Versions Compared

Old Version 5

changes.mady.by.user Diarmid Mackenzie

Saved on

compared with

New Version Current

changes.mady.by.user Diarmid Mackenzie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

My expectation is that each item flagged below will become the responsibility of a single tester (with support from others as they need it).

To make a fast start on tracking this, I have created a Trello board here - contact Diarmid for accessyou should be able to access via this link:
https://trello.com/invite/b/Qe0eioYq/2545baab562e045ff0035b1f3c9bdea5/path-check-mvp1
(but reach out to Diarmid on Slack if any issues with access).

Trello card
urlhttps://trello.com/b/Qe0eioYq/path-check-mvp1

...

Secure Data Store - Android - INCOMPLETE

TO DO: Complete this testing
TO DO: Any regression testing needed, given there has been a lot of change since testing was done.regression testing and submit to privacy-security repo for review

MVP4: Clarify limitations via copy

...

MVP10: Designate Privacy Policy in Settings

Testing needed:

  • IN PROGRESSCOMPLETE: Basic end-to-end test: specify Privacy Policy - see PLACES-350

  • TO DO: Stress test Safe Places problematic scenarios

  • TO DO: Stress test Mobile App problematic scenarios

...

This is an expansive line-item covering a wide range of Safe Places functionWill ask Adam L-S to articulate the full set of testing needed here.

  • Exploratory testing of the UI

  • Boundary testing of the fields

MVP12: Manually Enter Points as a Contact Tracer

...

  • IN PROGRESS: Basic end-to-end testing of manually entered points leading to a match on the mobile device if & only if they match a time/place where that device was.

  • DONE: Scale test with 14 days of data

  • TO DO: Exploration of the UI for problematic scenarios for the UI

  • TO DO: Exploration of the UI for problematic scenarios for the system - e.g. large volume of data points, hard-to-handle data points etc.

  • TO DO: Security considerations: what are the risks for a user with these access privileges?Adam - anything to add?

  • TO DO: Functional test of 1 data item, multiple data items, and verifying the right data items actually are transmitted through the flow

MVP14: Configure Retention Policy

...

  • DONE: Test user interface

  • TO DO: Test actual deletion of data when retention period expires

  • TO DO: Stress test - e.g. massive volumes of data, failure cases etc.

  • BLOCKER: Need a way to populate N days of synthetic historical data, for testing of data discard without huge elapsed time test cycles.Adam - anything to add?


MVP15: Publisher Tool

  • DONE: Basic end-to-end flow: publish data, confirm that it can be retrieved and trigger exposue notifications

  • FAILS: Test that data outside a jurisdictions GPS bounds is not published.

  • TO DO: Scale test. Test publishing large numbers of cases, and large cases.

  • TO DO: Robustness test. What failures can occur during the publishing process? Do we handle them gracefully?

  • TO DO: Security considerations: what are the risks for a user with these access privileges?

  • BLOCKER: Need a way to populate large volumes of case data, for large-scale publishing test cases.

  • Adam - anything to add?

MVP16: Secure transmission of location data

  • DONE: Basic end-to-end test where a user shares location data with

  • FAIL: Security testing of endpoints

  • TO DO: Testing with a full 2-week data set from an end-user.

  • TO DO: Testing on both Android & iOS

  • TO DO: Robustness - what happens in common error scenarios? Are they handled well from user & CT perspective (mis-types error code, network not available, mobile data switched off etc.)

  • TO DO: Test server disacard of data without a suitable authentication code, including doing so at scale (i.e. a high volume of requests).

  • TO DO: Test case where an attacker does manage to guess an authentication code - both CT & infected user experience.

  • BLOCKER: Ability to put 2 weeks of location data on a phone, to allow a push of 2 weeks of location data.

  • BLOCKER: Tooling to generate a large volume of requests with invalid authentication codes.Adam - anything to add?


MVP17: Scalability

  • TO DO: Test all different dimensions of scalability of infection data for a single HD: number of pages, size of each page.

  • TO DO: Test scale with multiple HDs (all at max supported scale)

  • TO DO: Test intersections with a full 2 weeks of data on the phone.

  • TO DO: Test scalability on a range of different phones, including very low-end phones

  • TO DO: Test scalability on both Android & iOS

  • BLOCKER: Ability to create 2 weeks of historical data on a phone’s location DB (since re-installing the app loses all location data)

...

  • IN PROGRESS: Scan all app screens with Google Accessibil

  • TO DO: Scan all app screens with Apple Accessibility Inspector

  • TO DO: Accessibility Expert to assess Mobile app on iOS and Android against A and AA WCAG 2.1

Safe Places

  • Adam - can you fill this in?FAIL: Run Odin Axe extension on all pages to check for issues

Privacy

  • TO DO: Assess the product agains all Privacy Unit Tests, with explicit testing of the product where appropriate.

  • What else? For discussion with Adam.

...

  • TO DO: Static Analysis of latest app builds on iOS and Android using ImmuniWeb

  • FAIL: Static Analysis of latest webapp build using ImmuniWeb

  • TO DO: Dynamic Testing of Mobile Apps by Immuniweb or other.

  • DESCOPED: TO DO: Dynamic Testing of Safe Places by Immuniweb or other.

  • TO DO: Documented Threat Model for the entire GPS ecosystem, with all risks & threats identified, logged in Jira, and assessed.

  • TO DO: Fuzz testing of any interfaces exposed to the Internet - e.g. data upload UI. Don’t assume that the 6 digit access code will protect us, as

  • What else? To discuss with Adam…

...