
CompTIA ADR-001

CompTIA Mobile App Security+ Certification Exam
(Android Edition)
Version: 4.0

CompTIA ADR-001 Exam
QUESTION NO: 1

Which of the following is a reason to take mobile app security seriously when developing a social
networking app that does NOT accept payments? (Select TWO).

A. PCI-DSS regulations
B. Consumer privacy expectations and regulations
C. HIPAA regulations
D. FIPS compliance
E. Company reputation

Answer: B,E
Explanation:

QUESTION NO: 2

Which of the following accurately explains why many people criticize the use of a unique hardware
ID such as IMEI/MEID to identify users? (Select TWO).

A. The hardware ID can be traced to an individual user and help track activity over time and
across apps
B. The hardware ID unlocks encryption on the device
C. Companies encode email addresses directly into the hardware ID
D. Hardware ID values are easily predictable
E. Users cannot selectively block apps’ access to it

Answer: A,E
Explanation:

QUESTION NO: 3

Which of the following attempts to inhibit an application from being trojanized and proliferating?

A. Tamper protection in code.
B. Encrypting config file.
C. Ensure appropriate permissions are deployed to every component.
D. Login credentials delivered over network with HTTPS.

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 2

QUESTION NO: 4

Which of the following is fundamental to MOST transport layer encryption implementations?

A. Device passcode
B. Obfuscation
C. HTTPS
D. Keychain

Answer: C
Explanation:

QUESTION NO: 5

Which of the following can be performed to find security design flaws in mobile apps prior to
writing code?

A. Threat modeling
B. Penetration testing
C. Static source code analysis
D. Dynamic validation testing

Answer: A
Explanation:

QUESTION NO: 6

Which of the following methodologies is BEST for a developer to find input validation weaknesses
in their own mobile app source code?

A. Disassembly of mobile app executable
B. Threat modeling
C. Fuzz testing an app’s attack surface
D. Single stepping an app through a debugger

Answer: C
Explanation:

QUESTION NO: 7

Which of the following techniques are useful in a secure software development process? (Select
TWO).

A. Cross platform compatibility testing with HTML5
B. Using hardware encryption to protect all data on the device
C. Static code analysis
D. Abuse/misuse case analysis
E. Implementation of two-factor authentication

Answer: C,D
Explanation:

QUESTION NO: 8

Which of the following will LEAST likely be detected through source code analysis?

A. Improper certificate validation
B. Buffer overflow vulnerability
C. Improper build process
D. Hardcoded credentials

Answer: C
Explanation:

QUESTION NO: 9

Which of the following is the MOST reliable form of input validation?

A. Positive validation of input data using regular expression processing
B. Base64 encoding of input data
C. Validating the bounds of input data using a character set
D. HTML or URI encoding of input data and ensuring Unicode support

Answer: A
Explanation:

QUESTION NO: 10

When handling sensitive data with Android apps, which of the following storage strategies is
MOST secure?

A. Store data on device using encryption, with encryption key managed on the server
B. Prompt users to enable encryption
C. Store sensitive data locally in XML protected with file permissions
D. Store sensitive data on the server

Answer: D
Explanation:

QUESTION NO: 11

Which of the following describes a best practice in a software system?

A. Security through obscurity
B. Hardcoded encryption keys
C. Principle of least privilege
D. Trust session implicitly

Answer: C
Explanation:

QUESTION NO: 12

Which of the following provides an enumeration of software weaknesses to be avoided?

A. Open IOC (MANDIANT)
B. Metasploit Framework (RAPID7)
C. NVD (NIST)
D. CWE (MITRE)

Answer: D
Explanation:

QUESTION NO: 13

A developer is using a third-party cloud service via Web APIs for backup of unencrypted user
photos. The use of this service is invisible to the end user. Incorporation of this service into the
application introduces which potential key security risk?

A. User data breach on cloud provider’s systems
B. Breaking backward compatibility
C. Reflected XSS
D. Application instability in case of cloud provider outage

Answer: A
Explanation:

QUESTION NO: 14

Which of the following is true regarding DNS?

A. Each DNS request is uniquely encrypted
B. DNS security is by design difficult to tamper
C. Secure host name resolution is assured globally by ICANN
D. DNS on most public Wi-Fi has little security

Answer: D
Explanation:

QUESTION NO: 15

Which of the following is an effective means of confirming data integrity?

A. File access control
B. Set the No execute (NX) bit on data segment in memory
C. Base64 encoding
D. Digital signatures

Answer: D
Explanation:

QUESTION NO: 16

When reviewing the security architecture of a mobile app, which of the following is the MOST
important piece of data to start with?

A. UI wireframes and process flows
B. Diagram/flowchart of all app components
C. Source code
D. Test plans

Answer: B
Explanation:

QUESTION NO: 17

An architectural review is BEST for finding which of the following security defects?

A. Malware infection vectors
B. SQL or other injection flaws
C. Design flaws
D. Zero-day vulnerabilities

Answer: C
Explanation:

QUESTION NO: 18

Which of the following describes a security risk that may have to be accepted when using a
commercial cross-platform mobile application framework?

A. Allowing code to run outside the app sandbox
B. Installing HTML 5 support on user device
C. Digest authentication without HTTPS
D. Using native code libraries without source code review

Answer: D
Explanation:

QUESTION NO: 19

In an application architecture diagram, what categories of weaknesses are considered using
Microsoft’s threat modeling process?

A. Man-in-the-middle, Data injection, SQL Injection, Malware, Zero-day exploits
B. Damage, Reproducibility, Exploitability, Affected users, Discoverability
C. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of
privilege
D. Cross site scripting, Clickjacking, Data input validation, SSL, RSA security, Buffer overflow,
Heap smashing, ARP injection

Answer: C
Explanation:

QUESTION NO: 20

Android’s kernel-level app sandbox provides security by:

A. assigning a unique user ID (UID) to each app and running in a separate process.
B. running all apps under an unprivileged group ID (GID).
C. restricting read access to an app’s package to the kernel process.
D. preventing an app’s data files from being read by any running process.

Answer: A
Explanation:

QUESTION NO: 21

The digital certificate used to sign the production release should be:

A. regenerated for each version of the app.
B. stored inside the app package before deployment.
C. stored in a secure location separate from the passphrase.
D. stored with the source code so all developers can build the app.

Answer: C
Explanation:

QUESTION NO: 22

Which statement about native code in apps is TRUE?

A. Native code is faster because it runs as a separate user ID (UID) giving it direct access to
restricted APIs.
B. Native code is run under the same user ID (UID) as the Java app and therefore comes under
the same sandbox restrictions.
C. Native code is executed by the kernel with increased privileges and is mainly used for root
operations.
D. Native code runs outside the Dalvik VM and therefore is not restricted by the sandbox.

Answer: B
Explanation:

QUESTION NO: 23

When an app creates a configuration file in its private data directory, the developer should ensure:

A. that the file path is determined with getExternalStorageDirectory().
B. that the file is created world writable.
C. that file ownership is set to system.
D. that the file is not created world readable.

Answer: D
Explanation:

QUESTION NO: 24

An example of APIs protected by permissions would be: (Select TWO).

A. SIM card access
B. Telephony functions
C. File handling functions
D. Encryption functions
E. Network/data connections

Answer: B,E
Explanation:

QUESTION NO: 25

An app accessing protected APIs should use which manifest declaration?

A. app-permissions
B. add-permissions
C. grant-permission
D. uses-permission

Answer: D
Explanation:

QUESTION NO: 26

The MOST likely reason the developer might want to define their own permission in the manifest is
because:

A. they wish to ensure that only their app has the permission to launch their activities or access
their private data.
B. they wish to prevent the user from granting access to protected functionality by mistake.
C. they wish to define a permission to access system APIs and native libraries.
D. they wish to restrict access to a function in their app to only those apps which are specifically
granted access by the user.

Answer: D
Explanation:

QUESTION NO: 27

Valid permission protection levels are: (Select TWO).

A. private
B. signature
C. user
D. public
E. dangerous

Answer: B,E
Explanation:

QUESTION NO: 28

The checkCallingPermission() method is used when:

A. the app needs to determine what permission is required for it to make a call.
B. the app needs to determine if it should allow an incoming call from another app.
C. the app needs to determine whether it has permission to make a call.
D. the app needs to determine what permissions are required to call a specific API.

Answer: B
Explanation:

QUESTION NO: 29

Which of the following is a more secure way for a developer to give third-party apps temporary
access to resources in their app, such as opening attachments in an external editor?

A. Make use of grantTempAccess()
B. Make use of per-URI permissions
C. Temporarily make files world readable
D. Temporarily store files on SD Card

Answer: B
Explanation:

QUESTION NO: 30

Adding an Intent Filter to an Activity could cause a security issue because:

A. activities with Intent Filters are unprivileged by default.
B. it bypasses Android’s default filters.
C. activities with Intent Filters are exported by default.
D. it violates the Android sandbox security model.

Answer: C
Explanation:

QUESTION NO: 31

To prevent a component from being publicly accessible via Intents the developer can:

A. set the attribute android:exported=false in the manifest.
B. declare the method as private in the Java source.
C. sign the app because Android protects component access by verifying digital signatures.
D. add an Intent Filter with the attribute of “private”.

Answer: A
Explanation:

QUESTION NO: 32

Implicit Broadcast Intents:

A. cannot be secured from interception as they are public by nature.
B. cannot be secured from interception without changing to an Explicit Intent.
C. can be secured from interception with a permission.
D. can be secured by specifying the receiving threshold to system apps.

Answer: C
Explanation:

QUESTION NO: 33

To protect a Content Provider from abuse a developer might implement:

A. An app-based firewall for the Content Provider
B. An export attribute to offload permission checking
C. A content type to prevent dangerous type requests
D. A selection clause to prevent SQL Injection

Answer: D
Explanation:

QUESTION NO: 34

An Intent Sniffing attack is where:

A. a malicious app intercepts network communications to capture Intent traffic.
B. cached Intent messages are read from storage by an attacker.
C. Intent declarations are read from the manifest in order to construct spoof Intents.
D. a malicious app registers to receive public broadcasts in order to intercept data.

Answer: D
Explanation:

QUESTION NO: 35

Fine grained permission control for Content Providers can be achieved with:

A. android:ReadWritePermission.
B. android:ContentPermissions.
C. android:ProviderPermission.
D. android:grantUriPermissions.

Answer: D
Explanation:

QUESTION NO: 36

If using a WebView to serve assets contained within the app package, it is good practice to also:

A. enable Plugins support for the WebView.
B. add JavaScript handlers for the WebView.
C. disable dynamic content handlers for the WebView.
D. disable local file system access from the WebView.

Answer: D
Explanation:

QUESTION NO: 37

When an app “logs out” of a back end system the developer should also ensure:

A. app jumps to device home screen, clearing the data from the previous session.
B. GUI components displaying data while logged in are destroyed as Android does not do this.
C. app switches back to login screen forcing the user to re-login to view the data.
D. app maintains the state of the session ID in the key chain.

Answer: B
Explanation:

QUESTION NO: 38

Why should a developer ensure the debug flag is set to “false” in the manifest for a production
build?

A. It prevents malware from being able to connect to the debug socket and take control of the app.
B. It prevents debug messages from showing up in the log.
C. It prevents an attacker from being able to reverse engineer the app.
D. It prevents an attacker from communicating with the app over the debug bridge.

Answer: A
Explanation:

QUESTION NO: 39

The filterTouchesWhenObscured property helps protect against which of the following attacks?

A. Tap Jacking
B. Intent Hijacking
C. Screen Bypass
D. Key Logging

Answer: A
Explanation:

QUESTION NO: 40

Which of the following describes a process by which one party confirms the identity of another
party?

A. Authentication
B. Integrity verification
C. Diffie-Hellman key exchange
D. Handshake protocol

Answer: A
Explanation:

QUESTION NO: 41

An attacker intercepts and potentially tampers with communication between two entities without
the knowledge of either of the two entities. This BEST describes which of the following attacks?

A. SOCKS proxy attack
B. Man-in-the-middle attack
C. TCP relay attack
D. ARP poisoning attack

Answer: B
Explanation:

QUESTION NO: 42

A developer has written an Android application that uses the HttpURLConnection API to
communicate with a backend server. Which of the following is the simplest method to protect the
network communications of the application?

A. Purchase an SSL library from a major vendor and integrate it into the application to protect the
HttpURLConnection.
B. Add the call setSecureSocket(true) to each HttpURLConnection object immediately after it is
created.
C. Replace every HttpURLConnection object with an HttpsURLConnection API.
D. Call Android’s built-in AES and RC-4 encryption implementations.

Answer: C
Explanation:

QUESTION NO: 43

Which of the following BEST describes the responsibility of a TrustManager object when used in
an Android application with SSL?

A. The TrustManager verifies that a Certificate Authority truly did issue a server’s SSL certificate
by using the Online Certificate Status Protocol (OCSP).
B. The TrustManager manages the client-side SSL certificate that the Android application will
present to a server for mutual authentication.
C. The TrustManager makes decisions on if a server’s SSL certificate should be trusted, by
allowing the developer to specify which certificates should be allowed.
D. The TrustManager verifies that a server’s SSL certificate has not been revoked by checking the
Certificate Authority’s Certificate Revocation List (CRL).

Answer: C
Explanation:

QUESTION NO: 44

Which of the following describes a way to perform certificate pinning in an SSL Android
application?

A. Use a KeyManager with a client-side SSL certificate so that mutual authentication will fail if the
server’s certificate changes.
B. Use the httpsURLConnectionPinned method to ensure certificate pinning is enabled.
C. Use a TrustManager that is based on a KeyManager specifying the public key associated with
the private key that the server should be using.
D. Use a TrustManager that is based on a KeyStore containing only the specific certificate(s) that
the server should be using.

Answer: D
Explanation:

QUESTION NO: 45

What does a KeyStore do in the Android SSL implementation?

A. Stores only private keys associated with certificates, which are stored elsewhere in the resources section of an Android application.
B. Stores certificates and associated private keys in an encrypted form.
C. Provides a device-wide repository to safely store passwords so any other applications or users
of the device cannot access them.
D. Stores certificates and associated private keys, but does not encrypt them.

Answer: B
Explanation:

QUESTION NO: 46

What additional task is accomplished by using mutual-authentication SSL as opposed to standard
SSL?

A. The client performs an extra validation to ensure the integrity of the Root Certificate Authorities.
B. The identity of the Certificate Authority that issued the server’s SSL certificate is validated in
addition to that of the server itself.
C. The Android application (the client) supplies a certificate to identify itself in addition to the
server performing the same task, so that the client’s identity is authenticated to the server.
D. The client decides to reject or accept the connection with the server based on its own criteria
about the validity of the server’s SSL certificate.

Answer: C
Explanation:

QUESTION NO: 47

How does HTTP Basic Authentication work?

A. A client-specific secret value is combined with a server-specific secret value to form a master
secret, which is then used to sign all communications.
B. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
returned on each subsequent request.
C. A digital signature is generated of the request using the client’s private key and sent to the
server.
D. A username and password are combined into a string on the client, base 64 encoded, and then
sent to the server as an HTTP header.

Answer: D
Explanation:

QUESTION NO: 48

How does HTTP Digest Authentication work?

A. A wrapping envelope is constructed including the message body, the client’s SSL certificate,
and a master secret value, and sent to the server.
B. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
returned on each subsequent request.
C. A digital signature is computed on the entire message body using the client’s private key and
subsequently included along with the request for all future communications.
D. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
used in a computation of a hash involving the username, password, nonce, and some other
values.

Answer: D
Explanation:

QUESTION NO: 49

What is an advantage of mutually authenticated SSL over standard HTTP authentication
methods?

A. Mutually authenticated SSL is faster than HTTP authentication.
B. Client credentials (passwords/private keys) are not required to be transmitted over the network
in any form.
C. Mutually authenticated SSL requires stronger encryption algorithms.
D. Mutually authenticated SSL requires the use of a client-side certificate issued by a Certificate
Authority.

Answer: B
Explanation:

QUESTION NO: 50

What are two advantages to using OAuth as the authentication method for an Android application
to access a web application or service? (Select TWO).

A. OAuth integrates seamlessly into a mobile application, never requiring the user to interact with the web application or service in question
B. OAuth only maintains long and complex passwords for users of the Android application so the
users do not have to remember them.
C. The application does not need to ever know the user’s login credentials.
D. In the event the device running the application is lost or stolen, the OAuth credentials issued to
it can be revoked by the application’s server.
E. OAuth enables both ends of an SSL tunnel to authenticate each other.

Answer: C,D
Explanation:

QUESTION NO: 51

A developer is designing a very sensitive web application that will be accessed by both desktop
web browsers and mobile Android applications. What is one way the developer can implement a
multi-factor authentication system for these users?

A. Have the user memorize a PIN in addition to their password and require them to supply both
when attempting to log in.
B. Have the user answer a security question once they authenticate using their username and
password.
C. Require a one-time-use code sent via an SMS message in addition to a username and
password.
D. Have the user supply their last password in addition to their current password when they
attempt to log in.

Answer: C
Explanation:

QUESTION NO: 52

Which of the following is a disadvantage of using a static embedded API Key for client
authentication to a web service?

A. API Keys require the use of a certificate issued by a commercial Certificate Authority.
B. API Keys are used with asymmetric cryptography, which is slow and can negatively impact the
performance of the client application.
C. API Keys cannot be transmitted over HTTPS, so they are open to compromise.
D. API Keys can be discovered and abused by an attacker.

Answer: D
Explanation:

QUESTION NO: 53

Which of the following defines why it is important for a developer to deploy known-good (whitelist)
input validation for all requests made to a web service API?

A. Known-good validation ensures that all inputs are in an expected format and are valid before
processing them. As requests to the API come over the network, they must be considered
untrusted.
B. Known-good (whitelist) can be performed much faster than known-bad input validation.
C. Known-good input validation is the only way to prevent command (SQL) injection attacks and
since web services are typically integrated with a backend SQL database, this checking ensures
the integrity and confidentiality of the database.
D. Known-good input validation first checks to ensure that incoming requests are being made by a
valid and known client before beginning to process them, so that inputs from attackers are never
processed, thus protecting the web service.

Answer: A
Explanation:

QUESTION NO: 54

Once an Android client has authenticated to a web service, what must be done on the server-side
to ensure correct authorization checks are being performed?

A. For each request that is considered more sensitive than previous ones, force the client to re-
authenticate so that the user’s identity can be confirmed.
B. For each request, check the session token to verify the client has been authorized for that
device and session.
C. For each request, ensure that the client is authenticated and that the specific Android device
identified in the request is the same as for the last request.
D. For each request, ensure that the client is authenticated and that the specific client is
authorized to perform the specific action on the specific data.

Answer: D
Explanation:

QUESTION NO: 55

Why must Android clients perform input validation on data received from publicly accessible web
service API calls?

A. As the data is being received over the network from public services, it must be treated as
untrusted input with potential malicious intent.
B. Publicly accessible web service APIs must be accessed using HTTP and not HTTPS, so an
attacker could modify the data on the network as it is passed from the server to the Android
application.
C. Data frequently becomes corrupted over unreliable cellular networks.
D. JSON objects transmitted by RESTful web services are not structured in the same manner as
SOAP objects, so input validation is necessary to prevent one from being parsed as the other and
exposing potentially hidden malicious code.

Answer: A
Explanation:

QUESTION NO: 56

Which of the following is the primary reason for web services to output encode all data sent to
Android application clients?

A. Output encoding eliminates the need for the client to perform input validation, as the server has
already ensured that all data being passed to the client is safe.
B. Output encoding ensures that an attacker who can view network traffic cannot read the
communications between the server and the client.
C. Output encoding is required for the data to be sent over an SSL channel.
D. Output encoding ensures that the client will treat all data received as data and not as
executable scripts.

Answer: D
Explanation:

QUESTION NO: 57

What two types of input validation should a developer implement for a web server that will be
implementing SOAP-based web services? (Select TWO).

A. Validation that all objects received are digitally signed using XML Signatures.
B. Validation that all requests only contain ASCII alphanumeric characters.
C. Validation against recursive payloads.
D. Validation that all payloads and entity names are of valid sizes.
E. Validation against their SOAP pattern.

Answer: C,D
Explanation:

QUESTION NO: 58

Why is it necessary to pass session tokens over a secure, encrypted channel?

A. Revealing the session token over an unsecured channel would allow an attacker to determine
the private key used to generate the token.
B. Session tokens can be used to reveal the physical location of the Android device.
C. Session tokens contain the user password.
D. Session tokens can be presented to the application allowing an attacker to impersonate a valid
user.

Answer: D
Explanation:

QUESTION NO: 59

Why should the Secure attribute be set on any session cookie sent to an Android application?

A. This attribute instructs the device to store the cookie in an encrypted region of the device
storage.
B. This attribute requests the client to only send the cookie over an HTTPS connection.
C. This attribute encrypts the cookie so that if it is compromised, it cannot be used.
D. This attribute ensures that session cookies are generated in a random fashion.

Answer: B
Explanation:

QUESTION NO: 60

Which of the following describes the purpose of the HTTPOnly cookie attribute?

A. This attribute ensures that such cookies are only sent over HTTP connections and not over
SSL making them unusable.
B. This attribute requests that clients use the cookie only for HTTP connections and not expose it
to client-side scripting.
C. This attribute requests that other protocols cannot access such cookies.
D. This attribute ensures that such cookies are only transmitted over an encrypted connection.

Answer: B
Explanation:

QUESTION NO: 61

Which of the following statements is TRUE about session tokens?

A. Session tokens should be unpredictable and be short to derive a maximum security benefit with
minimal storage.
B. Session tokens should be reused every time a particular user logs in.
C. Session tokens should be an obfuscated or encrypted version of the user’s ID.
D. Session tokens should be unpredictable, of sufficient length and contain no information about
the user.

Answer: D
Explanation:

QUESTION NO: 62

Why should a developer add a ‘salt’ to a password?

A. To make the password easier to process.
B. To make it harder to look up in a pre-computed table.
C. To allow the password to be hashed.
D. To enable reversible encryption.

Answer: B
Explanation:

QUESTION NO: 63

When generating a key from a password, why would a developer want to iterate this process many
times?

A. To make brute force attempts more expensive.
B. To ensure there is enough entropy.
C. To shrink the length of long passwords.
D. To generate extra processing cycles.

Answer: A
Explanation:

QUESTION NO: 64

What is meant by a one-way function?

A. The input cannot be calculated from the output.
B. The function can only have an integer input.
C. The function can only be called from the parent class.
D. The function has no inputs only outputs.

Answer: A
Explanation:

QUESTION NO: 65

Which of the following in asymmetric encryption should NOT be transmitted?

A. The private key
B. A hash of the public key
C. The public key
D. A hash of the private key

Answer: A
Explanation:

QUESTION NO: 66

On an unencrypted rooted Android device, which of the following BEST describes which data is
recoverable?

A. Active data and some deleted data.
B. Active data and none of the deleted data.
C. Only some active data and no deleted data.
D. Only some active data and some deleted data.

Answer: A
Explanation:

QUESTION NO: 67

Which of the following is true regarding apps running on rooted devices?

A. Google Play will remove any app running on a rooted device.
B. The developer can attempt to prevent the app from running on rooted devices.
C. By default Android automatically prevents apps from running on a rooted device.
D. The handset manufacturers control which apps can run on rooted devices.

Answer: B
Explanation:

QUESTION NO: 68

A SQL database password should be:

A. memorable for development purposes.
B. encrypted with MD5.
C. seeded with a secure random value.
D. as complex as possible.

Answer: D
Explanation:

QUESTION NO: 69

Unencrypted temporary private user data cached in the application directory should be:

A. moved to the SD card.
B. wiped on app shut down.
C. hashed to avoid recovery.
D. wiped when no longer needed.

Answer: D
Explanation:

QUESTION NO: 70

Which of the following must be protected in a symmetric encryption system?

A. The cipher text
B. The key
C. The algorithm
D. The initialization vector

Answer: B
Explanation:

QUESTION NO: 71

Signing data with a digital signature: (Select TWO)

A. allows it to be decrypted.
B. requires a public key to verify.
C. requires a private key to verify.
D. allows one to see if it has not been modified.
E. encrypts the data.

Answer: B,D
Explanation:

QUESTION NO: 72

When implementing encryption which of the following is the MOST important factor to ensure it will
be secure?

A. Key management
B. Ensuring the device has high entropy
C. Using AES over 3DES
D. Only implement on devices with GPU

Answer: A
Explanation:

QUESTION NO: 73

When storing a PIN used to log on to the app, by applying a cryptographic hash function a
developer will:

A. provide plausible deniability.
B. mitigate the salt used with the password.
C. mitigate the location of the encrypted data.
D. mitigate the password from being recovered.

Answer: D
Explanation:

QUESTION NO: 74

When applying PBKDF2 to a password, what would be the MORE secure number of iterations to
use?

A. 100
B. 1,000
C. 2,000
D. 10,000

Answer: D
Explanation:

QUESTION NO: 75

What is the point of using an initialization vector in encryption? (Select TWO).

A. It stops readable patterns from forming
B. It creates randomization
C. It adds geometry to the encryption
D. It is required for any encryption process
E. It removes the need for the public key

Answer: A,B
Explanation:

QUESTION NO: 76

A one-time pad is considered cryptographically secure. Which are two ways it can be broken?
(Select TWO).

A. By not having an accurate clock with the pad
B. If the repeated use of one pad occurs
C. By losing one of the complete pads
D. If too much randomness is used in the pad generation
E. If XOR is used to apply the one-time pad

Answer: B,C
Explanation:

QUESTION NO: 77

Session keys are useful because:

A. they temporarily provide a mechanism to maintain the state of user interaction.
B. they are generated on the Android device locally upon startup.
C. there is only one key to generate.
D. they are more secure than public/private keys.

Answer: A
Explanation:

QUESTION NO: 78

In public key cryptography which problem can occur when the public key is transmitted?

A. The initialization vector can be determined
B. The public key can be replaced with a different one
C. The hash of the data can be decrypted with the private key
D. The private key can be calculated from the public one

Answer: B
Explanation:

QUESTION NO: 79

A file with Unix permissions ‘700’ allows:

A. all users to read, write and execute.
B. full access to the app that created it and no other apps.
C. only the system and root access.
D. for protected storage on the shared SD card.

Answer: B
Explanation:

QUESTION NO: 80

In the AndroidManifest.xml file which element is used to define the permissions an app is
requesting access to?

A. <uses-permission>
B. <permission>
C. <grant-uri-permissions>
D. <activity>

Answer: A
Explanation:

QUESTION NO: 81

How should a developer securely share data between applications?

A. Using file permissions on the SD card
B. Creating world-readable files in the application directory
C. Defining content providers with permissions
D. Using a shared SQLite database

Answer: C
Explanation:

QUESTION NO: 82

Why are file permissions important to security?

A. They prevent files from being transmitted to another device.
B. They hide files in the file system.
C. They provide links to files outside the sandbox.
D. They determine which processes can read files.

Answer: D
Explanation:

QUESTION NO: 83

Which of the following is TRUE regarding permissions?

A. Users cannot review permissions before installing an app
B. Android permissions do not change between versions
C. Over-permissioned apps increase the risk to the end user
D. Apps are granted access to contacts data without requesting permissions

Answer: C
Explanation:

QUESTION NO: 84

Why is it important to carefully set the permissions for a content provider?

A. It controls how data will be deleted from the app database
B. It controls how well the content resolver will perform
C. It controls how other apps can access the content
D. It controls how the content is transmitted

Answer: C
Explanation:

QUESTION NO: 85

Which of the following are widely considered appropriate uses of reverse engineering? (Select
TWO).

A. Malware analysis
B. Enabling software features
C. Cracking
D. Software interoperability
E. Creating cloned products

Answer: A,D
Explanation:

QUESTION NO: 86

Which of the following defines the difference between static and dynamic analysis of an
application?

A. Static analysis can be used against encrypted code and is able to determine the actual
instructions running on a device, while dynamic analysis is easily fooled when code is encrypted.
B. Static analysis consists of examining an application’s code as it is provided, while dynamic
analysis consists of examining the application as it runs on an emulator or other debugging
environment.
C. Static analysis is focused solely on the recovery of string and hardcoded values while dynamic
analysis aims to understand the function of the code itself.
D. Static analysis requires a dataflow-modeling tool to examine all data paths, while dynamic
analysis can be conducted using only an Android device.

Answer: B
Explanation:

QUESTION NO: 87

What is the reverse engineering countermeasure tool that is provided with the standard Android
SDK?

A. Eclipse
B. ProGuard
C. Bouncer
D. Ant

Answer: B
Explanation:

QUESTION NO: 88

Which of the following must be done on a typical Android project to enable reverse engineering
countermeasures provided with the standard Android SDK?

A. Ensure that a ProGuard configuration file exists and add a proguard.config statement to the
project’s property file that references the location of the configuration file.
B. Enable Bouncer using the Eclipse Bouncer plugin.
C. Create a dump.txt file that describes the internal structure of the application in question and
point the Dalvik VM startup properties to the file.
D. Add a custom property to the Android Manifest.

Answer: A
Explanation:

QUESTION NO: 89

Which of the following is the primary reverse engineering countermeasure provided with the
standard Android SDK?

A. All code is encrypted and only decrypted in memory so that analysis of the APK itself is
impossible.
B. Code is compressed using lossy compression so that the original source code cannot be
recovered.
C. Names of classes, variables, and other constructs are all renamed to non-descript and similar
names.
D. Checks are made with the Google Play licensing servers to ensure that an application has been
properly purchased.

Answer: C
Explanation:

QUESTION NO: 90

Which of the following BEST describes a process or mechanism to thwart reverse engineering
through software fault injection?

A. Dumping stack trace information
B. Handling of program exceptions
C. Altering of class names and/or method names
D. Eliminating dead, i.e. unreachable, code

Answer: B
Explanation:

QUESTION NO: 91

Which of the following mechanisms is MOST commonly used when attempting a privileged
operation?

A. A public method interface to private data fields.
B. A private package containing only the privileged instructions.
C. A try/catch/finally block.
D. A security manager directive.

Answer: C
Explanation:

QUESTION NO: 92

What level of security is provided by placing sensitive methods and data inside its own Java
package?

A. High security, as only approved Java classes and methods inside the package can access the
package’s data and methods
B. Minimal security, as any java file can declare itself as part of the same package, and thus have
access to that package’s data and methods
C. Medium security, as it depends on whether the sensitive methods and data are declared public
vs. private
D. Minimal security unless all the methods are declared final

Answer: B
Explanation:

QUESTION NO: 93

When handling sensitive data inside an exception block, it is BEST to do which of the following
before returning control flow to the application?

A. Log the sensitive data so that the security team can better determine what problem occurred.
B. Identify any known malware or attack signatures in the sensitive data.
C. Purge the sensitive data so that the users’ privacy is protected.
D. Carefully quarantine the sensitive data.

Answer: C
Explanation:

QUESTION NO: 94

As a general best practice when logging application data which of the following is the BEST
approach?

A. Log verbosely to the syslog.
B. Log everything so that the security team can figure out what occurred.
C. Log the operationally critical data, while preventing private data from being logged.
D. Log the critical data and quarantine anything sensitive in a separate log file.

Answer: C
Explanation:

QUESTION NO: 95

Which of the following sensitive data items must be protected in transit at all times?

A. Username, password, and session tokens require protection
B. Only the username and session token, as long as the password is hashed using a
cryptographically secure hash function
C. Only the password
D. Username and password require protection. Session tokens do not, as they are randomly
generated.

Answer: A
Explanation:

QUESTION NO: 96

Which of the following attempts to prevent JavaScript from accessing a session cookie in a mobile
browser?

A. Both HttpOnly and Secure attributes
B. HttpOnly attribute
C. Cookie permission settings
D. Use of super cookie

Answer: B
Explanation:

QUESTION NO: 97

Why is following defined naming conventions when coding important to security?

A. To enhance the readability of the code and help prevent future developers from introducing
flaws
B. To ease text searches using text editors, grep, etc.
C. To avoid namespace collisions with other code
D. So that static code analysis tools can more easily understand the code and detect
vulnerabilities

Answer: A
Explanation:

QUESTION NO: 98

Failing to declare a class final can enable which of the following attacks on a developer’s code?

A. Session hijacking via compromised session cookies
B. Decompilation of java class files (including those in APK files), revealing sensitive data
C. Attacker can use data injection (e.g., SQL injection, Cross-site scripting) to corrupt data in the
application or the DOM
D. Attacker can potentially extend a class and define new methods that access sensitive data from
inside the scope of the class

Answer: D
Explanation:

QUESTION NO: 99

If a Java package contains sensitive data in one or more classes, and the data is declared public,
what attacks does that expose?

A. Public data can be intercepted in transit using network sniffing tools.
B. Malicious code can declare itself as part of the same package, and directly access the public
data with no means of protection.
C. Public data can be accessed (read-write) via HTTP POST/POST arguments.
D. The sensitive public data gets cached on the Java server, and is thus searchable using
traditional enterprise intranet search tools.

Answer: B
Explanation:

QUESTION NO: 100

Which of the following describes why a developer should define private wrappers around native
and public native methods?

A. To prevent untrusted callers from invoking native methods.
B. To filter data that is sent to the native methods.
C. Because native methods cannot be called directly.
D. To impose naming convention on methods.

Answer: A
Explanation:

QUESTION NO: 101

Which of the following describes what is wrong with the following sample code?

public class MyActivity extends Activity {
    public void onCreate(Bundle myBundle) {
        foo();

A. The method onCreate must be private.
B. A developer cannot extend Activity.
C. A call is missing to super.onCreate(myBundle).
D. The class MyActivity must be private.

Answer: C
Explanation:

QUESTION NO: 102

Which of the following is true about methods that receive an array as a parameter?

A. The developer should never use an array as a parameter because it will cause a buffer
overflow.
B. The developer should expose the array so it can be modified outside the class.
C. The developer should clear the array first.
D. The developer should clone the array object and store the copy.

Answer: D
