Mobile Platform Security MCQ 60 Tests With Answers (2026)

Mobile Platform Security Models MCQ practice questions help you prepare for competitive exams, certifications (CompTIA Security+, CISSP, CEH), and technical interviews. This set provides 60 curated practice questions covering the iOS and Android security architecture, from Linux UID sandboxing and SELinux policy to the Secure Enclave, ARM TrustZone, and hardware-backed key storage.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering sandboxing fundamentals, permissions, and security boundaries), Concepts (covering iOS Secure Enclave, Android TEE, KeyStore/Keychain, code signing, and ASLR), and Advanced (covering Verified Boot, hardware-backed keys, eBPF runtime, and Android Binder IPC). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA Security+ or MASVS assessment conditions. The interactive engine tracks your progress and identifies knowledge gaps across iOS security, Android architecture, TEE, secure boot, and app signing.
Contents
- 1. Basics (20 Questions): Sandboxing · permissions · user space vs. kernel space · security boundary
- 2. Concepts (20 Questions): iOS Secure Enclave · Android TEE · KeyStore/Keychain · code signing · ASLR
- 3. Advanced (20 Questions): Verified Boot · hardware-backed keys · eBPF runtime · Android Binder IPC
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Mobile Platform Security Models: Basics
1. How does the Android operating system fundamentally enforce its Application Sandbox?
Answer C: By assigning a unique Linux User ID (UID) and Group ID (GID) to each installed application
Android's sandbox is a direct extension of the Linux DAC model. Each installed app receives its own UID/GID at install time and its private data directory is owned by that UID, so the kernel isolates processes and files between apps automatically: no app can read another's private data without an explicit IPC contract. The one exception is android:sharedUserId, which lets apps signed with the same certificate share a UID (and therefore a sandbox); it has been deprecated since Android 10 precisely because it collapses that boundary.
2. What is the primary purpose of the iOS "Secure Boot" chain?
Answer B: To ensure that each component of the boot process is cryptographically signed and trusted by Apple before executing
The iOS secure boot chain is a chain of trust anchored in the immutable Boot ROM burned into the SoC at manufacture. Each stage (Boot ROM, then LLB on older SoCs, iBoot, and the kernel) verifies the Apple signature on the next stage before handing off control. If any verification fails, the device does not continue booting; it drops into recovery or DFU mode instead.
3. In the Android security model, what is the role of "Install-Time" permissions?
Answer A: They are granted automatically upon installation because they pose very little risk to user privacy (e.g., internet access)
Install-time (normal) permissions such as INTERNET or VIBRATE are granted automatically at install because they carry minimal privacy risk; they never show a runtime dialog. Dangerous permissions (CAMERA, ACCESS_FINE_LOCATION, READ_CONTACTS and similar) must instead be requested at runtime, while the user is interacting with the feature, and can be revoked later in Settings.
4. Which of the following statements is true regarding application signing on the Android platform?
Answer D: Every APK must be digitally signed by the developer before it can be installed on a device
Every Android APK must be signed with the developer's private key before it can be installed. The platform does not require a CA-issued certificate (self-signed certificates are the norm), so the signature does not prove who the developer is; what it proves is that the APK was not modified after signing, and because updates must be signed with the same key (or a key rotated to it under APK Signature Scheme v3) it binds every update to the original developer.
5. In iOS architecture, what are "Entitlements"?
Answer B: Key-value pairs embedded in an app's signature that explicitly grant it specific restricted capabilities (e.g., Push Notifications)
Entitlements are a plist dictionary embedded in the Mach-O binary's code signature, so they cannot be edited without invalidating the signature. The kernel and system daemons check them at runtime: an app cannot use iCloud, push notifications, or a shared Keychain access group unless the matching entitlement is present in its signature, and the provisioning profile limits which entitlements a given signature may carry.
6. What is the "Secure Enclave" in the iOS security model?
Answer C: A dedicated, isolated coprocessor within the Apple SoC responsible for handling cryptographic operations and biometric data
The Secure Enclave Processor (SEP) is an isolated coprocessor with its own Boot ROM, encrypted memory, and operating system (sepOS). It stores and matches Touch ID / Face ID templates, generates keys, and manages the Data Protection class keys; raw key material never leaves it, and the application processor can only ask it to perform operations.
7. What is a Trusted Execution Environment (TEE) in modern mobile platforms?
Answer D: A secure, hardware-isolated area of the main processor that ensures sensitive data is stored, processed, and protected in a trusted environment
On Android devices the TEE is usually built on ARM TrustZone, which splits the SoC into a Normal World running Android and a Secure World running a small TEE OS (Trusty, QSEE, and others). Trusted applications (TAs) in the Secure World handle key management, biometrics, and DRM and stay isolated from the rich OS even if the Android kernel is fully compromised, although the TEE is itself software with its own attack surface. Apple fills the same role with the Secure Enclave, a separate coprocessor rather than a TrustZone world on the main CPU.
8. What fundamental security control is deliberately disabled when an iOS device is "Jailbroken"?
Answer B: Mandatory Code Signing enforcement
iOS requires every executable to be signed by Apple or by a developer to whom Apple has issued a certificate. A jailbreak chains a kernel exploit to obtain kernel memory access (a kernel task port, commonly called tfp0) and then patches or bypasses AMFI (Apple Mobile File Integrity), the component that enforces the signature check, so unsigned binaries such as third-party package-manager payloads can run.
9. Android utilizes SELinux to enforce which type of access control model?
Answer C: Mandatory Access Control (MAC)
SELinux enforces Mandatory Access Control using a policy that init loads into the kernel at boot. Unlike DAC, where file owners set permissions, the policy is written centrally by the platform and the device vendor; a compromised process, even one running as UID 0, stays confined to its SELinux domain and cannot load a replacement policy, so a root exploit in one domain does not automatically reach the rest of the system.
10. Why does iOS severely restrict Just-In-Time (JIT) compilation for third-party applications?
Answer A: To enforce the W^X (Write XOR Execute) memory protection policy, preventing malware from writing executable code into memory at runtime
iOS enforces W^X (Write XOR Execute): a memory page can be writable or executable, never both at once. A JIT must write machine code and then execute it, which W^X forbids, so third-party apps cannot JIT. Only Apple's own WebKit content process (the engine behind Safari) holds the private dynamic-codesigning entitlement that permits it; the com.apple.security.cs.allow-jit entitlement sometimes cited here belongs to the macOS hardened runtime, not to iOS.
11. What is the fundamental advantage of File-Based Encryption (FBE) over legacy Full-Disk Encryption (FDE) on Android?
Answer C: FBE allows different files to be encrypted with different keys, enabling features like Direct Boot before the device is unlocked
FBE (Android 7.0 and later, required for devices launching with Android 10) keys directories with different keys in two storage classes: Device Encrypted (DE) storage, available as soon as the device boots, and Credential Encrypted (CE) storage, available only after the user enters the lock-screen credential. That split enables Direct Boot, so alarms and incoming calls work before the first unlock, which single-key FDE could not support.
12. In the context of mobile platform security, what is a "Sandbox"?
Answer D: A tightly controlled, isolated environment that restricts an application's access to system resources and other applications' data
On Android, sandboxing combines per-app Linux UIDs, DAC file permissions, and SELinux MAC. On iOS it is enforced by the Sandbox kernel extension ("Seatbelt"), built on the TrustedBSD MAC framework, using a per-app profile. Either way, a process can reach only its own data container, the resources its permissions grant, and IPC endpoints that are explicitly exposed to it.
13. What is the primary function of Android's Play Integrity API (formerly SafetyNet)?
Answer A: To provide a cryptographic attestation to backend servers verifying that the device environment is genuine, unrooted, and not compromised
The Play Integrity API returns a signed and encrypted token that the app forwards to its backend. The backend decodes it (through Google's server API or with keys Google provisions to it) and reads the verdicts: deviceIntegrity (MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY), appIntegrity (whether this is the Play-distributed build signed with the expected certificate) and accountDetails. A failing verdict lets the backend refuse sensitive operations such as transfers or DRM content. The check must happen server-side, with the request hash or nonce bound to the specific transaction and the token's timestamp checked for freshness; otherwise a token captured on a clean device can simply be replayed.
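The server-side half of that flow, as an added example that is not part of the original quiz and not Google's code: it assumes the backend has already decoded the token (through Google's decodeIntegrityToken endpoint or locally provisioned decryption keys) and applies the checks to the decoded verdict. The package name, certificate digest, and both verdict payloads are constructed placeholders, not real Play Integrity output.

```python
"""Server-side checks on a decoded Play Integrity verdict (added example, stdlib only).
Assumes the token was already decoded; EXPECTED_* values and both payloads are constructed."""
import hashlib
import hmac

EXPECTED_PACKAGE = "com.example.bank"                               # assumed app id
EXPECTED_CERT_DIGESTS = {"c0ffee_base64url_digest_of_release_cert"}  # constructed placeholder
MAX_TOKEN_AGE_MS = 5 * 60 * 1000
NOW_MS = 1_760_000_000_000                                           # fixed clock for the demo


def request_hash_for(action: str, session_id: str, amount: str) -> str:
    """Value the client must pass as the request hash, binding the verdict to one transaction."""
    return hashlib.sha256(f"{action}|{session_id}|{amount}".encode()).hexdigest()


def validate(payload: dict, expected_hash: str, now_ms: int = NOW_MS, strong: bool = False) -> list:
    """Return the list of reasons to reject; an empty list means the verdict is acceptable."""
    problems = []
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        problems.append("requestPackageName is not our app")
    presented = req.get("requestHash") or req.get("nonce") or ""  # Standard API vs Classic API
    if not hmac.compare_digest(presented, expected_hash):
        problems.append("request hash does not match this transaction (replayed token?)")
    ts = int(req.get("timestampMillis", 0))
    if not (now_ms - MAX_TOKEN_AGE_MS <= ts <= now_ms + 60_000):
        problems.append("token timestamp outside the acceptance window")
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        problems.append(f"app verdict {app.get('appRecognitionVerdict')}: not the Play-distributed build")
    if app.get("packageName") != EXPECTED_PACKAGE:
        problems.append("appIntegrity.packageName mismatch")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", [])):
        problems.append("signing certificate is not ours (repackaged app?)")
    verdicts = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in verdicts:
        problems.append(f"device lacks {needed} (got {sorted(verdicts) or 'none'})")
    if payload.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        problems.append("app not licensed to this account")
    return problems


GOOD_HASH = request_hash_for("transfer", "sess-42", "250.00")

GENUINE = {  # constructed: what a healthy verdict for this transaction looks like
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "requestHash": GOOD_HASH,
                       "timestampMillis": str(NOW_MS - 3_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["c0ffee_base64url_digest_of_release_cert"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                                                     "MEETS_STRONG_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

REPLAYED_WEAK_DEVICE = {  # constructed: a two-hour-old verdict for another transfer, from a device that only meets basic integrity
    "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                       "requestHash": request_hash_for("transfer", "sess-41", "1.00"),
                       "timestampMillis": str(NOW_MS - 2 * 60 * 60 * 1000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": EXPECTED_PACKAGE,
                     "certificateSha256Digest": ["c0ffee_base64url_digest_of_release_cert"]},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}


def demo() -> dict:
    return {"genuine": validate(GENUINE, GOOD_HASH),
            "replayed_weak_device": validate(REPLAYED_WEAK_DEVICE, GOOD_HASH),
            "genuine_strong_only": validate(GENUINE, GOOD_HASH, strong=True)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else problems)
```

The replayed verdict fails three independent checks (wrong request hash, stale timestamp, no MEETS_DEVICE_INTEGRITY), which is the point: a backend that only looks at the device verdict string accepts it. Whether to demand MEETS_STRONG_INTEGRITY (hardware-backed attestation) or just MEETS_DEVICE_INTEGRITY is a product decision; the strong bar excludes a large share of otherwise healthy devices.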
14. Unlike Android, the iOS security model heavily relies on a "Walled Garden" approach. What does this mean?
Answer B: Apple maintains strict, centralized control over app distribution, reviewing and cryptographically approving all software before it reaches the user
Every App Store app must pass Apple's App Review and is signed for distribution by Apple. This centralized gate, combined with the mandatory code signing that the kernel enforces, means unsigned or unapproved code does not run on a non-jailbroken device, in contrast to Android, where the user can enable installation from unknown sources.
15. What is "Google Play Protect" within the Android ecosystem?
Answer C: A built-in, cloud-backed malware defense system that continuously scans installed Android apps for malicious behavior
Google Play Protect ships with Google Play services and scans every installed APK, sideloaded ones included, on the device and against Google's cloud classification of known and newly seen apps. It warns about or disables apps it classifies as harmful. It is a detection control rather than an isolation boundary, and it is absent on devices that do not run Google Play services.
16. How does setting a device passcode conceptually protect the data on a modern mobile device?
Answer C: The passcode is cryptographically entangled with a hardware key to derive the actual keys used to decrypt the file system
On both platforms the passcode itself is never stored. It is stretched with a slow key derivation function and entangled with a key that exists only in secure hardware: on iOS the Secure Enclave tangles the passcode with the device's UID key, and on Android the credential is verified and stretched through Gatekeeper or Weaver inside the TEE or Secure Element. The result unwraps the storage encryption keys, so neither the passcode without the hardware nor the hardware without the passcode can decrypt the data. Because the hardware key cannot be extracted, guesses have to be made on the device at the rate the secure hardware allows, and the escalating delays and wipe-after-N-attempts policies are enforced there as well.
17. How does the concept of "Sideloading" differ between standard Android and iOS security models?
Answer B: Android natively allows users to toggle a setting to install apps from unknown sources; iOS strictly prohibits sideloading without developer certificates or MDM profiles
Android exposes an "Install unknown apps" setting, granted per installing source since Android 8, so sideloading is straightforward. iOS ties consumer devices to App Store distribution; the legitimate alternatives are developer signing (free Apple IDs get 7-day signatures and a cap of a few apps per device), TestFlight, and enterprise in-house distribution or MDM-managed deployment, each of which still relies on an Apple-issued certificate and a provisioning profile.
18. When a user authenticates via Face ID or Touch ID on iOS, what is actually transmitted to the operating system?
Answer C: A simple "Yes" or "No" cryptographic token from the Secure Enclave confirming a match
The Secure Enclave stores the biometric templates in its own encrypted memory and performs the match itself; the sensor data reaches it over an encrypted channel. The application processor and the iOS kernel never see the template or the raw sensor data. On a match the SEP releases the keys it was holding for that authentication (for example, by unwrapping the Data Protection class keys) and signals success; on failure it releases nothing, so biometric data stays private even against a kernel-level attacker.
19. What is the iOS Keychain primarily used for?
Answer B: Securely storing small, sensitive pieces of data like passwords, cryptographic keys, and certificates
The iOS Keychain is an encrypted SQLite database protected by Data Protection class keys, rooted in the Secure Enclave. Each item carries an accessibility attribute (for example kSecAttrAccessibleWhenUnlockedThisDeviceOnly) and optionally an access control list that requires Face ID, Touch ID, or the passcode before use, which makes it the right place for tokens, private keys, and credentials rather than UserDefaults or plain files. One caveat: Keychain items persist after the app is deleted, so credentials that must not survive a reinstall have to be removed explicitly (for instance on first launch).
20. What is the Android equivalent to the iOS Keychain for securely generating and storing cryptographic keys?
Answer A: The Android Keystore system
The Android Keystore system lets apps generate and use keys that are backed by the TEE or, on devices that have one, a discrete Secure Element (StrongBox). Key material is non-exportable: every operation runs inside the secure hardware, so even a fully compromised kernel cannot read the raw key bytes, only ask the hardware to use them. Key Attestation lets a server verify that a key really lives in hardware, because the attestation certificate chain states the key's security level and properties.
Mobile Platform Security Models: Concepts
1. In the Android security model, how is Inter-Process Communication (IPC) primarily managed and secured?
Answer D: By utilizing the "Binder" framework, which facilitates message passing and inherently identifies the PID and UID of the calling process
Binder (/dev/binder) is Android's kernel IPC driver. The kernel stamps every transaction with the calling process's UID and PID, which the receiving side reads through Binder.getCallingUid() and Binder.getCallingPid(); because the kernel supplies these values, the caller cannot forge them. System services build their access control on this, typically via checkCallingPermission() or enforceCallingPermission(). A classic bug is calling Binder.clearCallingIdentity() and only then performing the check, at which point the service is checking its own identity rather than the caller's.
2. Which iOS Data Protection API class ensures that a file is completely inaccessible while the device is locked, securely clearing the decryption key from RAM?
Answer B: NSFileProtectionComplete
With NSFileProtectionComplete (Class A) the per-file key is wrapped with the Class A key, which in turn is protected by a key derived from the hardware UID and the user's passcode. Shortly after the device locks, the Class A key is discarded from memory, so the file is cryptographically inaccessible until the passcode is entered again. This is the strongest Data Protection level; the others are CompleteUnlessOpen (Class B, files already open stay usable), CompleteUntilFirstUserAuthentication (Class C, the default, whose keys stay in memory from the first unlock until reboot), and None (Class D).
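To make the key hierarchy behind this answer (and behind question 16 in the Basics set) concrete, here is an added toy model that is not part of the original quiz and is not Apple's code. It uses HMAC in place of the SEP's UID-key tangling and an XOR stream in place of AES key wrapping, keeps only two classes (A and C), and uses a small PBKDF2 iteration count; everything else (the class key purged on lock, the per-file key wrapped by a class key, a wrong passcode releasing nothing) follows the structure the explanation describes.

```python
"""Toy model of the iOS Data Protection key hierarchy (added example, stdlib only).

Constructed for illustration: HMAC "entangling" and XOR "wrapping" stand in for the
UID-key tangling and AES key wrapping that the Secure Enclave actually performs.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 20_000  # real devices calibrate this to roughly 80 ms per guess inside the SEP


def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    blocks = (kdf(key, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def passcode_key(passcode: str, salt: bytes, uid_key: bytes) -> bytes:
    """Stretch the passcode, then entangle it with the per-device UID key.
    Without uid_key this cannot be evaluated, which is why guesses must be made
    on the device at the SEP's pace rather than offline against a flash image."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)
    return kdf(uid_key, stretched)


class Device:
    # "A" = NSFileProtectionComplete, "C" = NSFileProtectionCompleteUntilFirstUserAuthentication
    CLASSES = ("A", "C")

    def __init__(self, passcode: str):
        self.uid_key = secrets.token_bytes(32)  # fused into the SoC, never readable by the AP
        self.salt = secrets.token_bytes(16)
        pk = passcode_key(passcode, self.salt, self.uid_key)
        self.wrapped = {}  # class -> (nonce, wrapped class key, check tag); this is what sits on flash
        for cls in self.CLASSES:
            class_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
            self.wrapped[cls] = (nonce, xor(class_key, kdf(pk, nonce)), kdf(class_key, b"check"))
        self.files = {}
        self.keys = {}  # class keys currently unwrapped in memory
        self.unlock(passcode)

    def reboot(self) -> None:
        self.keys.clear()  # nothing is readable until the first unlock

    def unlock(self, passcode: str) -> bool:
        pk = passcode_key(passcode, self.salt, self.uid_key)
        unwrapped = {}
        for cls, (nonce, wrapped, tag) in self.wrapped.items():
            class_key = xor(wrapped, kdf(pk, nonce))
            if not hmac.compare_digest(kdf(class_key, b"check"), tag):
                return False  # wrong passcode: release nothing
            unwrapped[cls] = class_key
        self.keys.update(unwrapped)
        return True

    def lock(self) -> None:
        self.keys.pop("A", None)  # Class A key purged; Class C stays until reboot

    def write(self, name: str, data: bytes, cls: str = "C") -> None:
        if cls not in self.keys:
            raise PermissionError(f"class {cls} key not available")
        file_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        wrapped_fk = xor(file_key, kdf(self.keys[cls], nonce))  # per-file key wrapped by the class key
        self.files[name] = (cls, nonce, wrapped_fk, xor(data, keystream(file_key, len(data))))

    def read(self, name: str) -> bytes:
        cls, nonce, wrapped_fk, ciphertext = self.files[name]
        if cls not in self.keys:
            raise PermissionError(f"class {cls} key not available")
        file_key = xor(wrapped_fk, kdf(self.keys[cls], nonce))
        return xor(ciphertext, keystream(file_key, len(ciphertext)))


def _try_read(d: Device, name: str):
    try:
        return d.read(name)
    except PermissionError:
        return "inaccessible"


def demo() -> dict:
    """Walk a device through lock, reboot and a wrong passcode; report what was readable when."""
    d = Device("1234")
    d.write("token.bin", b"session-token", cls="A")
    d.write("alarm.db", b"07:00", cls="C")
    out = {}
    d.lock()
    out["C_while_locked"] = _try_read(d, "alarm.db")
    out["A_while_locked"] = _try_read(d, "token.bin")
    d.reboot()
    out["C_after_reboot"] = _try_read(d, "alarm.db")
    out["wrong_passcode"] = d.unlock("0000")
    out["right_passcode"] = d.unlock("1234")
    out["A_after_unlock"] = _try_read(d, "token.bin")
    return out


if __name__ == "__main__":
    for event, result in demo().items():
        print(f"{event:16} {result}")
```

Read token.bin (Class A) and alarm.db (Class C) after lock() and after reboot(): Class C survives a lock but not a reboot, Class A survives neither, and a wrong passcode unwraps nothing. The same DE/CE split underlies Android's file-based encryption. An attacker who copies the wrapped keys off flash still cannot test guesses, because passcode_key needs uid_key; on a real device the SEP additionally enforces the escalating delays.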
3. How does Android's "Intent" mechanism introduce a potential security boundary risk?
Answer A: If an Intent is "Exported" without strict permission checks, malicious third-party apps can invoke sensitive components or intercept data payloads
An Activity, Service, BroadcastReceiver, or ContentProvider with android:exported="true" and no android:permission can be invoked by any app on the device. Attackers use this to fire Intents that trigger sensitive actions (opening a payment screen with attacker-chosen extras, for instance), to query an unprotected provider, or to register a receiver for broadcasts that were never protected with a permission. Before Android 12 a component with an <intent-filter> was exported by default unless android:exported="false" was set; since Android 12 the attribute must be explicit or the install fails, which removes the accidental case but not the deliberate one.
4. The iOS sandbox relies on a kernel-level MAC framework known as:
Answer C: Seatbelt
"Seatbelt" is the name of the Sandbox kernel extension that iOS inherited from macOS; it is a policy module on the TrustedBSD MAC framework (MACF), with sandboxd as its user-space helper. Each app runs under a compiled sandbox profile that defines which file paths, Mach services, IOKit classes, network operations, and syscalls the process may use; anything outside the profile is denied in the kernel.
5. In Android's Verified Boot (AVB) architecture, what does a "Yellow" boot state signify?
Answer B: The device has booted an alternative operating system signed with a custom, user-provided key
Android Verified Boot defines four states: GREEN (bootloader locked, image verified against the OEM key), YELLOW (bootloader locked, image verified against a user-enrolled custom key; the boot warning shows that key's fingerprint), ORANGE (bootloader unlocked, verification not enforced), and RED (verification failed; the device refuses to boot or boots only into a restricted mode). YELLOW is what lets a custom ROM keep boot integrity: the build is still verified, just against a key the owner chose. The state is exposed to software through the ro.boot.verifiedbootstate property, and hardware key attestation reports it, so a backend can tell GREEN from YELLOW or ORANGE.
6. How does the iOS main processor communicate securely with the Secure Enclave Processor (SEP)?
Answer D: Through an isolated, interrupt-driven shared memory "mailbox" system
The application processor (AP) and the SEP exchange messages through a hardware mailbox: the AP posts a request (for example "match this biometric" or "unwrap this class key") and is interrupted when the SEP has posted its reply, with a shared memory region used for larger payloads. The SEP's own memory is encrypted and authenticated with keys only it holds, so the AP can request operations but can never read the SEP's internal state or key material, whatever privileges an AP-side attacker has.
7. In Android, the standard Linux UID/GID system provides Discretionary Access Control (DAC). What layer provides the Mandatory Access Control (MAC) to prevent root exploits from bypassing DAC?
Answer B: SELinux
SELinux (Security-Enhanced Linux) assigns a security context to every process and file. It arrived in Android 4.3 in permissive mode, became enforcing for a few core domains in 4.4, and has been fully enforcing since Android 5.0. Even if an attacker gains root (UID 0), the process remains in its original domain and can touch only what the policy allows that domain, which sharply limits post-exploitation movement: a root shell that is still confined to an app domain cannot read another app's data or load a kernel module.
8. What is a "Signature" level permission in Android?
Answer A: A highly privileged permission only granted if the requesting app is signed with the exact same developer certificate as the app declaring the permission
A permission declared with android:protectionLevel="signature" is granted automatically, without any user prompt, only to apps signed with the same certificate as the app that declared it; any other app's request is silently refused. It is the standard way to restrict an exported component to a family of apps from one publisher. (The older signatureOrSystem level, now written signature|privileged, additionally admits privileged system apps and is what platform components use.)
9. What is the purpose of Apple's FairPlay DRM within the iOS security model?
Answer B: To encrypt the application binary at rest, requiring the OS to decrypt pages on the fly during execution, hindering static reverse engineering
Apps downloaded from the App Store have their executable segments encrypted with FairPlay, tied to the purchasing Apple ID. The kernel decrypts code pages as they are paged in for execution, so the binary on disk cannot be disassembled directly. This is an obfuscation layer, not a security boundary: on a jailbroken device the decrypted image can be dumped from the running process, which is the routine first step of an iOS app assessment.
10. What mechanism in Android allows developers to declare custom certificate trust anchors or mandate HTTPS without modifying the application's Java/Kotlin code?
Answer C: The Network Security Configuration XML file
The Network Security Configuration (res/xml/network_security_config.xml, referenced from the manifest via android:networkSecurityConfig) declaratively controls cleartext traffic globally or per domain, pins certificates with an expiry date and backup pins, and sets trust anchors, including user-added CAs for debug builds only via <debug-overrides>. Keeping transport policy out of code makes it reviewable in a diff and adjustable without touching app logic. It governs connections made through the platform TLS stack; native libraries that bundle their own TLS implementation are not covered by it.
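A static check for the two misconfigurations this set covers (exported components without a permission, question 3 above, and a weak Network Security Configuration, this question), as an added example that is not part of the original quiz and not an official Android tool. It uses only the Python standard library; the manifest, package names, domain, and pin values are constructed for the demonstration, and the hardened configuration shows the corrected settings beside the weak ones.

```python
"""Static audit of AndroidManifest.xml and network_security_config.xml (added example, stdlib only).
The XML below is constructed to show typical findings; package, domain and pin values are made up."""
import xml.etree.ElementTree as ET
from datetime import date

A = "{http://schemas.android.com/apk/res/android}"  # namespace of the android: attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pay">
  <permission android:name="com.example.pay.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".CheckoutActivity" android:exported="true"/>
    <receiver android:name=".OtpReceiver"><intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.pay.INTERNAL"/>
    <provider android:name=".CardProvider" android:authorities="com.example.pay.cards" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2024-06-30"><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
  </domain-config>
</network-security-config>"""

HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-06-30"><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin><pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin></pin-set>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="user"/></trust-anchors></debug-overrides>
</network-security-config>"""


def audit_manifest(xml_text: str) -> list:
    """Flag components that any other app on the device can invoke."""
    root = ET.fromstring(xml_text)
    # custom permissions at protectionLevel signature (or signature|privileged) are real guards
    strong = {p.get(A + "name") for p in root.iter("permission")
              if "signature" in (p.get(A + "protectionLevel") or "normal")}
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS:
            continue
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        if exported is None:
            if comp.find("intent-filter") is None:
                continue  # no attribute and no filter: not exported
            findings.append(f"{comp.tag} {name}: <intent-filter> without android:exported "
                            "(implicitly exported before Android 12, install error on 12+)")
            exported = "true"
        if exported != "true":
            continue
        perm = comp.get(A + "permission")
        if comp.tag == "provider" and perm is None:  # providers may split read/write guards
            perm = comp.get(A + "readPermission") and comp.get(A + "writePermission")
        if perm is None:
            findings.append(f"{comp.tag} {name}: exported with no permission, any app can reach it")
        elif perm not in strong:
            findings.append(f"{comp.tag} {name}: guarded by {perm}, confirm it is signature-level")
    return findings


def audit_nsc(xml_text: str, today: date) -> list:
    """Flag transport-security settings that weaken TLS for the whole app or for a domain."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append("base-config: cleartext HTTP allowed to every host")
        if any(c.get("src") == "user" for c in base.iter("certificates")):
            findings.append("base-config: user-added CAs trusted in release builds (move to <debug-overrides>)")
    for dc in root.iter("domain-config"):
        domains = ", ".join(d.text for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{domains}: cleartext HTTP allowed")
        pin_set = dc.find("pin-set")
        if pin_set is not None:
            expiry = pin_set.get("expiration")
            if expiry and date.fromisoformat(expiry) <= today:
                findings.append(f"{domains}: pin-set expired {expiry}, Android silently stops pinning")
            if len(pin_set.findall("pin")) < 2:
                findings.append(f"{domains}: single pin with no backup, a key rotation breaks the app")
    return findings


def run_audit(today: date = date(2026, 1, 1)) -> dict:
    return {"manifest": audit_manifest(MANIFEST),
            "weak_nsc": audit_nsc(WEAK_NSC, today),
            "hardened_nsc": audit_nsc(HARDENED_NSC, today)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"{section}: {len(items)} finding(s)", *("  - " + i for i in items), sep="\n")
```

audit_manifest flags the activity and provider that are exported with no permission and the receiver that has an intent-filter but no explicit android:exported (implicitly exported before Android 12 and unguarded); the service guarded by a signature permission and the non-exported activity pass. audit_nsc flags cleartext, user CAs trusted in release, an expired pin-set (Android disables pinning after the expiration date rather than failing closed) and the missing backup pin; the hardened configuration yields no findings. Pinning is a transport control only: on a rooted device with an instrumentation tool hooking the trust manager it does nothing, so treat it as defence in depth, not as an anti-tamper measure.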
11. Address Space Layout Randomization (ASLR) is a critical security feature on both platforms. What does it do?
Answer B: It randomizes the memory locations of application executables, libraries, and the heap, making buffer overflow and ROP exploits drastically harder
ASLR maps the executable (when built as position-independent code), stack, heap, and shared libraries at random virtual addresses each time a process starts, so exploits that depend on fixed addresses fail. An attacker then needs an information-disclosure bug to leak an address before a ROP chain can be built, which turns one bug into a requirement for two. ASLR is probabilistic and a single leak undoes it, which is why it is layered with W^X, stack canaries, and, on recent Apple silicon, pointer authentication.
12. What is the primary security goal of "Scoped Storage" introduced in modern Android versions?
Answer A: To restrict apps to only reading and writing files within their own isolated app-specific directories, heavily limiting broad read access to the entire external shared storage
Introduced in Android 10 and enforced for all apps targeting Android 11 or later, Scoped Storage ends the model in which a single READ_EXTERNAL_STORAGE grant exposed every file on shared storage. An app can freely use its own app-specific external directory and the media it created through MediaStore; reaching other apps' files or arbitrary user documents requires the Storage Access Framework (a user-driven picker) or the narrower media permissions introduced in Android 13. A malicious app with "storage" access can therefore no longer harvest another app's exported data or the user's documents wholesale.
IncorrectA: To restrict apps to only reading and writing files within their own isolated app-specific directories, heavily limiting broad read access to the entire external shared storage
Introduced in Android 10 and fully enforced in Android 11+, Scoped Storage removes the broad READ_EXTERNAL_STORAGE permission for most use cases. Apps can only directly access their own external app-specific directories and files they created via MediaStore β they must use the Storage Access Framework to access arbitrary user files.
13. In the iOS enterprise distribution model, what file dictates which devices are authorized to run a specific internal application?
Answer C: The Provisioning Profile
A Provisioning Profile is a plist signed by Apple that binds together a set of device UDIDs (or a wildcard), an App ID, an entitlements set, and a developer or distribution certificate. The device checks this profile at launch; if the UDID or certificate chain isn't listed, the app refuses to run.
14. Why is a Hardware-Backed Keystore considered significantly more secure than a Software-Based Keystore?
Answer B: The cryptographic keys are generated and used entirely within the isolated TEE/SE, meaning even a compromised kernel cannot extract the raw key material
In a software keystore, keys reside in process or kernel memory and are vulnerable to extraction via memory dumps if root is obtained. Hardware-backed keys are generated inside the TEE (or StrongBox SE), and all cryptographic operations happen inside the secure hardware; the key material's bits never cross into the normal world as plaintext.
15. What is "Rollback Protection" in the context of mobile secure boot architectures?
Answer C: A hardware-enforced mechanism that prevents an attacker from downgrading the OS to an older, vulnerable version to exploit patched flaws
Both Android (via anti-rollback counters in the TEE) and iOS (via fusing non-volatile counters in hardware) record the minimum OS version that may be booted. If an attacker attempts to restore a signed-but-older firmware containing a patched vulnerability, the bootloader consults the hardware counter and refuses to proceed.
16. Where is the mathematical matching process for Face ID actually executed on an iPhone?
Answer D: Entirely inside the isolated Secure Enclave Processor (SEP)
The TrueDepth camera sends infrared dot-pattern data to the SEP via a direct, isolated interface, not through the AP. The SEP converts this into a mathematical representation and compares it against the enrolled template, also stored in SEP-encrypted memory. The AP only learns the binary pass/fail result.
17. In Android, what is the distinction between "Normal" and "Dangerous" permissions?
Answer A: Dangerous permissions (like Camera or Location) require explicit runtime consent from the user, while Normal permissions (like Internet access) are granted at install time
Android groups permissions by protection level. 'Normal' permissions (e.g., INTERNET, VIBRATE) are auto-granted at install; they offer low privacy risk. 'Dangerous' permissions (e.g., READ_CONTACTS, ACCESS_FINE_LOCATION, CAMERA) require an explicit runtime dialog (Android 6.0+) where the user grants or denies the request in-context.
18. ARM TrustZone is the foundational hardware architecture for many mobile security models. How does it operate?
Answer B: It physically divides the processor into a "Secure World" for trusted operations and a "Normal World" for the rich operating system
ARM TrustZone introduces a hardware security bit (NS bit) on the CPU bus. When clear, the CPU runs in "Secure World", accessible to the TEE OS and Trusted Applications (TAs). When set, it's in "Normal World" (Android/iOS). The Secure Monitor, running at EL3, manages context switches between worlds via Secure Monitor Calls (SMC).
19. How does iOS handle dynamic library injection via environment variables (like DYLD_INSERT_LIBRARIES) for third-party apps?
Answer C: It aggressively strips or ignores these variables for signed binaries to prevent malicious code hooking
When DYLD (the iOS dynamic linker) loads a process that is restricted (has a code signature and no get-task-allow entitlement), it ignores DYLD_INSERT_LIBRARIES and all other DYLD_ environment variables. This prevents the classic LD_PRELOAD-style attack. On jailbroken devices, this restriction is patched, enabling tools like Cydia Substrate and Frida.
20. In Android, what component is heavily utilized to securely share specific database records across application boundaries without granting broad file permissions?
Answer B: Content Providers utilizing temporary URI permissions
Content Providers expose structured data via content:// URIs. Using grantUriPermission() or FLAG_GRANT_READ_URI_PERMISSION, an app can share a specific URI with another app for the duration of a task (e.g., allowing a photo editor to access one image from a gallery app) without granting broad file-system read access.
Mobile Platform Security Models: Advanced
1. How does Apple's PAC (Pointer Authentication Codes) hardware feature mitigate advanced kernel exploitation?
Answer C: By signing code pointers with a cryptographic hash before placing them in memory, validating the signature before execution to thwart Return-Oriented Programming (ROP)
ARM v8.3-A PAC uses spare bits in 64-bit pointers to embed a HMAC-like signature (PAC) derived from the pointer value, its context, and a secret hardware key. A blr x0 instruction first validates the PAC; if the pointer was forged or corrupted (as in a ROP chain), the validation faults, aborting the exploit before gaining control.
2. In modern Android, how is the attack surface of the kernel reduced when applications attempt to execute system calls?
Answer B: By applying seccomp-bpf filters that restrict the specific syscalls a sandboxed application is permitted to invoke
Android's Zygote-spawned app processes have a seccomp-bpf filter installed that creates an allowlist of permitted Linux syscalls. If a sandboxed process attempts any syscall outside its allowlist (which an exploit might need, e.g., ptrace or keyctl), the kernel delivers a SIGSYS signal, terminating the process before exploitation proceeds.
3. What is the purpose of the KTRR (Kernel Text Read-Only Region) mitigation in iOS?
Answer C: To use hardware features to lock the kernel's executable code pages, preventing attackers from modifying the kernel even if they achieve arbitrary write primitives
KTRR, introduced on Apple's A10 chip, uses MMU region registers to hardware-lock the kernel's __TEXT and __CONST segments as read-only after boot. Even an attacker with kernel write primitives (from a tfp0 exploit) cannot patch the kernel text; a write attempt causes a hardware exception, impeding persistent kernel modifications.
4. What does Control Flow Integrity (CFI) achieve in the Android platform compilation process?
Answer D: It embeds checks into compiled binaries to ensure the execution path follows a predetermined, valid control-flow graph, mitigating code-reuse attacks
LLVM CFI, enforced in Android system components (since Android 9) and the kernel (since Android 10), inserts runtime checks before indirect calls and virtual dispatch. The check validates that the target address is within the set of legal call destinations. ROP/JOP gadget chains that redirect control flow to arbitrary addresses fail this check and trap.
5. In advanced iOS exploitation, gaining control of the tfp0 (task for pid 0) port effectively grants an attacker what capability?
Answer D: The ability to arbitrarily read and write to the kernel memory space, completely compromising the operating system
In macOS/iOS Mach, pid 0 is the kernel task. Obtaining a send right to the kernel task port (task_for_pid(0)) grants the holder mach_vm_read() and mach_vm_write() primitives over the entire kernel address space. This is the crown jewel of iOS kernel exploits and is the building block of virtually every modern jailbreak.
6. What security benefit did the "Project Treble" architecture bring to the Android ecosystem?
Answer B: It heavily isolated the vendor-specific Hardware Abstraction Layers (HALs) from the Android OS framework, preventing bugs in proprietary drivers from directly compromising the core OS
Pre-Treble, OEM HALs ran as monolithic libraries inside the mediaserver/system_server processes, meaning a camera HAL bug could compromise the entire system. Post-Treble (Android 8+), each HAL runs as an isolated process in its own SELinux domain with minimal permissions; a vulnerability in a vendor HAL is now contained to that narrow domain.
7. In the ARM TrustZone architecture, how does the Normal World (Android) request services from the Secure World (TEE)?
Answer A: By executing a Secure Monitor Call (SMC) instruction, triggering a context switch managed by the Secure Monitor
The SMC (Secure Monitor Call) instruction drops the CPU to EL3 (Secure Monitor), which saves Normal World state, switches the NS bit to 0 (Secure World), and transfers execution to the TEE OS. The TEE processes the request (e.g., key unwrapping) and returns results to the Normal World without exposing secure memory directly.
8. Which iOS kernel extension is directly responsible for enforcing the code signing requirements by validating the cryptographic signature of memory pages before they are executed?
Answer C: Apple Mobile File Integrity (AMFI)
AMFI (amfi.kext) is the in-kernel component of iOS code signing enforcement. It works alongside a userland daemon (amfid) to validate the Code Directory hash chain for every binary before pages are made executable. AMFI is the first target that jailbreaks must patch or bypass to allow unsigned code to run.
9. What specifically designates an Android Keystore implementation as a "StrongBox" keystore?
Answer D: It is backed by a physically separate, tamper-resistant secure element (SE) with its own CPU, memory, and secure storage, distinct from the main SoC's TEE
StrongBox (Android 9+, KeyProperties.SECURITY_LEVEL_STRONGBOX) requires a discrete, tamper-resistant Secure Element chip, not just a TrustZone TEE, which shares silicon with the main SoC. The SE has its own CPU and flash storage and is physically separate, meaning key material is isolated from even a fully-compromised TEE.
10. The iOS Secure Enclave runs its own isolated operating system. What is the fundamental root of trust for the Secure Enclave?
Answer B: An immutable, read-only Boot ROM fabricated directly into the SEP silicon during manufacturing
Like the main AP's Boot ROM, the SEP has its own on-chip ROM that cannot be altered post-fabrication. This Boot ROM verifies the sepOS firmware signature before executing it, forming an independent trust anchor. If sepOS is compromised, the Boot ROM will halt; it cannot be patched by software running on the main processor.
11. Android 10 introduced eXecute-Only Memory (XOM) for core system components. What exploitation technique does this primarily defend against?
Answer A: Just-In-Time (JIT) code reuse attacks, by preventing attackers from reading memory pages to find ROP gadgets
XOM marks executable memory pages as non-readable. ROP/JOP attacks require the attacker to first read .text segments to discover gadget addresses and byte patterns. With XOM, any attempt to read an execute-only page causes a segmentation fault, forcing attackers to rely on information disclosure side-channels, greatly increasing exploit complexity.
12. What is the iOS Page Protection Layer (PPL) designed to defend against?
Answer C: Attackers modifying userland page tables to bypass code signing, even if they have already achieved kernel read/write capabilities
PPL (introduced with A12 on iOS 12) runs at a higher privilege level than the XNU kernel (ppl_handler routines run in PPL mode, not kernel mode). It is the sole component allowed to modify page table entries controlling execute permissions. Even an attacker with full kernel r/w cannot directly re-map pages as executable; they must compromise PPL itself, a much harder target.
13. How do Android APEX modules enhance platform security?
Answer B: They provide a secure mechanism to update lower-level, unprivileged system libraries and components natively, bypassing the need for full OEM firmware updates
APEX (Android Pony EXpress), introduced in Android 10 via Project Mainline, packages low-level system components (e.g., libcrypto, DNS resolver, Media codecs) as signed, updatable modules. Google can push security patches to these components via the Play Store without requiring a full OEM/carrier firmware update cycle, drastically reducing patch propagation time.
14. In recent iOS versions, Apple introduced a heavily sandboxed, isolated environment specifically designed to parse untrusted, incoming iMessage data before it reaches the main OS. What is this architecture called?
Answer C: BlastDoor
BlastDoor (introduced in iOS 14 following Project Zero's FORCEDENTRY research) is a sandboxed service that pre-processes all incoming iMessage content (parsing attachments, decoding data structures) before any results reach the main SpringBoard process. It runs with extremely limited syscalls (seccomp) and no network access, neutralizing parsing-based zero-click exploits.
15. In Android File-Based Encryption (FBE), what is the difference between Credential Encrypted (CE) and Device Encrypted (DE) storage?
Answer C: CE storage requires the user's passcode to decrypt; DE storage is unlocked during Direct Boot before the user enters their passcode
DE (Device Encrypted) keys are derived from hardware secrets alone, making DE files accessible immediately after a reboot in Direct Boot mode (e.g., alarm clock data). CE (Credential Encrypted) keys are derived from both hardware secrets and the user's passcode; CE files remain locked until first unlock (AFU), holding more sensitive user data like emails and photos.
16. In iOS, how do sandboxed userland applications communicate with higher-privileged system daemons?
Answer D: Through the XPC (XNU Inter-Process Communication) framework, which enforces strict entitlement checks on the caller
XPC is Apple's IPC framework built on Mach messages and libdispatch. System daemons validate the calling process's entitlements (e.g., com.apple.security.network.client) before servicing requests. XPC connections are brokered by launchd with privilege separation; apps cannot directly call privileged APIs and must ask daemons with appropriate entitlements to act on their behalf.
17. During the Android boot sequence, how does the init process securely transition services into their appropriate SELinux contexts?
Answer B: By looking up the target domains mapped in the file_contexts and service_contexts policies
The init process reads compiled policy files (file_contexts, service_contexts, property_contexts) built into the vendor and system partitions. When forking a service, init calls setcon() to transition the new process into its declared SELinux domain, ensuring each service starts with least-privilege MAC labels, never inheriting init's own context.
18. When a developer uses the iOS LocalAuthentication framework (e.g., LAContext), what does the framework fundamentally return to the application?
Answer B: A boolean true/false indicating whether the biometric evaluation was successful, entirely abstracting the underlying biometric data
LAContext.evaluatePolicy() is a deliberately thin API. It returns only a success/failure boolean (and an NSError on failure). The actual biometric template, match score, and hardware operations all occur inside the SEP, completely opaque to the calling application and the iOS kernel. This abstraction is why local biometric bypass via Frida hooks the boolean return value.
19. Which cutting-edge hardware security feature, implemented in newer ARMv9 Android devices, uses small tags to monitor memory allocations and detect spatial memory safety violations (like buffer overflows) in real-time?
Answer A: Memory Tagging Extension (MTE)
ARM MTE (ARMv8.5-A) assigns a 4-bit color tag to every 16-byte granule of memory at allocation. Pointers to that allocation store the matching tag in their upper bits. On every load/store, the CPU hardware checks that the pointer tag matches the memory granule tag; a mismatch (indicating OOB access) triggers a fault, detecting heap overflows and use-after-free with near-zero overhead.
20. When the iOS kernel validates an application's signature via AMFI, how does it ensure the integrity of the executable as it is paged into memory piece by piece?
Answer D: It uses a Code Directory (CD) structure embedded in the signature, which contains an array of cryptographic hashes for every page of the executable
A Mach-O code signature contains a Code Directory, a list of SHA-256 hashes, one per 4 KB page of the binary. When the VM system pages in a code page, XNU's pager calls AMFI to verify the page's hash against the pre-validated Code Directory. Any tampered or injected page fails the hash check and the process is killed, providing continuous, lazy integrity verification.
Conclusion: Mobile Security Through Architectural Design
Mobile platform security models (iOS, Android) are fundamentally different from desktop OS security because mobile devices face unique threats: ambient network access, physical loss/theft, and direct user control. These 60 MCQs cover sandbox isolation, permission models, enterprise MDM controls, and threat mitigation through attestation and containerization.
iOS and Android take different philosophical approaches: iOS is centralized and vertically integrated; Android is open and fragmented. Both use sandboxing and least privilege, but ecosystem fragmentation in Android creates longer security patch deployment times and greater vulnerability exposure.
Master mobile security by revisiting missed questions, understanding how MDM and containerization enable BYOD, and staying current with mobile platform security advisories (Google Android Security & Privacy Year in Review, Apple Security Updates).
Key Takeaways: Mobile Platform Security Models
- Sandbox Isolation is Fundamental: Each app runs in isolated memory space; cannot access other apps' data or OS files. Sandbox escape is the most severe mobile vulnerability.
- iOS vs. Android: iOS = closed, code review, mandatory updates, fast patches; Android = open, sideloading, fragmented updates, slower patch deployment. iOS generally more secure due to centralization.
- Least Privilege Permissions: Apps request only minimum permissions needed; users can deny. Users should deny unnecessary permissions (flashlight requesting contacts = suspicious).
- MDM Controls Enable BYOD: Mobile Device Management remotely enforces encryption, password policies, app whitelisting, device wipe, and network isolation. Critical for protecting corporate data on personal devices.
- Jailbreaking/Rooting Breaks Security: Removes sandbox protections, disables security checks, allows malware to run as root. Enterprise policies require device attestation (no jailbreak/root).
- Containerization Separates Personal & Corporate: Encrypted container on same device partitions data: personal apps on one side, corporate apps/data in isolated container. Enables BYOD with data protection.
- Attestation Proves Device Security: Cryptographic proof device meets security requirements (authentic OS, security patches current, not jailbroken). Enterprises use attestation before granting sensitive data access.
- Privilege Escalation is Critical in Severity: Kernel/OS vulnerabilities allow breaking out of sandbox (CVE-2022-42619, Stagefright, MediaTek flaws). Regular OS updates are essential; delay = exposure.
- Fragmentation Makes Android Vulnerable: Many manufacturers delay/skip security patches for older devices. iOS's forced, unified updates mean all active devices patch faster.
Quick Review & Summary
Use this table to consolidate mobile platform security concepts before or after attempting the questions above.
| Mobile Security Concept | Purpose | Implementation / Trade-offs |
|---|---|---|
| Sandbox Isolation | Prevent inter-app data access | Each app = isolated memory space; limited file system access; enforced by OS kernel |
| iOS Security Model | Centralized, secure by default | Closed source, app store vetting, mandatory updates, fast patch deployment, limited customization |
| Android Security Model | Open, flexible platform | Open source, sideloading, fragmented updates, slower patches, more customization, more security incidents |
| Least Privilege Permissions | Limit app access to sensitive data | iOS & Android: user-granted runtime permissions; users should deny unnecessary permissions |
| Mobile Device Management (MDM) | Enforce security policies remotely | Remote device wipe, password enforcement, app whitelisting, network isolation, encryption requirements |
| Containerization | Separate personal & corporate data | Encrypted partition on same device; corporate apps cannot access personal apps; enables BYOD |
| Device Attestation | Verify device meets security requirements | Cryptographic proof: authentic OS, patches current, not jailbroken; required for enterprise data access |
| Jailbreaking / Rooting | Gain root-level system access | Breaks sandbox; disables security checks; violates MDM; incompatible with enterprise policies |
| Privilege Escalation Vulnerability | Attack that breaks sandbox | Kernel/OS vulnerabilities (CVE-2022-42619, Stagefright, MediaTek flaws); allows malware to run as root |
| Patch Management | Fix security vulnerabilities quickly | iOS: forced, unified updates across all devices; Android: fragmented, delayed by manufacturers |
Frequently Asked Questions
Q. What are the main differences between iOS (Apple) and Android security models?
Q. What is a sandbox in mobile security and how does it protect users?
Q. What is the principle of Least Privilege in mobile platform security?
Q. What is enterprise mobile device management (MDM) and what security controls does it provide?
Q. What is a privilege escalation attack on mobile and how does it occur?
Q. What is jailbreaking/rooting and what security risks does it introduce?
Q. What is containerization on mobile and how does it separate personal and corporate data?
Q. What is attestation in mobile security and why is it important for enterprise adoption?
Struggling with some questions? Re-read the full Theory Guide: Mobile Platform Security Models