Comptia Adr-001
QUESTION NO: 1
Which of the following is a reason to take mobile app security seriously when developing a social
networking app that does NOT accept payments? (Select TWO).
A. PCI-DSS regulations
B. Consumer privacy expectations and regulations
C. HIPAA regulations
D. FIPS compliance
E. Company reputation
Answer: B,E
Explanation:
QUESTION NO: 2
Which of the following accurately explains why many people criticize the use of a unique hardware
ID such as IMEI/MEID to identify users? (Select TWO).
A. The hardware ID can be traced to an individual user and help track activity over time and
across apps
B. The hardware ID unlocks encryption on the device
C. Companies encode email addresses directly into the hardware ID
D. Hardware ID values are easily predictable
E. Users cannot selectively block apps’ access to it
Answer: A,E
Explanation:
QUESTION NO: 3
Which of the following attempts to inhibit an application from being trojanized and proliferating?
Answer: A
Explanation:
QUESTION NO: 4
A. Device passcode
B. Obfuscation
C. HTTPS
D. Keychain
Answer: C
Explanation:
QUESTION NO: 5
Which of the following can be performed to find security design flaws in mobile apps prior to
writing code?
A. Threat modeling
B. Penetration testing
C. Static source code analysis
D. Dynamic validation testing
Answer: A
Explanation:
QUESTION NO: 6
Which of the following methodologies is BEST for a developer to find input validation weaknesses
in their own mobile app source code?
Answer: C
Explanation:
QUESTION NO: 7
Which of the following techniques are useful in a secure software development process? (Select
TWO).
Answer: C,D
Explanation:
QUESTION NO: 8
Which of the following will LEAST likely be detected through source code analysis?
Answer: C
Explanation:
QUESTION NO: 9
Answer: A
Explanation:
QUESTION NO: 10
When handling sensitive data with Android apps, which of the following storage strategies is
MOST secure?
A. Store data on device using encryption, with encryption key managed on the server
B. Prompt users to enable encryption
C. Store sensitive data locally in XML protected with file permissions
D. Store sensitive data on the server
Answer: D
Explanation:
QUESTION NO: 11
Answer: C
Explanation:
QUESTION NO: 12
Answer: D
Explanation:
QUESTION NO: 13
A developer is using a third-party cloud service via Web APIs for backup of unencrypted user
photos. The use of this service is invisible to the end user. Incorporation of this service into the
application introduces which potential key security risk?
Answer: A
Explanation:
QUESTION NO: 14
Answer: D
Explanation:
QUESTION NO: 15
Answer: D
Explanation:
QUESTION NO: 16
When reviewing the security architecture of a mobile app, which of the following is the MOST
important piece of data to start with?
Answer: B
Explanation:
QUESTION NO: 17
An architectural review is BEST for finding which of the following security defects?
Answer: C
Explanation:
QUESTION NO: 18
Which of the following describes a security risk that may have to be accepted when using a
commercial cross-platform mobile application framework?
Answer: D
Explanation:
QUESTION NO: 19
Answer: C
Explanation:
QUESTION NO: 20
A. assigning a unique user ID (UID) to each app and running in a separate process.
B. running all apps under an unprivileged group ID (GID).
C. restricting read access to an app’s package to the kernel process.
D. preventing an app’s data files from being read by any running process.
Answer: A
Explanation:
QUESTION NO: 21
The digital certificate used to sign the production release should be:
Answer: C
Explanation:
QUESTION NO: 22
A. Native code is faster because it runs as a separate user ID (UID) giving it direct access to
restricted APIs.
B. Native code is run under the same user ID (UID) as the Java app and therefore comes under
the same sandbox restrictions.
C. Native code is executed by the kernel with increased privileges and is mainly used for root
operations.
D. Native code runs outside the Dalvik VM and therefore is not restricted by the sandbox.
Answer: B
Explanation:
QUESTION NO: 23
When an app creates a configuration file in its private data directory the developer should ensure:
Answer: D
Explanation:
QUESTION NO: 24
QUESTION NO: 25
A. app-permissions
B. add-permissions
C. grant-permission
D. uses-permission
Answer: D
Explanation:
QUESTION NO: 26
The MOST likely reason the developer might want to define their own permission in the manifest is
because:
A. they wish to ensure that only their app has the permission to launch their activities or access
their private data.
B. they wish to prevent the user from granting access to protected functionality by mistake.
C. they wish to define a permission to access system APIs and native libraries.
D. they wish to restrict access to a function in their app to only those apps which are specifically
granted access by the user.
Answer: D
Explanation:
QUESTION NO: 27
A. private
B. signature
C. user
D. public
Answer: B,E
Explanation:
QUESTION NO: 28
A. the app needs to determine what permission is required for it to make a call.
B. the app needs to determine if it should allow an incoming call from another app.
C. the app needs to determine whether it has permission to make a call.
D. the app needs to determine what permissions are required to call a specific API.
Answer: B
Explanation:
QUESTION NO: 29
Which of the following is a more secure way for a developer to give third-party apps temporary
access to resources in their app, such as opening attachments in an external editor?
Answer: B
Explanation:
QUESTION NO: 30
QUESTION NO: 31
To prevent a component from being publicly accessible via Intents the developer can:
Answer: A
Explanation:
QUESTION NO: 32
Answer: C
Explanation:
QUESTION NO: 33
Answer: D
Explanation:
QUESTION NO: 34
Answer: D
Explanation:
QUESTION NO: 35
Fine grained permission control for Content Providers can be achieved with:
A. android:ReadWritePermission.
B. android:ContentPermissions.
C. android:ProviderPermission.
D. android:grantUriPermissions.
Answer: D
Explanation:
QUESTION NO: 36
If using a WebView to serve assets contained within the app package it is good practice to also:
Answer: D
Explanation:
QUESTION NO: 37
When an app “logs out” of a back end system the developer should also ensure:
A. app jumps to device home screen, clearing the data from the previous session.
B. GUI components displaying data while logged in are destroyed as Android does not do this.
C. app switches back to login screen forcing the user to re-login to view the data.
D. app maintains the state of the session ID in the key chain.
Answer: B
Explanation:
QUESTION NO: 38
Why should a developer ensure the debug flag is set to “false” in the manifest for a production
build?
A. It prevents malware from being able to connect to the debug socket and take control of the app.
B. It prevents debug messages from showing up in the log.
C. It prevents an attacker from being able to reverse engineer the app.
D. It prevents an attacker from communicating with the app over the debug bridge.
Answer: A
Explanation:
QUESTION NO: 39
The filterTouchesWhenObscured property helps protect against which of the following attacks?
A. Tap Jacking
B. Intent Hijacking
C. Screen Bypass
D. Key Logging
Answer: A
Explanation:
QUESTION NO: 40
A. Authentication
B. Integrity verification
C. Diffie-Hellman key exchange
D. Handshake protocol
Answer: A
Explanation:
QUESTION NO: 41
An attacker intercepts and potentially tampers with communication between two entities without
the knowledge of either of the two entities. This BEST describes which of the following attacks?
Answer: B
Explanation:
QUESTION NO: 42
A developer has written an Android application that uses the HttpURLConnection API to
communicate with a backend server. Which of the following is the simplest method to protect the
network communications of the application?
A. Purchase an SSL library from a major vendor and integrate it into the application to protect the
HttpURLConnection.
B. Add the call setSecureSocket(true) to each HttpURLConnection object immediately after it is
created.
C. Replace every HttpURLConnection object with an HttpsURLConnection API.
D. Call Android’s built-in AES and RC-4 encryption implementations.
Answer: C
Explanation:
QUESTION NO: 43
Which of the following BEST describes the responsibility of a TrustManager object when used in
an Android application with SSL?
A. The TrustManager verifies that a Certificate Authority truly did issue a server’s SSL certificate
by using the Online Certificate Status Protocol (OCSP).
B. The TrustManager manages the client-side SSL certificate that the Android application will
present to a server for mutual authentication.
C. The TrustManager makes decisions on if a server’s SSL certificate should be trusted, by
allowing the developer to specify which certificates should be allowed.
D. The TrustManager verifies that a server’s SSL certificate has not been revoked by checking the
Certificate Authority’s Certificate Revocation List (CRL).
Answer: C
Explanation:
QUESTION NO: 44
Which of the following describes a way to perform certificate pinning in an SSL Android
application?
A. Use a KeyManager with a client-side SSL certificate so that mutual authentication will fail if the
server’s certificate changes.
B. Use the httpsURLConnectionPinned method to ensure certificate pinning is enabled.
C. Use a TrustManager that is based on a KeyManager specifying the public key associated with
the private key that the server should be using.
D. Use a TrustManager that is based on a KeyStore containing only the specific certificate(s) that
the server should be using.
Answer: D
Explanation:
QUESTION NO: 45
A. Stores only private keys associated with certificates, which are stored elsewhere in the
Answer: B
Explanation:
QUESTION NO: 46
A. The client performs an extra validation to ensure the integrity of the Root Certificate Authorities.
B. The identity of the Certificate Authority that issued the server’s SSL certificate is validated in
addition to that of the server itself.
C. The Android application (the client) supplies a certificate to identify itself in addition to the
server performing the same task, so that the client’s identity is authenticated to the server.
D. The client decides to reject or accept the connection with the server based on its own criteria
about the validity of the server’s SSL certificate.
Answer: C
Explanation:
QUESTION NO: 47
A. A client-specific secret value is combined with a server-specific secret value to form a master
secret, which is then used to sign all communications.
B. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
returned on each subsequent request.
C. A digital signature is generated of the request using the client’s private key and sent to the
server.
D. A username and password are combined into a string on the client, base 64 encoded, and then
sent to the server as an HTTP header.
Answer: D
Explanation:
QUESTION NO: 48
A. A wrapping envelope is constructed including the message body, the client’s SSL certificate,
and a master secret value, and sent to the server.
B. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
returned on each subsequent request.
C. A digital signature is computed on the entire message body using the client’s private key and
subsequently included along with the request for all future communications.
D. A one-time use token (nonce) is generated by the server and sent to the client, where it is then
used in a computation of a hash involving the username, password, nonce, and some other
values.
Answer: D
Explanation:
QUESTION NO: 49
Answer: B
Explanation:
QUESTION NO: 50
What are two advantages to using OAuth as the authentication method for an Android application
to access a web application or service? (Select TWO).
A. OAuth integrates seamlessly into a mobile application, never requiring the user to interact with
Answer: C,D
Explanation:
QUESTION NO: 51
A developer is designing a very sensitive web application that will be accessed by both desktop
web browsers and mobile Android applications. What is one way the developer can implement a
multi-factor authentication system for these users?
A. Have the user memorize a PIN in addition to their password and require them to supply both
when attempting to log in.
B. Have the user answer a security question once they authenticate using their username and
password.
C. Require a one-time-use code sent via an SMS message in addition to a username and
password.
D. Have the user supply their last password in addition to their current password when they
attempt to log in.
Answer: C
Explanation:
QUESTION NO: 52
Which of the following is a disadvantage of using a static embedded API Key for client
authentication to a web service?
A. API Keys require the use of a certificate issued by a commercial Certificate Authority.
B. API Keys are used with asymmetric cryptography, which is slow and can negatively impact the
performance of the client application.
C. API Keys cannot be transmitted over HTTPS, so they are open to compromise.
D. API Keys can be discovered and abused by an attacker.
Answer: D
QUESTION NO: 53
Which of the following defines why it is important for a developer to deploy known-good (whitelist)
input validation for all requests made to a web service API?
A. Known-good validation ensures that all inputs are in an expected format and are valid before
processing them. As requests to the API come over the network, they must be considered
untrusted.
B. Known-good (whitelist) validation can be performed much faster than known-bad input validation.
C. Known-good input validation is the only way to prevent command (SQL) injection attacks and
since web services are typically integrated with a backend SQL database, this checking ensures
the integrity and confidentiality of the database.
D. Known-good input validation first checks to ensure that incoming requests are being made by a
valid and known client before beginning to process them, so that inputs from attackers are never
processed, thus protecting the web service.
Answer: A
Explanation:
QUESTION NO: 54
Once an Android client has authenticated to a web service, what must be done on the server-side
to ensure correct authorization checks are being performed?
A. For each request that is considered more sensitive than previous ones, force the client to
re-authenticate so that the user’s identity can be confirmed.
B. For each request, check the session token to verify the client has been authorized for that
device and session.
C. For each request, ensure that the client is authenticated and that the specific Android device
identified in the request is the same as for the last request.
D. For each request, ensure that the client is authenticated and that the specific client is
authorized to perform the specific action on the specific data.
Answer: D
Explanation:
QUESTION NO: 55
Why must Android clients perform input validation on data received from publicly accessible web
service API calls?
A. As the data is being received over the network from public services, it must be treated as
untrusted input with potential malicious intent.
B. Publicly accessible web service APIs must be accessed using HTTP and not HTTPS, so an
attacker could modify the data on the network as it is passed from the server to the Android
application.
C. Data frequently becomes corrupted over unreliable cellular networks.
D. JSON objects transmitted by RESTful web services are not structured in the same manner as
SOAP objects, so input validation is necessary to prevent one from being parsed as the other and
exposing potentially hidden malicious code.
Answer: A
Explanation:
QUESTION NO: 56
Which of the following is the primary reason for web services to output encode all data sent to
Android application clients?
A. Output encoding eliminates the need for the client to perform input validation, as the server has
already ensured that all data being passed to the client is safe.
B. Output encoding ensures that an attacker who can view network traffic cannot read the
communications between the server and the client.
C. Output encoding is required for the data to be sent over an SSL channel.
D. Output encoding ensures that the client will treat all data received as data and not as
executable scripts.
Answer: D
Explanation:
QUESTION NO: 57
What two types of input validation should a developer implement for a web server that will be
implementing SOAP-based web services? (Select TWO).
A. Validation that all objects received are digitally signed using XML Signatures.
B. Validation that all requests only contain ASCII alphanumeric characters.
Answer: C,D
Explanation:
QUESTION NO: 58
A. Revealing the session token over an unsecured channel would allow an attacker to determine
the private key used to generate the token.
B. Session tokens can be used to reveal the physical location of the Android device.
C. Session tokens contain the user password.
D. Session tokens can be presented to the application allowing an attacker to impersonate a valid
user.
Answer: D
Explanation:
QUESTION NO: 59
Why should the Secure attribute be set on any session cookie sent to an Android application?
A. This attribute instructs the device to store the cookie in an encrypted region of the device
storage.
B. This attribute requests the client to only send the cookie over an HTTPS connection.
C. This attribute encrypts the cookie so that if it is compromised, it cannot be used.
D. This attribute ensures that session cookies are generated in a random fashion.
Answer: B
Explanation:
QUESTION NO: 60
Which of the following describes the purpose of the HttpOnly cookie attribute?
Answer: B
Explanation:
QUESTION NO: 61
A. Session tokens should be unpredictable and be short to derive a maximum security benefit with
minimal storage.
B. Session tokens should be reused every time a particular user logs in.
C. Session tokens should be an obfuscated or encrypted version of the user’s ID.
D. Session tokens should be unpredictable, of sufficient length and contain no information about
the user.
Answer: D
Explanation:
QUESTION NO: 62
Answer: B
Explanation:
QUESTION NO: 63
When generating a key from a password why would a developer want to iterate this process many
Answer: A
Explanation:
QUESTION NO: 64
Answer: A
Explanation:
QUESTION NO: 65
Answer: A
Explanation:
QUESTION NO: 66
On an unencrypted rooted Android device, which of the following BEST describes which data is
recoverable?
Answer: A
Explanation:
QUESTION NO: 67
Answer: B
Explanation:
QUESTION NO: 68
Answer: D
Explanation:
QUESTION NO: 69
Unencrypted temporary private user data cached in the application directory should be:
Answer: D
Explanation:
QUESTION NO: 70
Answer: B
Explanation:
QUESTION NO: 71
A. allows it to be decrypted.
B. requires a public key to verify.
C. requires a private key to verify.
D. allows one to see if it has not been modified.
E. encrypts the data.
Answer: B,D
Explanation:
QUESTION NO: 72
When implementing encryption which of the following is the MOST important factor to ensure it will
be secure?
A. Key management
B. Ensuring the device has high entropy
Answer: A
Explanation:
QUESTION NO: 73
When storing a PIN used to log on to the app, by applying a cryptographic hash function a
developer will:
Answer: D
Explanation:
QUESTION NO: 74
When applying PBKDF2 to a password, what would be the MORE secure number of iterations to
use?
A. 100
B. 1,000
C. 2,000
D. 10,000
Answer: D
Explanation:
QUESTION NO: 75
Answer: A,B
Explanation:
QUESTION NO: 76
A one-time pad is considered cryptographically secure. Which are two ways it can be broken?
(Select TWO).
Answer: B,C
Explanation:
QUESTION NO: 77
Answer: A
Explanation:
QUESTION NO: 78
In public key cryptography which problem can occur when the public key is transmitted?
Answer: B
Explanation:
QUESTION NO: 79
Answer: B
Explanation:
QUESTION NO: 80
In the AndroidManifest.xml file which element is used to define the permissions an app is
requesting access to?
A. <uses-permission>
B. <permission>
C. <grant-uri-permissions>
D. <activity>
Answer: A
Explanation:
QUESTION NO: 81
Answer: C
Explanation:
QUESTION NO: 82
Answer: D
Explanation:
QUESTION NO: 83
Answer: C
Explanation:
QUESTION NO: 84
QUESTION NO: 85
Which of the following are widely considered appropriate uses of reverse engineering? (Select
TWO).
A. Malware analysis
B. Enabling software features
C. Cracking
D. Software interoperability
E. Creating cloned products
Answer: A,D
Explanation:
QUESTION NO: 86
Which of the following defines the difference between static and dynamic analysis of an
application?
A. Static analysis can be used against encrypted code and is able to determine the actual
instructions running on a device, while dynamic analysis is easily fooled when code is encrypted.
B. Static analysis consists of examining an application’s code as it is provided, while dynamic
analysis consists of examining the application as it runs on an emulator or other debugging
environment.
C. Static analysis is focused solely on the recovery of string and hardcoded values while dynamic
analysis aims to understand the function of the code itself.
D. Static analysis requires a dataflow-modeling tool to examine all data paths, while dynamic
analysis can be conducted using only an Android device.
Answer: B
Explanation:
QUESTION NO: 87
What is the reverse engineering countermeasure tool that is provided with the standard Android
A. Eclipse
B. ProGuard
C. Bouncer
D. Ant
Answer: B
Explanation:
QUESTION NO: 88
Which of the following must be done on a typical Android project to enable reverse engineering
countermeasures provided with the standard Android SDK?
A. Ensure that a Proguard configuration file exists and add a proguard.config statement to the
project’s property file that references the location of the configuration file.
B. Enable Bouncer using the Eclipse Bouncer plugin.
C. Create a dump.txt file that describes the internal structure of the application in question and
point the Dalvik VM startup properties to the file.
D. Add a custom property to the Android Manifest.
Answer: A
Explanation:
QUESTION NO: 89
Which of the following is the primary reverse engineering countermeasure provided with the
standard Android SDK?
A. All code is encrypted and only decrypted in memory so that analysis of the APK itself is
impossible.
B. Code is compressed using lossy compression so that the original source code cannot be
recovered.
C. Names of classes, variables, and other constructs are all renamed to non-descript and similar
names.
D. Checks are made with the Google Play licensing servers to ensure that an application has been
properly purchased.
Answer: C
QUESTION NO: 90
Which of the following BEST describes a process or mechanism to thwart reverse engineering
through software fault injection?
Answer: B
Explanation:
QUESTION NO: 91
Which of the following mechanisms is MOST commonly used when attempting a privileged
operation?
Answer: C
Explanation:
QUESTION NO: 92
What level of security is provided by placing sensitive methods and data inside their own Java
package?
A. High security, as only approved Java classes and methods inside the package can access the
package’s data and methods
B. Minimal security, as any Java file can declare itself as part of the same package, and thus have
access to that package’s data and methods
C. Medium security, as it depends on whether the sensitive methods and data are declared public
Answer: B
Explanation:
QUESTION NO: 93
When handling sensitive data inside an exception block, it is BEST to do which of the following
before returning control flow to the application?
A. Log the sensitive data so that the security team can better determine what problem occurred.
B. Identify any known malware or attack signatures in the sensitive data.
C. Purge the sensitive data so that the users’ privacy is protected.
D. Carefully quarantine the sensitive data.
Answer: C
Explanation:
QUESTION NO: 94
As a general best practice when logging application data, which of the following is the BEST
approach?
Answer: C
Explanation:
QUESTION NO: 95
Which of the following sensitive data items must be protected in transit at all times?
Answer: A
Explanation:
QUESTION NO: 96
Which of the following attempts to prevent JavaScript from accessing a session cookie in a mobile
browser?
Answer: B
Explanation:
QUESTION NO: 97
A. To enhance the readability of the code and help prevent future developers from introducing
flaws
B. To ease text searches using text editors, grep, etc.
C. To avoid namespace collisions with other code
D. So that static code analysis tools can more easily understand the code and detect
vulnerabilities
Answer: A
Explanation:
QUESTION NO: 98
Failing to declare a class final can enable which of the following attacks on a developer’s code?
Answer: D
Explanation:
QUESTION NO: 99
If a Java package contains sensitive data in one or more classes, and the data is declared public,
what attacks does that expose?
Answer: B
Explanation:
Which of the following describes why a developer should define private wrappers around native
and public native methods?
Answer: A
Explanation:
Which of the following describes what is wrong with the following sample code?
foo( );
Answer: C
Explanation:
Which of the following is true about methods that receive an array as a parameter?
A. The developer should never use an array as a parameter because it will cause a buffer
overflow.
B. The developer should expose the array so it can be modified outside the class.
C. The developer should clear the array first.
D. The developer should clone the array object and store the copy.
Answer: D