Mobile Security MCQs: 60 Practice Questions & Answers (2026)

Mobile Security MCQ practice questions are essential for preparing for competitive exams, certifications (CompTIA Security+, PenTest+), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering mobile OS security models, threat vectors, and defensive strategies.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology and core definitions), Concepts (covering intermediate protocols, threat mechanics, and architectural trade-offs), and Advanced (covering scenario-based analysis, advanced compliance, and enterprise architectures). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA exam or university testing conditions. The interactive engine tracks your progress and identifies knowledge gaps across iOS security, Android architecture, MDM systems, and OWASP Mobile risks.
Contents
- 1. Basics (20 Questions): rooting & jailbreaking · app store vetting · permission model · MDM vs. MAM · basic threats
- 2. Concepts (20 Questions): app sandboxing · iOS Keychain vs. Android Keystore · Binder IPC · Universal & App Links · tapjacking
- 3. Advanced (20 Questions): Frida hooks · cert pinning bypass · SafetyNet & Play Integrity · biometrics & Secure Enclave
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Mobile Security: Basics
1. What does "rooting" an Android device mean?
Answer: B. Gaining privileged, administrative access to the operating system
Rooting gives the user (or an attacker) superuser privileges (UID 0) on Android, stepping outside the per-app sandbox and permission model and gaining full control over the system partition, other apps' data and processes, and the hardware. On current devices it normally means unlocking the bootloader and flashing a patched boot image, which also defeats Verified Boot, so apps that handle sensitive data usually treat a rooted device as untrusted.
2. What is the equivalent of "rooting" in the iOS ecosystem?
Answer: C. Jailbreaking
Jailbreaking exploits vulnerabilities in iOS (usually a chain that ends in the kernel) to disable Apple's code-signing enforcement and sandbox restrictions, so unsigned software can run with root privileges. It is the iOS counterpart of Android rooting.
3. What is the primary purpose of the Application Sandbox in mobile operating systems?
Answer: B. To strictly isolate applications from each other and the core operating system
On Android every app runs under its own Linux UID with a private data directory, with SELinux policy layered on top; iOS runs all apps as the same user but confines each one to its own container under a kernel-enforced sandbox profile. In both cases an app cannot read another app's data or touch protected OS resources unless it holds the relevant permission or entitlement, and cross-app communication goes through mediated IPC (Binder on Android, XPC and URL schemes on iOS) rather than shared files.
4. What is the main security risk of "Sideloading" mobile applications?
Answer: A. It bypasses official app store security reviews and malware scans
Sideloading installs an APK or IPA from outside the official store, so the app never went through the store's pre-publication review (Google Play's policy and malware review, Apple's App Review). On Android devices with Google services, Play Protect still scans sideloaded apps on-device, but that is a reactive detection layer rather than a review and it can be turned off; on iOS, sideloading has historically relied on developer or enterprise certificates, which attackers have abused to distribute malware outside the App Store. Enterprises usually block unknown sources through MDM policy.
5. What does the acronym "MDM" stand for in enterprise mobile security?
Answer: D. Mobile Device Management
MDM (Mobile Device Management) is an enterprise solution that lets IT administrators remotely enroll, configure, enforce policies on (passcode strength, encryption, allowed apps), and wipe corporate mobile devices.
6. Which biometric authentication system is native to modern Apple iOS devices?
Answer: C. Face ID / Touch ID
Apple's Face ID (3D facial recognition) and Touch ID (fingerprint) are the native biometric mechanisms on modern iOS devices. Biometric templates are encrypted, stored and matched inside the Secure Enclave; they never leave it and are not sent to Apple or included in backups.
7. What is the OWASP Mobile Top 10?
Answer: B. A standardized awareness document listing the most critical security risks for mobile applications
The OWASP Mobile Top 10 is an industry-standard awareness document published by OWASP that identifies the ten most critical security risks facing mobile applications and guides developers and testers. The current edition is the 2024 list (M1 Improper Credential Usage through M10 Insufficient Cryptography).
8. In mobile security, what does the term "Smishing" refer to?
Answer: D. A phishing attack carried out via SMS text messaging
Smishing (SMS + phishing) delivers fraudulent messages over SMS to lure victims into clicking malicious links or disclosing credentials: a mobile-specific social engineering vector that bypasses e-mail filtering entirely.
9. What is an APK file?
Answer: A. The standard executable installation package format for Android applications
An APK (Android Package, often expanded as Android Package Kit) is a ZIP archive containing the compiled DEX bytecode (classes.dex), resources, the binary AndroidManifest.xml, native libraries, and the APK signature (v1 in META-INF, v2/v3 in the APK Signing Block). Because it is just a ZIP, it can be unpacked and decompiled for analysis.
10. What is an IPA file?
Answer: D. The standard application archive file format used to install apps on iOS devices
An IPA (iOS App Store Package) is a ZIP archive whose Payload/ directory holds the .app bundle: the signed Mach-O binary, resources, Info.plist and the embedded provisioning profile. It can be installed through Xcode, a developer- or enterprise-signing workflow such as AltStore, or an MDM solution.
11. What does the term "Permissions" refer to in the context of mobile applications?
Answer: A. The explicitly granted access rights an app has to device hardware or sensitive data (e.g., camera, contacts)
Permissions gate an app's access to sensitive resources such as the camera, microphone, location, or contacts. On Android they are declared in AndroidManifest.xml and the dangerous ones are granted by the user at runtime; on iOS the app declares usage-description strings in Info.plist (for example NSCameraUsageDescription) and the system prompts the user on first access. In both models the user must grant access explicitly and can revoke it later.
12. What is the primary security purpose of a mobile device PIN, passcode, or biometric lock?
Answer: B. To encrypt the device's storage and prevent unauthorized physical access
The passcode does more than lock the screen: on Android the lock-screen credential unlocks the Credential Encrypted storage keys of File-Based Encryption, and on iOS Data Protection entangles the passcode with the device's hardware UID key. In both cases the passcode protects the data-at-rest keys rather than being the key itself, the key derivation happens inside the TEE or Secure Enclave, and that hardware rate-limits guesses, so data extracted from a lost device stays unreadable.
13. Which of the following is a common symptom that a mobile device may be infected with malware?
Answer: C. Unexplained spikes in battery drain and cellular data usage
Mobile malware often runs background processes (C2 beaconing, crypto-mining, data exfiltration) that cause abnormal battery drain and unexplained data usage. These are only heuristics; confirmation comes from reviewing installed packages, running services, granted permissions (especially accessibility and overlay), and network connections.
14. In iOS architecture, what hardware component is specifically designed to securely store cryptographic keys and biometric data?
Answer: A. The Secure Enclave
The Secure Enclave is a dedicated coprocessor on Apple silicon (A7 and later, and M-series chips) with its own boot ROM and encrypted memory. It holds the device UID key, performs key derivation and biometric matching, and enforces passcode guess limits in an environment isolated from the application processor.
15. What is the modern Android equivalent to the iOS Secure Enclave for hardware-backed security?
Answer: A. Titan M chip / Trusted Execution Environment (TEE)
Google's Titan M security chip (Pixel devices) and ARM TrustZone-based TEE implementations on other Android hardware provide isolated, hardware-backed key storage, key attestation, and Verified Boot support. Apps reach this hardware through the Android Keystore; on devices with a discrete secure element the StrongBox Keymaster backend offers the strongest isolation.
16. Why does connecting a mobile device to public, open Wi-Fi pose a significant security risk?
Answer: A. Unencrypted traffic can be easily intercepted via Man-in-the-Middle (MitM) attacks
On open or rogue public Wi-Fi, an attacker on the same network can use ARP spoofing or an evil-twin access point to position themselves as a MitM and read or modify any unprotected HTTP traffic. Properly validated TLS protects app traffic even then; the residual risk is apps that permit cleartext, disable certificate validation, or trust user-installed CAs.
17. What is a "screen overlay" or "tapjacking" attack on Android?
Answer: D. A malicious app drawing an invisible window over a legitimate app to trick the user into tapping unintended buttons
Tapjacking abuses Android's ability to draw over other apps (the SYSTEM_ALERT_WINDOW permission): a transparent or misleading overlay sits above the legitimate app, so the user's taps land on hidden buttons that grant permissions or confirm actions. Defenses are android:filterTouchesWhenObscured="true" on sensitive views (or checking FLAG_WINDOW_IS_OBSCURED in the touch handler), and since Android 12 the system blocks touches that pass through untrusted overlays.
18. What is the primary purpose of Full-Disk Encryption (FDE) or File-Based Encryption (FBE) on mobile devices?
Answer: C. To protect data at rest from being extracted if the physical device is lost or stolen
FDE/FBE encrypts stored data with keys that are wrapped by a key derived from the user's passcode and a hardware-bound secret, so even an attacker who desolders the NAND flash or images the storage recovers only ciphertext. The strength of this protection depends on the passcode, the hardware-enforced guess limit, and the device not being left in an unlocked state.
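The relationship between the passcode and the data-at-rest keys described in questions 12 and 18 can be made concrete with a small model. The block below is an added illustration, not code from this page or from Android/iOS: DEVICE_SECRET, SALT and the iteration count are made-up values, and the key schedule is a simplification of what a real TEE does. It shows the two consequences that matter for a practitioner: an attacker who has the device-bound secret (for example from a chip without a hardware guess counter) can recover a 4-digit PIN offline in at most 10,000 derivations, and without that secret even the right PIN yields the wrong key.

```python
"""Model of passcode-derived data-at-rest keys (added illustration, not OS code)."""
import hashlib
import hmac
import itertools

ITERATIONS = 100   # deliberately tiny so the brute-force loop runs in about a second;
                   # real implementations use a far heavier work factor
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)  # stands in for the SoC-fused UID key (made up)
SALT = b"constructed-salt"                                                # made-up salt


def derive_key(passcode: str, device_secret: bytes, salt: bytes) -> bytes:
    """Entangle the passcode with the device secret (HMAC), then stretch with PBKDF2.
    The HMAC step is what ties the derivation to one device: replaying it elsewhere
    without device_secret produces an unrelated key."""
    entangled = hmac.new(device_secret, passcode.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", entangled, salt, ITERATIONS, dklen=32)


def brute_force_pin(target_key: bytes, device_secret: bytes, salt: bytes, digits: int = 4):
    """Offline search of an all-numeric PIN. Returns (pin, attempts); pin is None if not found.
    With the device secret in hand this loop is all an attacker has to run, which is
    why the secret must stay inside hardware that also counts and throttles guesses."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        guess = "".join(combo)
        if hmac.compare_digest(derive_key(guess, device_secret, salt), target_key):
            return guess, attempts
    return None, attempts


def guess_budget_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to exhaust a passcode space at a given guess rate."""
    return (alphabet_size ** length) / guesses_per_second


if __name__ == "__main__":
    key = derive_key("7391", DEVICE_SECRET, SALT)
    pin, tries = brute_force_pin(key, DEVICE_SECRET, SALT)
    print(f"recovered PIN {pin} after {tries} guesses")
    other_device = derive_key("7391", b"\x00" * 32, SALT)
    print("same PIN on another device gives the same key:", other_device == key)
    print(f"4-digit PIN, unthrottled 1e6 guesses/s: {guess_budget_seconds(10, 4, 1e6):.3f} s")
    print(f"4-digit PIN, hardware-limited to 1 guess/s: {guess_budget_seconds(10, 4, 1):.0f} s")
    print(f"6-char alphanumeric, unthrottled 1e6 guesses/s: {guess_budget_seconds(36, 6, 1e6):.0f} s")
```

The last three lines of output are the argument for hardware rate limiting in numbers: the same 10,000-guess PIN space is trivial at an unthrottled rate and takes hours behind a one-guess-per-second counter, and a longer alphanumeric passcode is what makes the offline case expensive even when the secret leaks.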
19. Under the OWASP Mobile Top 10, what does "Improper Credential Usage" specifically refer to?
Answer: B. Developers hardcoding passwords, API keys, or tokens insecurely within the app's source code
M1 (Improper Credential Usage) in the 2024 OWASP Mobile Top 10 covers hardcoded credentials, secrets stored in the binary or in plaintext config files, and credentials transmitted or reused insecurely. Anything shipped inside the app should be assumed recoverable by static analysis of the APK or IPA, so the fix is to keep secrets server-side, issue short-lived per-user tokens, and store what must live on the device in the Keystore or Keychain.
20. What is "Google Play Protect"?
Answer: A. A built-in malware defense system that scans Android apps for malicious behavior
Google Play Protect is Android's built-in security service on devices with Google services. It scans apps from the Play Store and sideloaded apps on-device, uses cloud-backed machine learning models to flag potentially harmful applications, and can warn the user or remove them. Malware authors test against it before release, so it is a detection layer, not a substitute for app-level controls such as root detection and attestation.
Mobile Security: Concepts
1. What is "Certificate Pinning" in mobile app security?
Answer: D. Hardcoding or associating a specific expected server certificate within the app to prevent Man-in-the-Middle attacks
Certificate pinning embeds the expected certificate, or more commonly the SHA-256 hash of its Subject Public Key Info (SPKI), in the app. The TLS connection is rejected unless the presented chain contains a pinned key, so an interception proxy or a rogue or compromised CA cannot silently MitM the traffic even if its root is trusted by the OS. Pin the SPKI rather than the whole certificate so routine renewals do not break the app, always ship a backup pin, and set an expiry. On Android pins can be declared in the Network Security Configuration; on iOS through NSPinnedDomains in Info.plist or a URLSession delegate.
2. How does Android's "Intent" system pose a security risk if improperly configured?
Answer: B. "Exported" intents can allow malicious third-party apps to intercept sensitive data or trigger restricted internal app functions
When an Activity, Service or BroadcastReceiver is exported without a permission check, any app on the device can send it an Intent and trigger the operation behind it or receive the data it broadcasts. Before targetSdk 31 a component with an intent-filter was exported implicitly unless android:exported="false" was set; from Android 12 the attribute must be explicit, but the protection only comes from pairing exported components with an android:permission (ideally signature-level) or validating the caller.
3. What is the purpose of "Code Obfuscation" in mobile app development?
Answer: B. To intentionally scramble the source code to make reverse engineering and static analysis significantly more difficult for attackers
Tools like ProGuard or R8 rename classes, methods, and fields to meaningless identifiers and strip debug information, so a decompiled APK is much harder to read. Obfuscation raises the cost of analysis but does not prevent it: strings, network behaviour and logic remain recoverable at runtime, so it complements, rather than replaces, keeping secrets off the device.
4. Which dynamic instrumentation toolkit is heavily used by security researchers to inject scripts into black-box processes on iOS and Android?
Answer: A. Frida
Frida is an open-source dynamic instrumentation platform that injects a JavaScript runtime into a running process, letting researchers hook functions, intercept API calls, and modify runtime behaviour on Android and iOS without source code. It is typically run via frida-server on a rooted device or jailbroken iPhone, or by repackaging the app with frida-gadget when root is unavailable.
5. What does the term "Jailbreak/Root Detection" mean in mobile app development?
Answer: B. Implementing runtime checks to see if the OS is modified, and altering app behavior (e.g., refusing to run) if it is
Root/jailbreak detection looks for indicators such as su binaries, Magisk or Cydia artefacts, a writable /system partition, unusual properties (ro.debuggable, test-keys), or a failed Play Integrity verdict (the successor to SafetyNet Attestation), and then limits app functionality on compromised devices. Every on-device check can itself be hooked with Frida, so treat the result as a signal and back it with server-side attestation rather than trusting a local boolean.
6. In Android development, which crucial file declares the application's components, requested permissions, and exported activities?
Answer: A. AndroidManifest.xml
AndroidManifest.xml is the mandatory app descriptor the Android OS reads at install time to learn the app's components (Activities, Services, Receivers, Providers), declared and requested permissions, intent filters, exported status, and application-wide flags such as debuggable, allowBackup and usesCleartextTraffic. Reviewing it is the first step of any Android assessment.
7. What is a "Deep Link" vulnerability in a mobile application?
Answer: C. Improperly validated URIs that can force the app to execute unintended actions, bypass authentication, or leak data when clicked
When an app registers a URL handler (a custom scheme such as myapp://action?param=value, or an https App Link / Universal Link) and trusts the incoming URI, an attacker can craft a link that navigates to a sensitive screen, skips an authentication step, or sends a token to an external "redirect" target. Custom schemes are worse because any app can claim them and hijack the link; verified App Links and Universal Links bind the host to your domain, but the parameters still need strict validation.
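A deep-link handler that resists the problems in question 7 needs an allow-list of schemes, hosts and routes, a guard on authenticated routes, and a check that any "next"/redirect parameter is app-internal. The following is an added example, not code from the page or from any real app: the scheme myapp, the host app.example.com, the route names and the parameter name next are assumptions for illustration. It is written as a pure function so the same rules can be unit-tested on the laptop before they are ported into the Android or iOS handler.

```python
"""Allow-list based deep-link validation (added example; names are hypothetical)."""
import posixpath
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"myapp", "https"}          # custom scheme plus verified App Link / Universal Link
ALLOWED_HOSTS = {"app.example.com"}           # the domain the app's links are verified for
PUBLIC_ROUTES = {"/", "/product", "/help"}
AUTH_ROUTES = {"/account", "/transfer"}       # never reachable from a link without a live session
REDIRECT_PARAM = "next"                       # post-action target; classic open-redirect vector


class DeepLinkRejected(ValueError):
    """Raised for any link the app must ignore (log it, do not navigate)."""


def _safe_path(raw: str) -> str:
    """Accept only absolute, traversal-free paths and normalise them."""
    if not raw.startswith("/") or "//" in raw or "\\" in raw:
        raise DeepLinkRejected(f"malformed path: {raw!r}")
    if any(seg in (".", "..") for seg in raw.split("/")):
        raise DeepLinkRejected(f"path traversal: {raw!r}")
    return posixpath.normpath(raw)


def parse_deep_link(url: str, session_active: bool) -> dict:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise DeepLinkRejected(f"scheme not allowed: {parts.scheme!r}")
    # user@host authorities make the eye read the wrong host; refuse them outright
    if parts.username is not None or parts.password is not None:
        raise DeepLinkRejected("userinfo in authority")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:              # exact match, so app.example.com.evil.example fails
        raise DeepLinkRejected(f"host not allowed: {host!r}")
    route = _safe_path(parts.path or "/")
    if route in AUTH_ROUTES:
        if not session_active:
            # Safest policy: drop the link. Do not stash it and auto-open after login
            # unless it is re-validated then, or the login screen becomes a bypass.
            raise DeepLinkRejected(f"{route} requires an authenticated session")
    elif route not in PUBLIC_ROUTES:
        raise DeepLinkRejected(f"unknown route: {route!r}")
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    redirect = None
    if REDIRECT_PARAM in params:
        candidate = params.pop(REDIRECT_PARAM)
        target = urlsplit(candidate)
        if target.scheme or target.netloc:     # https://evil..., //evil... are open redirects
            raise DeepLinkRejected(f"external redirect blocked: {candidate!r}")
        redirect = _safe_path(candidate)
        if redirect not in PUBLIC_ROUTES | AUTH_ROUTES:
            raise DeepLinkRejected(f"redirect to unknown route: {redirect!r}")
    return {"route": route, "params": params, "redirect": redirect}


def is_accepted(url: str, session_active: bool = False) -> bool:
    """Convenience wrapper for tests and logging: True if the link would be acted on."""
    try:
        parse_deep_link(url, session_active)
        return True
    except DeepLinkRejected:
        return False


if __name__ == "__main__":
    for link in ("https://app.example.com/product?id=42",
                 "myapp://app.example.com/transfer?to=attacker",
                 "https://app.example.com/help?next=https://evil.example/steal",
                 "https://evil.example@app.example.com/help"):
        print(f"{link:60} session=False -> {is_accepted(link)}  session=True -> {is_accepted(link, True)}")
```

Note what the function deliberately does not do: it never navigates to an authenticated route on the strength of the link alone, and it never accepts a redirect target with a scheme or host, because the common bug is the app opening a WebView or browser on an attacker-controlled URL with the session token in the query string.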
8. Which of the following represents a severe cryptographic failure commonly found in mobile data storage?
Answer: C. Using hardcoded, static symmetric encryption keys embedded directly in the app's binary
A key embedded in the binary can be extracted with strings, JADX or Ghidra in minutes, so the "encrypted" data is effectively plaintext to anyone with the APK. In the 2024 OWASP Mobile Top 10 this falls under M10 (Insufficient Cryptography) and, because the key is a credential, M1 (Improper Credential Usage). Keys should be generated on the device inside the Keystore or Keychain, or derived from something the attacker does not have.
9. What is the primary goal of Mobile Application Management (MAM) compared to MDM?
Answer: A. Securing, managing, and enforcing corporate policies on specific enterprise applications and their data, rather than controlling the entire device
MAM works at the application level: it enables selective wipe of corporate app data, enforces app-level policies (PIN, copy/paste and data-sharing restrictions), and pushes app configuration without requiring full MDM device enrollment, which makes it the usual fit for BYOD.
10. In iOS, what mechanism ensures that only Apple-approved, unaltered software runs on the device?
Answer: B. Mandatory Code Signing Enforcement
iOS enforces mandatory code signing: every executable must be signed by a certificate that chains to Apple's root CA, and the kernel (through the AppleMobileFileIntegrity component) verifies the signature before any binary is loaded, so unsigned or tampered code is refused. Jailbreaks exist precisely to switch this enforcement off.
11. What is an "Exported Activity" in an Android application?
Answer: C. An app component that is explicitly permitted to be launched by other applications on the device
Setting android:exported="true" on an Activity makes it launchable by any app on the device through an explicit or implicit Intent. Without a permission requirement or a check of the caller, an attacker's app can start it directly to skip the login Activity, reach internal screens, or pass crafted extras into it.
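Questions 2, 6 and 11 all come down to reading AndroidManifest.xml with the right rules in mind. The following is an added example, not code from this page or from any Android tool: it runs the checks a reviewer does by hand after apktool decodes the manifest, over a constructed sample manifest (the package com.example.bank and its component names are made up). It applies the pre-targetSdk-31 implicit-export rule, the content-provider default, the LAUNCHER exception, and the application-level flags that question 6 mentions.

```python
"""Manifest review: exported components and risky application flags (added example)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix ElementTree uses for android: attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample, deliberately full of findings. Not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:allowBackup="true" android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bank"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".UserProvider" android:authorities="com.example.bank.users" android:exported="true"/>
  </application>
</manifest>
"""

APP_FLAGS = {
    "debuggable": "debugger and run-as can read the app's private data",
    "allowBackup": "app data can be pulled with adb backup (blocked for targetSdk 31+ unless debuggable) and lands in cloud backups",
    "usesCleartextTraffic": "plaintext HTTP is permitted app-wide",
}


def is_exported(component, target_sdk: int) -> bool:
    """Effective exported status, including the historical defaults."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return target_sdk < 17          # providers defaulted to exported before API 17
    # Before targetSdk 31 a component with an intent-filter was exported implicitly;
    # from 31 the build fails without an explicit attribute.
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text: str):
    """Return (tag, name, reason) tuples for everything a reviewer should look at."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    findings = []
    for flag, reason in APP_FLAGS.items():
        if app.get(A + flag) == "true":
            findings.append(("application", flag, reason))
    for comp in app:
        if comp.tag not in COMPONENTS or not is_exported(comp, target_sdk):
            continue
        if comp.get(A + "permission"):
            continue    # gated; still confirm the permission is signature-level, not normal
        if any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category")):
            continue    # the launcher activity has to be exported
        findings.append((comp.tag, comp.get(A + "name"), "exported without android:permission"))
    return findings


if __name__ == "__main__":
    for tag, name, reason in analyze_manifest(SAMPLE_MANIFEST):
        print(f"{tag:12} {name:22} {reason}")
```

Each flagged component is a starting point, not a verdict: the next step is to open the class in JADX and check whether it validates the caller (getCallingPackage(), a permission check, or an authenticated session) before doing anything sensitive.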
12. What is "Reverse Engineering" in the context of mobile application security?
Answer: C. Decompiling or disassembling the app binary to view the original source code, assets, and business logic
Mobile reverse engineering uses tools like JADX, apktool, Ghidra, or Hopper to decompile or disassemble an APK or IPA into readable (if not identical) source, revealing hardcoded secrets, proprietary algorithms, API endpoints, and authentication logic. It is the first step of both an assessment and an attack, which is why nothing in the binary can be treated as secret.
13. Which open-source tool is widely used by security analysts to decompile Android APKs into readable Java/Smali code?
Answer: A. JADX (or apktool)
JADX decompiles Android DEX bytecode back into readable Java source, while apktool decodes resources and the binary manifest and converts bytecode to Smali assembly that can be edited and rebuilt. Both are standard in Android static-analysis workflows; apktool is also how testers repackage an app to remove pinning or add the Frida gadget.
14. In the updated OWASP Mobile Top 10, what does "Inadequate Supply Chain Security" primarily address?
Answer: A. Vulnerabilities introduced by integrating compromised third-party SDKs, open-source libraries, or flawed CI/CD pipelines
M2 (Inadequate Supply Chain Security) in the 2024 list covers malicious or vulnerable third-party SDKs and advertising libraries, compromised build tools, and insecure signing or release pipelines, any of which can add a backdoor or data leak the developer never wrote. Mitigations are dependency pinning and review, SBOMs, and protecting the signing keys and CI runners.
15. How can mobile app developers most securely store highly sensitive data, such as authentication tokens, on an iOS device?
Answer: B. Within the iOS Keychain, which utilizes hardware-backed encryption
The iOS Keychain stores secrets (passwords, tokens, keys) encrypted under Data Protection class keys that are derived with the Secure Enclave and tied to the device passcode, and it can require biometrics for access. It is far safer than UserDefaults, plist files or a plaintext SQLite database, but the accessibility class matters: choose kSecAttrAccessibleWhenUnlockedThisDeviceOnly (or a ThisDeviceOnly variant) for tokens, because weaker classes are included in backups and are readable on a jailbroken device whenever it is booted.
16. What is the inherent security risk of logging sensitive information (like passwords) using Log.d or print() in a production mobile app?
Answer: A. The sensitive data is written to the system log, which can be read by attackers with physical access, ADB access, or malicious apps with log-reading permissions
Anything passed to Log.d or print() ends up in the system log. Since Android 4.1 third-party apps can no longer obtain READ_LOGS, so other apps only see their own entries, but anyone with ADB access (adb logcat), a rooted device, or a bug report gets the whole log; on iOS the unified log can be read over USB with Console.app or collected in a sysdiagnose. Debug logging of passwords, tokens or PII left in a release build is therefore a real exposure and a frequent finding; strip it with R8/ProGuard rules or a build-type check.
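Finding the hardcoded credentials from questions 8 and 19 in the Basics section and the log leakage from question 16 is the same job: scan text for things that look like secrets. The following is an added example, not code from this page or from any published scanner: it runs a handful of well-known token formats plus a Shannon-entropy check over constructed lines of decompiled Java and constructed logcat output (the key and token values are deliberately fake, including AWS's published example access key ID). The same function works on the output of strings run against a native library.

```python
"""Secret and token scanner for decompiled source and log dumps (added example)."""
import math
import re

PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # name = "value" / name: "value" with a secret-ish name (case-insensitive)
    "assigned_secret": re.compile(r'(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*"([^"]{6,})"'),
}
QUOTED = re.compile(r'"([^"\s]{20,})"')   # long, space-free string literals for the entropy check
ENTROPY_THRESHOLD = 4.5                  # bits/char; URLs and prose sit around 4, random keys above 4.5

# Constructed decompiled Java, as JADX would show it. Every value here is fake.
SAMPLE_DECOMPILED = [
    'public final class ApiClient {',
    '    private static final String BASE_URL = "https://api.example.com/v1";',
    '    private static final String API_KEY = "AIzaSyD-EXAMPLE0123456789abcdefghijklmn";',
    '    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    '    private static final String DB_PASSWORD = "Hunter2!Hunter2";',
    '    private static final String HMAC_SEED = "q8Zt1vXk9Lm3pR7sW2yB5nH4jF6cD0aG";',
    '    private static final String WELCOME = "Welcome back, please sign in to continue";',
    '}',
]
# Constructed logcat lines from the same app; the JWT is made up.
SAMPLE_LOGCAT = [
    'D/AuthManager( 4127): login ok user=alice token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.Zm9vYmFyYmF6cXV4MTIz',
    'V/LoginActivity( 4127): submitting form password="Tr0ub4dor&3pass"',
    'I/SyncService( 4127): synced 12 items in 340 ms',
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own symbol frequencies."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return findings as dicts with the 1-based line number, the pattern name and the matched value."""
    findings = []
    for no, line in enumerate(lines, 1):
        matched = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": no, "kind": kind, "value": m.group(m.lastindex or 0)})
                matched = True
        if matched:
            continue  # a known-format hit is reported once, not again as "high entropy"
        for m in QUOTED.finditer(line):
            literal = m.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append({"line": no, "kind": "high_entropy_literal", "value": literal})
    return findings


def kinds_by_line(findings):
    """Collapse findings to {line_number: {kinds}} for quick comparison."""
    out = {}
    for f in findings:
        out.setdefault(f["line"], set()).add(f["kind"])
    return out


if __name__ == "__main__":
    for label, lines in (("decompiled", SAMPLE_DECOMPILED), ("logcat", SAMPLE_LOGCAT)):
        for f in scan_lines(lines):
            print(f"{label}:{f['line']:<3} {f['kind']:22} {f['value']}")
```

The entropy rule is what catches home-grown keys that match no known format, and the threshold is the trade-off: the URL on line 2 scores just above 4 bits per character and is correctly ignored, while the 32-character seed on line 6 scores 5 and is flagged. Tune it per codebase and review the hits by hand; a scanner output is a worklist, not a report.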
17. What is the function of App Transport Security (ATS) in iOS?
Answer: D. It forces the application to use secure network connections (HTTPS) and blocks unencrypted HTTP traffic by default
Introduced in iOS 9, ATS requires TLS 1.2 or later with strong cipher suites and forward secrecy for outbound connections made through the system networking stack, and blocks plaintext HTTP unless the developer declares an exception under NSAppTransportSecurity in Info.plist (NSExceptionDomains for specific hosts, or the global NSAllowsArbitraryLoads, which App Review asks developers to justify). During a review, an ATS exception list is a quick map of where cleartext or weak TLS is still possible.
18. What is a "WebView" in mobile development, and what is its primary security risk?
Answer: C. An embedded browser component used to display web content; it can be vulnerable to Cross-Site Scripting (XSS) if JavaScript is enabled and inputs aren't sanitized
A WebView embeds a web rendering engine inside a native app. If JavaScript is enabled and untrusted content is loaded or rendered without sanitisation, injected script runs in the WebView, and if the app has exposed native methods through a JavaScript bridge (addJavascriptInterface on Android, WKScriptMessageHandler on iOS) that script can call into the app with its permissions. Loading arbitrary URLs into a WebView, or allowing file:// access, turns a web bug into a local one.
19. What is the risk of storing sensitive data in Android's SharedPreferences without explicit encryption?
Answer: D. The data is stored in plaintext XML files that can be easily extracted from rooted devices or insecure backups
SharedPreferences writes plaintext XML under /data/data/<package>/shared_prefs/. On a rooted device or through adb backup (when allowBackup is true and the app targets an SDK below 31, or is debuggable) those files are trivially readable and commonly hold session tokens or even passwords. Keep tokens in a store whose key lives in the hardware-backed Keystore, and set allowBackup="false" or an explicit backup rules file that excludes them.
20. What is "Biometric Bypass" in mobile application testing?
Answer: C. Hooking the local biometric API prompt (e.g., using Frida) to force it to return a "success" boolean without actually providing a fingerprint or face
When an app only waits for a success callback (onAuthenticationSucceeded on Android, the Boolean from LAContext.evaluatePolicy on iOS) and then proceeds, Frida can hook that callback and invoke it unconditionally. The robust pattern ties the biometric to cryptography: the app keeps the session key in the Keystore with setUserAuthenticationRequired and unlocks it through a BiometricPrompt CryptoObject (or, on iOS, a Keychain item protected by an access-control flag), so a faked callback yields no usable key and the server never receives a valid response.
Mobile Security: Advanced
1How does the "Frida" framework fundamentally achieve dynamic instrumentation on mobile devices?
CorrectA: By injecting the V8 JavaScript engine directly into the target application's memory space, allowing runtime manipulation of functions and memory
Frida spawns a frida-agent shared library into the target process's address space (via ptrace on Android or task_for_pid on jailbroken iOS), which hosts the Duktape/V8 JavaScript engine and exposes the Interceptor and Memory APIs for runtime hooking.
IncorrectA: By injecting the V8 JavaScript engine directly into the target application's memory space, allowing runtime manipulation of functions and memory
Frida spawns a frida-agent shared library into the target process's address space (via ptrace on Android or task_for_pid on jailbroken iOS), which hosts the Duktape/V8 JavaScript engine and exposes the Interceptor and Memory APIs for runtime hooking.
2What is the core architectural difference between Android's legacy Full Disk Encryption (FDE) and modern File-Based Encryption (FBE)?
CorrectA: FBE allows different files to be encrypted with different keys and unlocked independently, enabling features like Direct Boot; FDE encrypts the entire partition with a single key
FDE uses a single key for the entire userdata partition, requiring a full unlock before boot completes. FBE (introduced in Android 7.0) uses per-file/per-directory keys: Credential Encrypted (CE) files unlock with the PIN, while Device Encrypted (DE) files are available in Direct Boot before authentication.
IncorrectA: FBE allows different files to be encrypted with different keys and unlocked independently, enabling features like Direct Boot; FDE encrypts the entire partition with a single key
FDE uses a single key for the entire userdata partition, requiring a full unlock before boot completes. FBE (introduced in Android 7.0) uses per-file/per-directory keys: Credential Encrypted (CE) files unlock with the PIN, while Device Encrypted (DE) files are available in Direct Boot before authentication.
3. In iOS exploitation, what is a "tfp0" (task for pid 0) vulnerability?
Correct: A. A critical kernel exploit that grants the attacker arbitrary read and write access to the kernel's memory space
task_for_pid(0) returns the kernel task port, granting the caller arbitrary kernel memory read/write, the holy grail for iOS jailbreaking. A tfp0 exploit gives attackers full kernel control and enables sandbox escape, code injection, and persistent root access.
4. When performing static reverse engineering on native iOS applications, which executable binary format is primarily analyzed?
Correct: B. Mach-O (Mach Object)
iOS apps compile to ARM Mach-O binaries (Mach Object format). Tools like Hopper, IDA Pro, and Ghidra parse the Mach-O structure (load commands, segments, sections) to perform disassembly and decompilation of native Swift/Objective-C code.
5. What is the specific security purpose of the android:networkSecurityConfig XML file in modern Android development?
Correct: C. To declaratively customize network security settings, such as forcing HTTPS, disabling cleartext traffic, or specifying custom certificate trust anchors without modifying app code
The Network Security Configuration file (introduced in Android 7.0) allows developers to disable cleartext HTTP, pin specific certificates, trust custom CAs for debug builds, and override system-wide network trust settings at app level without code changes.
6. How do penetration testers typically bypass strict SSL/TLS Certificate Pinning during dynamic analysis of a mobile app?
Correct: A. By using instrumentation frameworks like Frida or Xposed to hook the app's SSL verification functions and force them to return a "valid" boolean
Testers use Frida scripts (e.g., ssl-pinning-bypass.js) or the Xposed/LSPosed framework with modules like TrustMeAlready to hook SSL/TLS validation methods (X509TrustManager, SecTrustEvaluate) and force them to accept any certificate presented by an intercepting proxy.
7. What is "White-Box Cryptography" in the context of advanced mobile application defense?
Correct: B. A mathematical technique designed to hide cryptographic keys and execution logic within the code itself, preventing key extraction even if the attacker has full memory access
White-box cryptography (e.g., by Irdeto or Dexprotector) mathematically merges the secret key into the cryptographic implementation code itself using lookup tables and encodings, aiming to prevent key extraction even when an attacker has full runtime memory access.
8. In the Android operating system architecture, what is the primary function of the "Binder" mechanism?
Correct: D. To serve as the kernel-level driver that facilitates high-performance Inter-Process Communication (IPC) and Remote Procedure Calls (RPC)
Binder is a Linux kernel driver (/dev/binder) that implements Android's primary IPC mechanism, enabling cross-process method calls with automatic parameter marshalling, caller UID injection for permission enforcement, and secure reference counting.
9. What is a "Content Provider" in Android, and what is its primary security risk if misconfigured?
Correct: A. A component that manages access to a structured set of data; if exported without proper permissions, it can be exploited via SQL injection or path traversal
Content Providers expose app data (SQLite databases, files) via a URI interface. If exported without restrictive permissions, attackers can query the underlying SQL database (injection), traverse to arbitrary file paths, or read sensitive corporate data via crafted content:// URIs.
10. What does the iOS ptrace system call restriction (specifically PT_DENY_ATTACH) attempt to accomplish?
Correct: B. It serves as a primitive anti-debugging technique by preventing debuggers (like GDB or LLDB) from attaching to the application process
Calling ptrace(PT_DENY_ATTACH, 0, 0, 0) on iOS causes the process to terminate if a debugger later tries to attach; however, this is a weak control easily bypassed by patching the ptrace call or using Frida before the call executes.
11. What is an Android PendingIntent, and what is its associated security risk?
Correct: C. A token granting a foreign application the right to execute code with the permissions of the originating app; vulnerable to privilege escalation if implicitly created or improperly delegated
A PendingIntent wraps an Intent with the calling app's identity; when passed to a third-party app (e.g., via AlarmManager or NotificationManager), if the wrapped Intent is implicit or mutable, the recipient can modify the Intent's action/data to perform operations with the originator's elevated privileges.
12. Which OWASP Mobile Application Security Verification Standard (MASVS) category specifically dictates requirements for anti-tampering, anti-reversing, and obfuscation controls?
Correct: D. MASVS-RESILIENCE
MASVS-RESILIENCE defines defense-in-depth controls for high-risk apps: jailbreak/root detection, anti-debugging, integrity verification, obfuscation, and device binding, all aimed at increasing the cost of reverse engineering and tampering.
13. How does Apple's Pointer Authentication Code (PAC) hardware feature actively mitigate advanced exploits on modern iOS devices?
Correct: C. It signs memory pointers with a cryptographic hash to ensure they haven't been modified, heavily mitigating Return-Oriented Programming (ROP) and memory corruption attacks
ARM's PAC (deployed on Apple A12+ via QARMA algorithm) embeds a cryptographic signature into the unused high bits of pointers. Attempts to redirect control flow via corrupted return addresses or function pointers fail the PAC authentication check and fault, neutralizing most ROP/JOP exploit chains.
14. When testing an iOS app, what is the critical significance of the entitlements embedded in the signed binary?
Correct: A. They are key-value pairs verified by the kernel that explicitly grant the app restricted executable permissions, such as accessing iCloud, Push Notifications, or the Keychain
iOS entitlements (embedded in the code signature's Entitlements.plist) are enforced by AMFI and the kernel; they gate access to privileged capabilities like Keychain groups, iCloud containers, push notifications, and inter-process communication services.
15. In advanced Android malware attacks, what is the "Accessibility Service" most frequently abused to do?
Correct: C. To read sensitive UI content (like 2FA codes), observe user actions, and automatically click permission prompts without user interaction
Banking trojans (e.g., Anubis, BankBot) abuse Accessibility Services to perform overlay attacks, auto-click permission dialogs, capture on-screen OTP codes, log keystrokes, and silently grant themselves additional permissions, all without user interaction.
16. How is a "Tapjacking" vulnerability mitigated in modern Android development?
Correct: A. Setting the filterTouchesWhenObscured attribute to "true", which drops touch events when a malicious window obscures the legitimate app
android:filterTouchesWhenObscured="true" instructs the Android framework to ignore touch events delivered to a View when another window is visually obscuring it, preventing overlay-based attacks from stealing taps meant for the underlying UI.
17. What was the historical security purpose of the __RESTRICT,__restrict segment in an iOS Mach-O binary?
Correct: C. It prevented the DYLD dynamic linker from injecting external dynamic libraries via environment variables, serving as a primitive anti-hooking mechanism
When the __RESTRICT,__restrict segment is present in a Mach-O binary, DYLD ignores DYLD_INSERT_LIBRARIES and similar environment variables, blocking basic library injection techniques, though this was trivially bypassed on jailbroken devices via DYLD patches.
18. How do attackers frequently abuse Custom URL Schemes (e.g., myapp://) on mobile operating systems?
Correct: C. By registering the exact same URL scheme in a malicious app to hijack incoming deep links, intercepting sensitive data or OAuth authorization tokens
Unlike Universal Links (iOS) or App Links (Android), which require HTTPS ownership verification, custom schemes have no ownership enforcement. A malicious app can register the same scheme and the OS will present an ambiguous app chooser, allowing it to intercept OAuth redirect tokens or sensitive deep-link parameters.
19. What is the primary security significance of Android's Play Integrity API (formerly SafetyNet)?
Correct: D. It provides a cryptographic attestation to backend servers verifying that the device environment is genuine, unrooted, and has not been tampered with
Play Integrity API generates a signed JWT attestation (verified by Google's servers) that reports MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY, and app licensing verdicts, allowing backend APIs to reject requests from rooted, emulated, or tampered device environments.
20. In the context of dynamic analysis and reverse engineering, what is "Method Swizzling" on iOS?
Correct: B. Modifying the mapping of a selector to its underlying implementation function at runtime, allowing attackers to intercept, log, or alter Objective-C method calls
Objective-C's dynamic dispatch uses a selector-to-IMP (implementation pointer) table. Method swizzling (via method_exchangeImplementations or Frida's ObjC.classes) replaces an existing method's IMP with a custom one at runtime, enabling interception and logging of any Objective-C call without source code access.
Conclusion: Mobile Application Security Essentials
Mobile security spans platform hardening, secure coding practices, and threat response. These 60 MCQs cover malware detection, network security (certificate pinning, HTTPS), secure storage and authentication, API security, and incident response specific to mobile threats.
Revisit missed questions, practice secure mobile development, and stay current with platform security advisories for iOS and Android.
Key Takeaways: Mobile Security
- Certificate Pinning: Hardcode expected cert/key in app; verify server cert matches during TLS handshake; prevents MitM via rogue CAs.
- Secure Storage: Use Keychain (iOS) or Keystore (Android) for secrets; encrypt data at rest; never hardcode API keys or credentials.
- API Security: Validate all API responses; use HTTPS + pinning; implement OAuth 2.0; rate limit; never trust client-side controls.
- Biometric Auth: Convenient but not foolproof; combine with PIN/password for sensitive transactions; subject to spoofing.
- Token Management: Store in secure storage; use short-lived access tokens + long-lived refresh tokens; revoke on logout.
- Obfuscation ≠ Security: Obfuscation is reversible; real security requires proper crypto, secret key management, and server-side enforcement.
- Common Pitfalls: Hardcoded secrets, disabled TLS cert validation, unencrypted local storage, SQL injection, logging sensitive data.
- Malware & Phishing: Educate users; install MDM/threat detection tools; validate app permissions; use secure messaging for sensitive data.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Security Area | Threat | Defense |
|---|---|---|
| Network | MitM, rogue CA | HTTPS + certificate pinning |
| Local Storage | Data theft if device stolen | Encrypt at rest; use Keychain/Keystore |
| Authentication | Stolen credentials | OAuth 2.0; secure token storage; MFA |
| API | Injection, tampering | Input validation; parameterized queries; rate limit |
| Code | Reverse engineering | Obfuscation (weak); proper crypto; secret mgmt (strong) |
| Malware | Trojans, ransomware | App store vetting; permissions review; EDR tools |
| Phishing | Credential theft | User education; verify URLs; app-only communication |
| Biometric | Spoofing, theft | Liveness detection; combine with PIN |
Frequently Asked Questions
Q. What are the main mobile security threats?
Q. What is Mobile Device Management (MDM)?
Q. What is the difference between jailbreaking and rooting?
Q. How does certificate pinning improve mobile app security?
Q. What is smishing and how does it differ from phishing?
Q. What security controls should be enforced on corporate mobile devices?
Q. What is a rogue access point attack on mobile devices?