CompTIA Mobile App Security+ Certification Exam (Android Edition) v6.0 (ADR-001)

Page:    1 / 7   
Total 102 questions

Failing to declare a class final can enable which of the following attacks on a developer's code?

  • A. Session hijacking via compromised session cookies
  • B. Decompilation of java class files (including those in APK files), revealing sensitive data
  • C. Attacker can use data injection (e.g., SQL injection, Cross-site scripting) to corrupt data in the application or the DOM
  • D. Attacker can potentially extend a class and define new methods that access sensitive data from inside the scope of the class

Answer : D

Which of the following describes a process by which one party confirms the identity of another party?

  • A. Authentication
  • B. Integrity verification
  • C. Diffie-Hellman key exchange
  • D. Handshake protocol

Answer : A

What level of security is provided by placing sensitive methods and data inside their own Java package?

  • A. High security, as only approved Java classes and methods inside the package can access the package's data and methods
  • B. Minimal security, as any Java file can declare itself as part of the same package, and thus have access to that package's data and methods
  • C. Medium security, as it depends on whether the sensitive methods and data are declared public vs. private
  • D. Minimal security unless all the methods are declared final

Answer : B

What is meant by a one-way function?

  • A. The input cannot be calculated from the output.
  • B. The function can only have an integer input.
  • C. The function can only be called from the parent class.
  • D. The function has no inputs, only outputs.

Answer : A

An architectural review is BEST for finding which of the following security defects?

  • A. Malware infection vectors
  • B. SQL or other injection flaws
  • C. Design flaws
  • D. Zero-day vulnerabilities

Answer : C

Fine grained permission control for Content Providers can be achieved with:

  • A. android:ReadWritePermission.
  • B. android:ContentPermissions.
  • C. android:ProviderPermission.
  • D. android:grantUriPermissions.

Answer : D

A one-time pad is considered cryptographically secure; which are two ways it can be broken? (Select TWO).

  • A. By not having an accurate clock with the pad
  • B. If the repeated use of one pad occurs
  • C. By losing one of the complete pads
  • D. If too much randomness is used in the pad generation
  • E. If XOR is used to apply the one-time pad

Answer : B,C

Which of the following must be done on a typical Android project to enable reverse engineering countermeasures provided with the standard Android SDK?

  • A. Ensure that a ProGuard configuration file exists and add a proguard.config statement to the project's property file that references the location of the configuration file.
  • B. Enable Bouncer using the Eclipse Bouncer plugin.
  • C. Create a dump.txt file that describes the internal structure of the application in question and point the Dalvik VM startup properties to the file.
  • D. Add a custom property to the Android Manifest.

Answer : A

Which of the following methodologies is BEST for a developer to find input validation weaknesses in their own mobile app source code?

  • A. Disassembly of mobile app executable
  • B. Threat modeling
  • C. Fuzz testing an app’s attack surface
  • D. Single stepping an app through a debugger

Answer : C

What are two advantages to using OAuth as the authentication method for an Android application to access a web application or service? (Select TWO).

  • A. OAuth integrates seamlessly into a mobile application, never requiring the user to interact with the web application or service in question
  • B. OAuth only maintains long and complex passwords for users of the Android application so the users do not have to remember them.
  • C. The application does not need to ever know the user’s login credentials.
  • D. In the event the device running the application is lost or stolen, the OAuth credentials issued to it can be revoked by the application's server.
  • E. OAuth enables both ends of an SSL tunnel to authenticate each other.

Answer : C,D

Which of the following must be protected in a symmetric encryption system?

  • A. The cipher text
  • B. The key
  • C. The algorithm
  • D. The initialization vector

Answer : B

Why should a developer add a ‘salt’ to a password?

  • A. To make the password easier to process.
  • B. To make it harder to look up in a pre-computed table.
  • C. To allow the password to be hashed.
  • D. To enable reversible encryption.

Answer : B

How does HTTP Digest Authentication work?

  • A. A wrapping envelope is constructed including the message body, the client's SSL certificate, and a master secret value, and sent to the server.
  • B. A one-time use token (nonce) is generated by the server and sent to the client, where it is then returned on each subsequent request.
  • C. A digital signature is computed on the entire message body using the client's private key and subsequently included along with the request for all future communications.
  • D. A one-time use token (nonce) is generated by the server and sent to the client, where it is then used in a computation of a hash involving the username, password, nonce, and some other values.

Answer : D

Which of the following is fundamental to MOST transport layer encryption implementations?

  • A. Device passcode
  • B. Obfuscation
  • C. HTTPS
  • D. Keychain

Answer : C

Which of the following are widely considered appropriate uses of reverse engineering? (Select TWO).

  • A. Malware analysis
  • B. Enabling software features
  • C. Cracking
  • D. Software interoperability
  • E. Creating cloned products

Answer : A,D
