Manage Learn to apply best practices and optimize your operations.

Mobile testing: Three vulnerable areas to test

Mobile access to the internet is growing rapidly making it imperative that companies test primary concern areas to ensure quality. Key vulnerabilities to test for on mobile devices are SSL, HTML-rich Web pages and outbound operations, says an expert.

Karen Johnson
Karen Johnson
What are some of the first checkpoints to assess how a website looks and functions on a mobile device? Here are three areas to start: SSL pages, HTML-heavily formatted pages and "outbound operations," a term I'll explain.

How will you know if your website has an issue with the page or the area you're checking? Sometimes when I'm testing on a mobile device, I pull up a web browser on a PC at the same time I'm navigating a mobile device to see if the issue is particular to testing on a device or if the site itself is encountering an issue. This parallel checking is helpful and sometimes can save time as I test a web page on both a PC and a mobile device at the same time. Other times, I test two or more mobile devices at the same time for a basis of comparison.

Secure Socket Layer (SSL)
Navigate to and check pages that use SSL. Login pages and other pages that may require a secure connection are good places to test on a mobile device to make sure that a secure page can be loaded. I mention navigating to a secure page (versus directly accessing a secure page) to test not just the secure page itself but to check a device as it "flips" or rotates back and forth from SSL to non-SSL pages. Does the navigation of your website and the mobile device work smoothly as secure pages are loaded?

If you're able to set a phone to prompt on accessing secure pages, change the device settings to make the transition or access to secure pages more obvious. Some devices prompt the user before loading a secure page so it might be worthwhile to test responding both "yes" and "no" to continue to a secure page. How does your application handle the login process when the user presses "no" to load a secure page? It's possible to find a device that doesn't recognize your site's secure certificate or cannot handle SSL pages even after the user presses "yes" to access in secure mode. Lower-end devices seem to be more problematic than newer or smart devices – but this is a general observation not a proven statement – so you'll need to test to know.

HTML-heavy pages
HTML heavily-formatted web pages sometimes do not render well on mobile devices and some html tags encounter issues on mobile phones even when the pages look just fine on a PC web browser. I've found numbered lists sometimes do not number, leaving a list of items all numbered as the first item in the list. Bulleted and indented lists may appear fine on a PC web browser but are sometimes misaligned on a mobile device or indented so heavily that the page and the bulleted list are no longer effective. BR or break tags are tags I've seen "break" on a mobile device leaving an ugly HTML error or the page may not load at all.

The O'Reilly book "Mobile design and Development" by Brian Fling is a good resource on identifying CSS and HTML tags most vulnerable on mobile devices. For testing, I both created pages and built a list of pages based on surveying our website ahead of testing and then used those identified pages to begin testing.

In addition to HTML-heavy pages, try pages with graphics or links. Small graphic files such as WVM files that include a small movie with audio embedded on web pages and pages with links to other sites are good pages to test. It depends on the types of pages your website has – some or none of these may be a concern. Survey through your website on a PC browser and build a list of pages to start with.

Outbound operations
Outbound operations – it's a term I've coined (I'm not aware of anyone else's use of the term). What I'm referring to is functionality your website offers that requires some activity outside of the site itself. Examples: forgotten password, email this page to someone, reference this page to another site such as Google Reader – anywhere your site needs to make outside connections or an API call -– these are operations that may be vulnerable or flat out not work on a mobile device or at least not work without intentional design and development. It's a different way to think about your application to find those few operations that extend past your website's immediate functionality.

The way I built this test list was to visually walk back through a website and identify those unique activities. I then bounced those ideas off the developers who were already rapidly becoming aware of functionality that wasn't going to work well on mobile. In paired sessions, we found remaining operations together and ended up with a final list of distinct features that were intentionally disabled from mobile use.

For a jumpstart into mobile, see Julian Harty's book "A Practical Guide to Testing Wireless Smartphone Applications." For a lean book, it's packed with ideas and offers a good introduction to mobile testing.

If you feel overwhelmed by mobile testing, realize that your existing knowledge of a website is helpful background as you plan your testing.

Karen N. Johnson is an independent software test consultant. She views software testing as an intellectual challenge and believes in the context-driven school of testing. She has 14 years' experience in software testing and software test management. She is a frequent speaker at software testing conferences and is an active participant in several software testing workshops. She's published articles in software testing publications as well. For more information about Karen, visit

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.