who'll be on site to do some demos and to ask questions. You can get a good idea and a feel for what the tools offer.

Josiah Renaudin: If you do, let's say, choose what ends up being the wrong tool early on, does it take a while to kind of uproot that and slip something different in? Because I'm guessing once you get the certain tool in there, the team gets comfortable with it and then it might not work out. Does it take a while to switch from tool to tool?

Alan Crouch: I think it depends on how much you integrate it into your process. If you allow the tool to define your process, it's a lot harder. If the tool is helping your development process and is a part of your development process but doesn't define it, it's a lot easier to just, you know, rip out one to the other. That's considering, of course, the cost of people buying licenses.

Josiah Renaudin: Absolutely.

Alan Crouch: Which typically is one of those defining reasons for sticking with the tool.

Josiah Renaudin: Your keynote's going to discuss rooting, which is something I find interesting. Can you explain the process of rooting your mobile device and why that can allow for more creativity in actually how you're testing these mobile apps?

Alan Crouch: Rooting is the process to break the limitations of the Android operating system that it puts on its users. At this point, rooting has become really trivial to do. It's downloading a root kit, running it on your Android phone or tablet, and then suddenly, within a couple minutes, you have full root privilege to the entire operating system to do anything you want. You're not stuck in the paradigm that the operating system allows you to use.

The advantages are that it can allow you to expose additional testing interfaces besides the GUI. You can alter or replace system applications, run specialized apps, or even access normally inaccessible data. What this allows us to do are things like seeding test data into our mobile apps, seeing what kind of data is exposed outside and inside the application sandbox. We can check for code obfuscation protection and even changing your location from, let's say, Washington, D.C., to Tokyo so you can try to collect all those super elusive Pokémon in Pokémon Go.

Josiah Renaudin: Man, I might need to actually root my own phone. When I was in college, I remember talking to people and seeing people who, you know another term for rooting is jail-breaking, and jail-breaking is something a lot of people would do, and suddenly they’re inside certain apps like you mentioned with Pokémon Go and they have all these different Pokémon you can't get in certain areas. When you explore the realm of rooting in software testing, is there any—do you at all sort of tiptoe toward dangerous territory? Is rooting looked down upon at all similar to how it is outside of the testing world, or like you said, is it trivial and just a necessary part of this process?

Alan Crouch: There are some legal ramifications. It can void your warranty on your phone and you may expose your phone to viruses and trojans. However, in most cases we're talking about a test phone in a test environment and not something that has critical user data on it, so it's probably okay. In addition, no carrier has ever blocked a rooted phone on their network in the United States. While they might frown on it, it's still legal.

Getting to the question is it looked down on, I'm not really sure if it's looked down on as much as people are scared of what they might not understand. Rooting becomes critically important when conducting security testing on your mobile app. If you're not rooting your device and doing testing, it's the equivalent of going to a gun fight with a knife. Hackers are going to root the device. They have all the tools possible to expose and break your app so why wouldn't you want to have those tools at your own disposal?

Josiah Renaudin: Yeah. Absolutely. Something I think we forget sometimes is that mobile is still new. I mean, it's one of those things that we all have. We've had multiple different smartphones so it feels like it's been around for a while, but in the grand scheme of things, mobile is a new thing. Has mobile application quality caught up with the rest of the industry, or do you really feel like there's this considerable room for growth for the actual quality of mobile applications?

Alan Crouch: I think there's always room to grow. However, the ability to be agile and develop small changes fairly quickly allows mobile apps to adapt to user needs and fix issues much more rapidly than the traditional app. Comparing it to traditional software applications, it's a little like comparing an apple and an orange because in many ways mobile has exceeded the rest of the software industry in things like usability. At the same time, they've failed to come close to the industry in things like security.

Josiah Renaudin: Something you also tackle that I think is interesting is experimentation in your keynote. How critical is it to both introduce and establish a culture of experimentation within your testing team? People like the knowns way more than they like the unknowns, so how difficult is it to accept the unknown in this manner for most testers?

Alan Crouch: It's an absolute must. We have to try new things and check out new technologies and not be afraid to take a risk. It's the only way to really compete in the mobile marketplace because there are more competitors and there's new things coming up all the time. I tend to think with our traditional idea of a silo tester, many of them are more resistant to change and slower to adapt than their development counterparts, say a developer. I'd say for those folks, it's a difficult uphill climb because change is hard especially grand cultural change is a lot harder.

On the flip side, for a lot of people who had started out just in mobile with the adoption of like agile and DevOps principles, we typically see instead of a silo tester we see a full stack developer tester and for those engineers who find themselves in that boat, it's less difficult to accept the unknown and more of a challenge for how are you going to test this effectively because they're the ones taking the risk on the development side so they're willing to take the risk on the testing side. In many cases, those folks are already experimenting and so adopting a culture of experimenting with testing and kind of constantly researching those tools that we talked about earlier can help them add things to their testing arsenal.

Josiah Renaudin: Can there be over-experimentation where you are so worried about what's coming next, you're trying new things all the time, you're looking at different tools, you're looking at new methodologies that might stick might not stick? Is there a certain extent where you're not building on your foundation instead you're constantly trying new things and nothing's really sticking?

Alan Crouch: Yeah. There's always that fear. Right? We always are playing around and we never actually do anything. There is a fine balance between how much experimentation I should accept and how much I shouldn't. How much that is probably depends a lot on the organizational culture and what are the needs of the particular app? What is the business value?

Josiah Renaudin: I don't want to spoil your entire keynote, but kind of just to close this out: More than anything, what central message, what main message, do you want to leave with your keynote audience?

Alan Crouch: To quote G.I. Joe, "Knowing is half the battle." Realizing that rooting can offer a whole lot of additional test surfaces and frankly tools to test is key to realizing how to best test your mobile app.

Josiah Renaudin: I really hope there are more G.I. Joe quotes during this keynote. Thank you very much, Alan. I appreciate it. I'm looking forward to hearing the whole thing in Mobile Dev + Test this year.

Alan Crouch: Thank you. Have a good one. 

Alan Crouch is a director of mobile testing with Coveros Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt a more “mobile-first” approach to information technology. Alan has worked with Departments of Homeland Security, Defense, and Health and Human Services; Symantec; and mobile start-ups to build and test Android, iOS, and responsive web applications. His passion is the intersection of mobile testing and information security. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @coveros_alan or on LinkedIn.

User Comments

2 comments
JJ Hill

I loved the article but I have to disagree. This equates roughly to test driving a car by hot wiring it. Sure, there's always going to be some group out there that releases a way to root every device almost the instant it hits shelves, but is that really the target audience for most of our mobile test cases? There are inherent security features that are bypassed when rooted, and I'm concerned that more people want a new shiny OS that can have ten billion wallpapers, but is fundamentally flawed and left vulnerable from a security perspective.

March 8, 2017 - 12:20am
Richard Nixon

@JJHill,

I don't really think this is akin to hotwiring... that implies criminal intent... think more like being able to tap into the ECU to examine performance data.

Rooting doesn't disable the security features... it just adds a mechanism to escalate privilege to gain full control of the environment when it's required. Rooting normally just adds an `su` command to execute specific things with root privs just like in Unix/Linux.

Being able to set up pre-conditions and stub things out has been a fundamental part of testing for years.

Being able to examine ALL the results (including results in private parts of the system) has also been fundamental.

March 24, 2017 - 8:50am
