
Security Testing Test Cases-Part 2


INTRO TO SECURITY TESTING

Security testing is an important aspect of software testing focused on identifying and addressing security vulnerabilities in a software application. It aims to ensure that the software is secure from malicious attacks, unauthorized access, and data breaches.

Security testing involves verifying the software’s compliance with security standards, evaluating the security features and mechanisms, and conducting penetration tests to identify weaknesses and vulnerabilities that might be exploited by malicious actors.

The goal of security testing is to identify security risks and offer recommendations for remediation to improve the overall security of the software application. Testers simulate attacks to check existing security mechanisms and look for new vulnerabilities.

SECURITY TESTING-COMMON TEST CASES

Each test case below gives the TC ID, the Feature under test, the Test Cases/Steps (Objective, Pre-req, Test steps) and the Expected Result.

TC_SECURITY_11

PASSWORD STORAGE

Objective: To validate how the new password is stored/saved on the database after the user changes the password during the ‘Change Password’ screen

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test Steps:
1. Tap to launch the app and login to the app with valid UN/PWD
2. Tap on ‘Change Password’
3. Enter the correct password in the ‘Old Password’ text box
4. Enter the matching text in ‘New Password’ and ‘Confirm New Password’ text boxes
5. Tap on Save/Submit button
6. Ensure the password is changed successfully
7. Validate how the password is stored on the database/cloud

Expected Result:
1. The password should not be stored as plain text
2. The password has to be stored as hashed/encrypted

TC_SECURITY_12

PASSWORD STORAGE

Objective: To validate how the new password is stored/saved on the database after the user changes the password during the ‘Forgot Password’ screen
 
Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
 
Test Steps:
1. Tap to launch the app
2. Tap on ‘Forgot Password’ button
3. Input a registered email id in the ‘Email’ textbox (eg. [email protected])
4. Tap on Submit button
5. Observe the app behavior
6. Access the email inbox of the user entered in step 3
7. Open the email received as part of ‘Forgot Password’ process (step 4)
8. Click on the URL/link inside the email
9. Enter the temporary password
10. Enter the new password
11. Re-enter/Confirm the new password
12. Tap on Save/Submit button
13. Ensure the password is changed successfully
14. Validate how the password is stored on the database/cloud

Expected Result:
1. The password should not be stored as plain text
2. The password has to be stored as hashed/encrypted
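Step 7 of TC_SECURITY_11 and step 14 of TC_SECURITY_12 both end with a tester looking at the stored value. The following is an added example (not code from the original post) of what a correctly stored record looks like and of the checks a tester can run against two accounts that chose the same password; the record layout `pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>` is an assumption made for this example.

```python
import hashlib
import hmac
import os

# Record layout is an assumption for this example: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; this string, not the password, is what the users table holds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_record(stored: str):
    """Split a stored record into (iterations, salt, digest); None if it is not in the expected shape."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    rec = parse_record(stored)
    if rec is None:
        return False
    iterations, salt, digest = rec
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), digest)


def storage_findings(stored_a: str, stored_b: str, plaintext: str) -> list:
    """Step 7 (TC_SECURITY_11) / step 14 (TC_SECURITY_12): inspect what two accounts that chose
    the same password look like in the database. An empty list means the check passes."""
    findings = set()
    for stored in (stored_a, stored_b):
        if stored == plaintext:
            findings.add("password stored as plain text")
        rec = parse_record(stored)
        if rec is None:
            findings.add("value is not a recognised salted-hash record")
        elif rec[0] < 100_000:
            findings.add(f"iteration count too low: {rec[0]}")
    if stored_a == stored_b:
        findings.add("identical records for identical passwords: the hash is unsalted")
    return sorted(findings)
```

Two accounts with the same password must produce different records; identical records mean the hash is unsalted and a leaked table can be attacked with precomputed tables.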

TC_SECURITY_13

APP SESSION

Objective: To validate if the app logs out the user automatically when the user changes the password using the ‘Change Password’ feature

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>
4. The ‘User A’ is already logged in on Device2 & Web

Test steps:
1. Tap to launch the app and login to the app with valid UN/PWD as ‘User A’ on Device1
2. Tap on ‘Change Password’
3. Input the current password
4. Input the new password
5. Input the confirm – new password
6. Tap on OK/Submit button to change the password
7. Observe where the user is navigated to (after change password is successful)
8. Observe the user login sessions on other devices (Device2 & Web)

Expected Result:
1. The ‘User A’ has to be logged out automatically after successfully changing the password
2. The ‘User A’ has to be redirected to the login screen
3. The ‘User A’ has to be logged out automatically in all the sessions where the user was earlier logged in

TC_SECURITY_14

PASSWORD QUALITY

Objective: To validate if the app logs out the user automatically when the user changes the password using the ‘Forgot Password’ feature

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>
4. The ‘User A’ is already logged in on Device2 & Web

Test steps:
1. Tap to launch the app on Device1
2. Tap on ‘Forgot Password’
3. Complete the ‘Forgot Password’ process for ‘User A’ email address
4. Ensure the new password is generated and user has changed the password successfully
5. Observe the user login sessions on other devices (Device2 & Web)

Expected Result:
1. The ‘User A’ has to be logged out automatically after successfully changing the password
2. The ‘User A’ has to be redirected to the login screen
3. The ‘User A’ has to be logged out automatically in all the sessions where the user was earlier logged in

TC_SECURITY_15

PASSWORD RESET

Objective: To ensure the app doesn’t reset the password without validating related information against the existing records

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Tap on ‘Forgot Password’
3. Observe the sequence of questions/steps to be followed, while resetting the password

Expected Result:
1. The end user must be asked to input his/her secret question, followed by the secret answer, and similar questions & answers (eg. DOB, Mobile # & Email address) that match the application’s existing records.
2. After these are validated, the user must be asked to input the new password followed by the reconfirm password.
3. This new password must not be emailed to the user, so that the password is not accidentally disclosed to others.
4. An email about the ‘Password change’ has to be sent to the user without revealing the new password in the email

TC_SECURITY_16

PASSWORD LOCKOUT

Objective: To ensure that the app doesn’t allow an attacker to reset or lock out users’ accounts

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Attempt to login to the app with invalid credentials continuously (more than 3 times)
3. Observe the app behavior

Expected Result:
1. The app should not allow the attacker to reset or lock out users’ accounts
2. CAPTCHA has to be implemented from the 2nd wrong attempt onwards

TC_SECURITY_17

PASSWORD LOCKOUT

Objective: To ensure that the app/system is safe from Brute Force Attacks

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Attempt to login to the app with invalid credentials continuously (more than 3 times)
3. Observe the app behavior

Expected Result:
1. The user account has to be locked for some time or till the administrator resets the password
2. The user has to be notified about the same
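TC_SECURITY_16 and TC_SECURITY_17 pull in opposite directions: repeated failures must lock the account, yet an attacker must not be able to lock users out. The added example below (not code from the original post) reconciles them the way most login services do: CAPTCHA from the second attempt after a failure, a lock after more than 3 failures that expires on its own or on an administrator reset, and a notification to the user. `LoginGuard`, its in-memory maps and the 15-minute lock duration are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3        # "more than 3 times": the 4th consecutive failure locks the account
LOCK_SECONDS = 15 * 60  # the lock expires on its own, or an administrator reset clears it early
CAPTCHA_AFTER = 1       # CAPTCHA is demanded from the 2nd attempt after a failure onwards


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    """Constructed in-memory guard; `credentials` maps user -> password (real systems store hashes)."""
    credentials: dict
    state: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # users told that their account was locked

    def attempt(self, user: str, password: str, now: float, captcha_ok: bool = False) -> str:
        """Returns one of: 'ok', 'invalid', 'captcha_required', 'locked'."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                        # even the correct password is refused while locked
        if st.locked_until:
            st.failures, st.locked_until = 0, 0.0  # lock has expired: start a fresh window
        if st.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"              # TC_SECURITY_16: slows automated guessing
        # same comparison path whether or not the user exists (see TC_SECURITY_23)
        stored = self.credentials.get(user, "\0" * 32)
        if user in self.credentials and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures > MAX_FAILURES:             # TC_SECURITY_17: temporary lock + notification
            st.locked_until = now + LOCK_SECONDS
            self.notifications.append(user)
            return "locked"
        return "invalid"

    def admin_reset(self, user: str) -> None:
        """Administrator clears the lock (expected result 1 of TC_SECURITY_17)."""
        self.state.pop(user, None)
```

Because the lock is time-limited and never changes the password, a guessing attack against a known account costs its owner at most a temporary lockout, which is the balance the two test cases ask for.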

TC_SECURITY_18

BLANK PASSWORDS

Objective: To ensure passwords can’t be left blank during account registration or sign up or change password or forgot password process

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Input a blank or empty password while registering as a new user during ‘Sign Up’ process
3. Observe the app behavior
4. Input a blank or empty password while changing the password during ‘Change Password’ process
5. Observe the app behavior
6. Input a blank or empty password while resetting the password during ‘Forgot Password’ process
7. Observe the app behavior

Expected Result:
1. Blank or empty password should not be accepted by the app/server/database
2. The app has to display the below toast message:
“Password must contain one uppercase letter, one lowercase letter, one number and 8-256 characters”

TC_SECURITY_19

PASSWORD STRUCTURE

Objective: To ensure password doesn’t accept special meta characters

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test Data: ^ $ \ / ( ) | ? + * [ ] { } , 

Test steps:
1. Tap to launch the app
2. Input special meta characters (refer the test data) in the Password field during Sign Up or Change Password or Forgot Password process
3. Observe the app behavior

Expected Result:
1. Meta characters should not be accepted & an appropriate error message has to be displayed.
2. This check is required because these are the characters used when performing SQL Injection.

TC_SECURITY_20

APP SESSION TIMEOUT

Objective: To ensure the session tokens are valid for a predetermined time, after a recent user request

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Login to the app
3. Leave the app idle for some time
4. Observe the app session behavior

Expected Result:
The session has to terminate automatically after an idle time of 5-10 min
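TC_SECURITY_13, TC_SECURITY_14 and TC_SECURITY_20 all come down to the server's session store: a token must die after the idle window, and every token a user holds on every device must die the moment the password changes. The added example below (not code from the original post) shows one server-side design that satisfies all three; `SessionStore`, its two maps and the 10-minute idle limit are assumptions made for this example.

```python
from dataclasses import dataclass, field
import secrets

IDLE_TIMEOUT_S = 10 * 60  # upper end of the 5-10 minute idle window in TC_SECURITY_20


@dataclass
class Session:
    user: str
    device: str
    issued_at: float  # when the token was minted
    last_seen: float  # time of the last authenticated request


@dataclass
class SessionStore:
    """In-memory store; a real deployment keeps the same two maps in Redis or the DB."""
    sessions: dict = field(default_factory=dict)             # token -> Session
    password_changed_at: dict = field(default_factory=dict)  # user -> timestamp

    def login(self, user: str, device: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, device, now, now)
        return token

    def change_password(self, user: str, now: float) -> None:
        """Final step of both 'Change Password' and 'Forgot Password'. Recording the
        time is enough: every token minted before it, including the one that made
        the change, is rejected on its next request and the client must re-login."""
        self.password_changed_at[user] = now

    def _live(self, s: Session, now: float) -> bool:
        idle_ok = now - s.last_seen <= IDLE_TIMEOUT_S                                     # TC_SECURITY_20
        not_revoked = s.issued_at >= self.password_changed_at.get(s.user, float("-inf"))  # TC_SECURITY_13/14
        return idle_ok and not_revoked

    def validate(self, token: str, now: float):
        """Return the Session for a usable token, or None; dead tokens are purged."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if not self._live(s, now):
            del self.sessions[token]
            return None
        s.last_seen = now
        return s

    def active_devices(self, user: str, now: float) -> list:
        """What step 8 of TC_SECURITY_13/14 observes: the user's still-usable sessions."""
        return sorted(s.device for s in self.sessions.values() if s.user == user and self._live(s, now))
```

Storing a per-user "password changed at" timestamp rather than hunting down every token is what makes the revocation cover Device2 and Web as well as the device that made the change.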

TC_SECURITY_21

CUSTOM ERROR MESSAGES

Objective: To ensure the app doesn’t reveal the technical details of the app failure(s)/crashes

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Login to the app
3. Perform any actions that result in a crash, app failure or app hang
4. Observe the error message displayed when a crash or functional failure is encountered

Expected Result:
1. Appropriate custom error messages have to be displayed to the end user without revealing any stack trace, DB failure or technical details
2. Error messages should not reveal any sensitive information

TC_SECURITY_22

APPLICATION ERROR MESSAGES

Objective: To ensure that the app does not provide application error messages to an attacker that could be used in an attack

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Login to the app
3. Attempt to execute incorrect sequence of actions
4. Observe the error message displayed by the app/server

Expected Result:
1. The app should not display verbose error messages such as stack trace info, database path error messages, query failure messages or internal system failure details; instead a generic message has to be displayed
2. Error messages should not reveal any sensitive information

TC_SECURITY_23

USER ERROR MESSAGES

Objective: To ensure that the application does not present user error messages to an attacker that could be used in an attack

Pre-req:
1. Latest version of the app is downloaded & installed on the device
2. WiFi/4G/3G/2G is turned ON on the test device
3. Valid user account is created with <Email Address> and <Password>

Test steps:
1. Tap to launch the app
2. Login to the app
3. Attempt to input invalid credentials or incorrect input into the required fields in Sign Up screen, Forgot/Reset Password screen, Login screen etc
4. Observe the error message displayed by the app/server

Expected Result:
1. The app should not display user error messages such as “User doesn’t exist”, “User correct, Password incorrect”, “Invalid username”, “Invalid password” or “Email address doesn’t exist”. These messages confirm which part of the credentials is wrong, which is a security vulnerability
2. The app has to display generic error messages
3. Error messages should not reveal any sensitive information
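TC_SECURITY_21 to TC_SECURITY_23 share one server-side pattern: detail goes to the log, the client gets a generic message, and login failures use identical wording whether the account exists or not. The added example below (not code from the original post) shows that pattern together with the substring check a tester can run over captured error text in step 4; the message wording, `leaks_detail` pattern, `fetch_profile` handler and user table are all constructed for this example.

```python
import hmac
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")

# Wording is constructed for this example; the point is that it is identical in every failure case.
GENERIC_LOGIN_ERROR = "The email address or password you entered is incorrect."
GENERIC_FAILURE = "Something went wrong. Please try again later. Reference: {ref}"

# Tell-tale fragments of verbose errors a tester looks for in step 4 of TC_SECURITY_21/22
LEAK_PATTERN = re.compile(r"Traceback|Exception|ORA-\d+|SQLSTATE|SELECT |/var/|line \d+", re.I)


def leaks_detail(message: str) -> bool:
    """True when a client-visible message carries stack-trace, SQL or file-path details."""
    return LEAK_PATTERN.search(message) is not None


def login_message(email: str, password: str, users: dict) -> str:
    """TC_SECURITY_23: same text whether the account is missing or the password is wrong.
    `users` maps email -> password (constructed; a real store holds salted hashes)."""
    stored = users.get(email)
    # compare against a dummy when the user is unknown so timing does not reveal existence
    candidate = stored if stored is not None else "\0" * 32
    ok = hmac.compare_digest(candidate.encode(), password.encode())
    return "ok" if stored is not None and ok else GENERIC_LOGIN_ERROR


def handle_request(handler, *args) -> dict:
    """TC_SECURITY_21/22: the stack trace goes to the server log under a reference id;
    the client gets a generic message that carries only that id for support follow-up."""
    try:
        return {"status": 200, "body": handler(*args)}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        return {"status": 500, "body": GENERIC_FAILURE.format(ref=ref)}


def fetch_profile(user_id: str) -> str:
    """Constructed handler that fails the way a broken database query would."""
    raise RuntimeError(f"ORA-00942: table or view does not exist (SELECT * FROM profiles WHERE id='{user_id}')")
```

The reference id is what lets support staff find the full trace in the server log without any of it reaching the screen.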