Robust Android Forgot Password Flows: A Practical Testing Guide
The "Forgot Password" functionality is a critical component of any Android application requiring user authentication. A flawed implementation directly impacts user experience, potentially leading to account lockouts, frustration, and lost business. This guide details how to thoroughly test these flows, ensuring reliability and security.
The High Stakes of Password Resets
Users expect a seamless and secure password recovery process. Failures here are not minor inconveniences; they can prevent legitimate users from accessing their accounts entirely. Common issues include:
- Email/SMS delivery failures: Codes or reset links never reach the user.
- Expired tokens/links: Security measures designed to limit exposure become obstacles.
- Incorrect validation: Malformed inputs bypass security or lead to dead ends.
- Session management flaws: Insecure handling of reset tokens or subsequent logins.
- Accessibility barriers: Users with disabilities may be unable to initiate or complete the reset.
Comprehensive Test Cases for Forgot Password
Beyond the obvious "happy path," a robust testing strategy requires exploring various failure points and user behaviors.
Happy Path Scenarios:
- Successful Email Reset:
- Enter a valid registered email address.
- Receive a password reset email.
- Click the reset link.
- Enter a new strong password.
- Confirm the new password.
- Successfully log in with the new password.
- Successful SMS Reset (if applicable):
- Enter a valid registered phone number.
- Receive an SMS with a reset code.
- Enter the reset code into the app.
- Enter and confirm a new strong password.
- Successfully log in with the new password.
Error Scenarios:
- Invalid Email/Phone Number:
- Enter an email address not registered with the app.
- Enter a phone number not registered.
- Verify appropriate error messages are displayed (e.g., "Email not found," "Phone number not registered").
- Malformed Email/Phone Number:
- Enter an email without "@" or domain (e.g., test@com).
- Enter an invalid phone number format (e.g., too few digits, non-numeric characters).
- Ensure input validation prevents submission or provides specific feedback.
- Expired Reset Link/Code:
- Initiate a reset, wait for the link/code to expire (check your backend configuration for expiry times).
- Attempt to use the expired link/code.
- Verify an appropriate error message (e.g., "This link has expired," "Invalid or expired code") and guidance on re-initiating the reset.
- Incorrect Password Confirmation:
- Enter a new password, then a different confirmation password.
- Verify the app prevents proceeding and prompts for matching passwords.
- Weak Password Attempt:
- Attempt to set a password that does not meet complexity requirements (e.g., too short, missing numbers/symbols).
- Ensure clear feedback on password policy is provided.
- Multiple Reset Requests:
- Request a reset, then immediately request another for the same email/phone.
- Verify that only the latest request is valid and the older one is invalidated (or that the user is informed about the latest request).
Edge Cases:
- Account Already Logged In:
- Initiate a password reset from a logged-out device.
- While the reset is pending, log into the same account on another device.
- Attempt to use the reset link/code. Observe behavior – it should ideally invalidate the reset for security.
- Special Characters in Email/Username:
- If your app supports special characters in usernames or emails, test their inclusion in the reset request.
- Case Sensitivity:
- Test if the email/phone number input is case-sensitive for lookup. Typically, email addresses are not, but it's worth verifying.
Accessibility Considerations:
- Screen Reader Compatibility:
- Navigate the entire forgot password flow using a screen reader (e.g., TalkBack).
- Ensure all labels, input fields, buttons, and error messages are clearly announced.
- Verify focus order is logical.
- Dynamic Type Support:
- Test the flow with significantly increased font sizes.
- Ensure text doesn't overlap or become truncated, breaking usability.
- Sufficient Color Contrast:
- Check that all text and interactive elements have adequate color contrast against their backgrounds, especially for error messages and input field states.
Manual Testing Approach
- Locate the Forgot Password Link: On the login screen, find and tap the "Forgot Password?" or similar link.
- Enter Identifier: Input your registered email address or phone number into the designated field.
- Submit Request: Tap the "Submit," "Send Reset Link," or equivalent button.
- Check Email/SMS: Access your email inbox or SMS messages. Locate the password reset message.
- Follow Link/Use Code:
- Link: Tap the provided link. This should open the app to a password reset screen.
- Code: Note the code, return to the app, and enter it into the verification screen.
- Set New Password: On the password reset screen, enter your new password. Ensure it meets complexity requirements.
- Confirm New Password: Re-enter the new password to confirm.
- Save Changes: Tap "Reset Password," "Save," or similar.
- Verify Login: Navigate back to the login screen and attempt to log in using your new password.
- Test Error Paths: Systematically repeat steps 1-9, substituting valid inputs with invalid ones, expired links/codes, or non-compliant passwords as per the test cases above.
Automated Testing Approach for Android
While manual testing is essential for exploring user journeys, automation is key for regression.
- Appium: For native Android apps, Appium is the de facto standard. It allows you to write tests in various programming languages (Java, Python, JavaScript) that interact with your app's UI elements.
Example (Conceptual Java with Appium):
// Assuming you have initialized your AndroidDriver (Appium Java client 8+, where
// MobileElement and the findElementBy* helpers were replaced by AppiumBy locators)
import io.appium.java_client.AppiumBy;
import io.appium.java_client.android.AndroidDriver;
import org.openqa.selenium.WebElement;

WebElement forgotPasswordLink = driver.findElement(AppiumBy.accessibilityId("forgot_password_button"));
forgotPasswordLink.click();
WebElement emailField = driver.findElement(AppiumBy.id("com.your.app:id/email_input"));
emailField.sendKeys("testuser@example.com");
WebElement submitButton = driver.findElement(AppiumBy.id("com.your.app:id/submit_reset_button"));
submitButton.click();
// ... (Assertions for email delivery or code entry would be more complex,
// often involving external services or mocked responses for true automation)
- Backend/API Testing: Crucially, the email/SMS sending and token validation logic resides on the backend. Unit and integration tests for these APIs are paramount. You can mock external email/SMS services for testing the app's interaction with them.
- JUnit XML Reports: For CI/CD integration, generating reports in JUnit XML format is standard. This allows CI systems to parse test results and report pass/fail status.
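The backend behaviour the test cases above exercise (expired link, a newer request invalidating the older one, single-use tokens, weak password rejection, case-insensitive lookup) together with the mocked email/SMS service mentioned under Backend/API Testing, as an added Python example that is not part of this guide or of SUSA. The service, FakeMailer and FakeClock are hypothetical and the user store is a constructed sample.

```python
import hashlib
import secrets
def token_hash(token):
    # Only a hash is stored server-side, so a leaked reset table cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()

class FakeMailer:
    """Hypothetical stand-in for the real email/SMS provider: records what would be sent."""
    def __init__(self):
        self.sent = []              # list of (recipient, token)
    def send(self, to, token):
        self.sent.append((to, token))

class FakeClock:
    """Controllable time source so a test can jump past the token TTL."""
    def __init__(self, now=1_000_000.0):
        self.now = now
    def __call__(self):
        return self.now

class PasswordResetService:
    def __init__(self, users, mailer, clock, ttl_seconds=900):
        self.users = users          # email -> current password (constructed sample store)
        self.mailer = mailer
        self.clock = clock
        self.ttl = ttl_seconds
        self.active = {}            # email -> {"hash", "expires", "used"}; one live token per account

    def request_reset(self, email):
        email = email.lower()       # lookup is case-insensitive ("Case Sensitivity" case)
        if email not in self.users:
            return "not_found"      # the UI maps this to its "Email not found" message
        token = secrets.token_urlsafe(32)
        # A newer request replaces the earlier token ("Multiple Reset Requests" case)
        self.active[email] = {"hash": token_hash(token), "expires": self.clock() + self.ttl, "used": False}
        self.mailer.send(email, token)
        return "sent"

    def complete_reset(self, email, token, new_password):
        rec = self.active.get(email.lower())
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return "expired_or_invalid"  # one generic answer for missing, used or expired tokens
        if not secrets.compare_digest(rec["hash"], token_hash(token)):
            return "expired_or_invalid"
        if len(new_password) < 12 or not any(c.isdigit() for c in new_password) or new_password.isalnum():
            return "weak_password"  # too short, no digit or no symbol ("Weak Password Attempt" case)
        rec["used"] = True          # single use: submitting the same token again fails
        self.users[email.lower()] = new_password
        return "ok"
```

The fake mailer lets a backend test read the token that would have gone out by email and replay each error scenario from the list above against the service directly, with no real mail delivery involved.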
SUSA's Autonomous Approach to Forgot Password Testing
SUSA (SUSATest) automates this entire process by treating your Android app as a black box. You simply upload your APK to susatest.com. SUSA's autonomous engine then explores your application without requiring any pre-written scripts.
How SUSA Tests Forgot Password:
- Autonomous Exploration: SUSA's engine navigates through your app, discovering the "Forgot Password" entry point. It uses its understanding of common UI patterns to locate it.
- Persona-Driven Testing: SUSA employs multiple user personas, each with unique interaction styles:
- Curious/Novice: Will attempt to enter invalid data, explore all buttons, and try different sequences. This is excellent for finding basic validation errors and unexpected UI states.
- Impatient: Will rush through steps, potentially leading to race conditions or issues with rapid input.
- Adversarial: Actively tries to break the system by entering malformed data, attempting to bypass security checks, or exploiting edge cases. This persona is critical for uncovering security vulnerabilities and unexpected crashes.
- Elderly/Accessibility: These personas simulate users who may have slower reaction times, use assistive technologies, or have difficulty with complex interfaces. SUSA checks for WCAG 2.1 AA compliance during this exploration, uncovering issues like poor contrast, non-semantic elements, and unreadable text at larger font sizes.
- Power User: Might try to find shortcuts or exploit known patterns.
- Issue Detection: During its autonomous exploration, SUSA identifies:
- Crashes and ANRs: If the app crashes or becomes unresponsive during any part of the reset flow.
- Dead Buttons: Interactive elements that appear clickable but do nothing.
- UX Friction: Steps that are confusing, require excessive input, or lead to dead ends.
- Accessibility Violations: Based on WCAG 2.1 AA standards, ensuring usability for all.
- Security Issues: While not a full penetration test, SUSA can detect common API security flaws or insecure data handling patterns.
- Flow Tracking & Verdicts: SUSA tracks the critical "Forgot Password" flow. It can provide a PASS/FAIL verdict based on whether the user can successfully initiate, complete, and verify the password reset process without encountering critical errors.
- Auto-Generated Regression Scripts: A key benefit of SUSA is that after its initial autonomous run, it auto-generates robust Appium (for Android) regression test scripts. These scripts capture the successful flows and common failure points identified, allowing you to integrate them into your CI/CD pipeline. This means your forgot password flow will be automatically re-tested with every build.
- CI/CD Integration: SUSA integrates seamlessly with CI/CD platforms like GitHub Actions. You can use the susatest-agent CLI tool (installed with pip install susatest-agent) to trigger SUSA runs directly from your pipeline, receiving results in JUnit XML format.
- Cross-Session Learning: With each run, SUSA learns more about your application. If a particular reset flow was problematic in one run, SUSA will revisit and test it more rigorously in subsequent runs, getting smarter about your specific app's behavior.
By combining manual exploration, targeted test case design, and the power of SUSA's autonomous testing, you can build confidence