CompTIA Mobile App Security+ Certification Exam (Android Edition) v6.0

Page:    1 / 7   
Exam contains 102 questions

If a Java package contains sensitive data in one or more classes, and the data is declared public, what attacks does that expose?

  • A. Public data can be intercepted in transit using network sniffing tools.
  • B. Malicious code can declare itself as part of the same package, and directly access the public data with no means of protection.
  • C. Public data can be accessed (read-write) via HTTP POST/POST arguments.
  • D. The sensitive public data gets cached on the Java server, and is thus searchable using traditional enterprise intranet search tools.


Answer : B

Which of the following is a reason to take mobile app security seriously when developing a social networking app that does NOT accept payments? (Select TWO).

  • A. PCI-DSS regulations
  • B. Consumer privacy expectations and regulations
  • C. HIPAA regulations
  • D. FIPS compliance
  • E. Company reputation


Answer : B,E

Which of the following is the primary reason for web services to output encode all data sent to Android application clients?

  • A. Output encoding eliminates the need for the client to perform input validation, as the server has already ensured that all data being passed to the client is safe.
  • B. Output encoding ensures that an attacker who can view network traffic cannot read the communications between the server and the client.
  • C. Output encoding is required for the data to be sent over an SSL channel.
  • D. Output encoding ensures that the client will treat all data received as data and not as executable scripts.


Answer : D

Why should a developer ensure the debug flag is set to false in the manifest for a production build?

  • A. It prevents malware from being able to connect to the debug socket and take control of the app.
  • B. It prevents debug messages from showing up in the log.
  • C. It prevents an attacker from being able to reverse engineer the app.
  • D. It prevents an attacker from communicating with the app over the debug bridge.


Answer : A

In public key cryptography, which problem can occur when the public key is transmitted?

  • A. The initialization vector can be determined
  • B. The public key can be replaced with a different one
  • C. The hash of the data can be decrypted with the private key
  • D. The private key can be calculated from the public one


Answer : B

What additional task is accomplished by using mutual-authentication SSL as opposed to standard SSL?

  • A. The client performs an extra validation to ensure the integrity of the Root Certificate Authorities.
  • B. The identity of the Certificate Authority that issued the server's SSL certificate is validated in addition to that of the server itself.
  • C. The Android application (the client) supplies a certificate to identify itself in addition to the server performing the same task, so that the client's identity is authenticated to the server.
  • D. The client decides to reject or accept the connection with the server based on its own criteria about the validity of the server's SSL certificate.


Answer : C

Which of the following mechanisms is MOST commonly used when attempting a privileged operation?

  • A. A public method interface to private data fields.
  • B. A private package containing only the privileged instructions.
  • C. A try/catch/finally block.
  • D. A security manager directive.


Answer : C

Which of the following attempts to prevent JavaScript from accessing a session cookie in a mobile browser?

  • A. Both HttpOnly and Secure attributes
  • B. HttpOnly attribute
  • C. Cookie permission settings
  • D. Use of super cookie


Answer : B

When an app creates a configuration file in its private data directory, the developer should ensure:

  • A. that the file path is determined with getExternalStorageDirectory().
  • B. that the file is created world writable.
  • C. that file ownership is set to system.
  • D. that the file is not created world readable.


Answer : D

How should a developer securely share data between applications?

  • A. Using file permissions on the SD card
  • B. Creating world-readable files in the application directory
  • C. Defining content providers with permissions
  • D. Using a shared SQLite database


Answer : C

A SQL database password should be:

  • A. memorable for development purposes.
  • B. encrypted with MD5.
  • C. seeded with a secure random value.
  • D. as complex as possible.


Answer : D

Why is it important to carefully set the permissions for a content provider?

  • A. It controls how data will be deleted from the app database
  • B. It controls how well the content resolver will perform
  • C. It controls how other apps can access the content
  • D. It controls how the content is transmitted


Answer : C

Which of the following describes a way to perform certificate pinning in an SSL Android application?

  • A. Use a KeyManager with a client-side SSL certificate so that mutual authentication will fail if the server's certificate changes.
  • B. Use the httpsURLConnectionPinned method to ensure certificate pinning is enabled.
  • C. Use a TrustManager that is based on a KeyManager specifying the public key associated with the private key that the server should be using.
  • D. Use a TrustManager that is based on a KeyStore containing only the specific certificate(s) that the server should be using.


Answer : D

To prevent a component from being publicly accessible via Intents, the developer can:

  • A. set the attribute android:exported=false in the manifest.
  • B. declare the method as private in the Java source.
  • C. sign the app because Android protects component access by verifying digital signatures.
  • D. add an Intent Filter with the attribute of “private”.


Answer : A

Which of the following is true regarding DNS?

  • A. Each DNS request is uniquely encrypted
  • B. DNS security is by design difficult to tamper
  • C. Secure host name resolution is assured globally by ICANN
  • D. DNS on most public Wi-Fi has little security


Answer : D
