Chapter 30 Quiz: Mobile Application Security

Question 1

What file in an Android APK contains the compiled application code (bytecode)?

A) AndroidManifest.xml
B) resources.arsc
C) classes.dex
D) build.gradle

Question 2

Which tool is most commonly used for runtime instrumentation of mobile applications, allowing you to hook functions and modify behavior at runtime?

A) Burp Suite
B) Frida
C) Nmap
D) Wireshark

Question 3

An Android app has android:exported="true" on a content provider without any permission requirements. What is the security implication?

A) The content provider data is encrypted at rest
B) Any app on the device can query the content provider and access its data
C) The content provider can only be accessed over the network
D) The content provider is protected by the app's signing key

Question 4

Starting with Android 7 (Nougat), what change was made to certificate trust that affects mobile traffic interception?

A) All certificates were revoked
B) Apps only trust system-level certificates by default, not user-installed certificates
C) Certificate pinning became mandatory
D) SSL/TLS was replaced with a proprietary protocol

Question 5

What does the android:allowBackup="true" attribute in the Android manifest enable?

A) Automatic cloud backup to Google Drive only
B) ADB backup, which can extract application data including databases and shared preferences
C) Backup of only non-sensitive configuration files
D) Encrypted backup accessible only through the Settings app

Question 6

Which OWASP Mobile Top 10 category covers storing sensitive data in SharedPreferences without encryption?

A) M3: Insecure Communication
B) M2: Insecure Data Storage
C) M5: Insufficient Cryptography
D) M1: Improper Platform Usage

Question 7

What is certificate pinning in the context of mobile security?

A) Encrypting the certificate before storing it
B) Restricting which certificates the app trusts for specific domains, beyond the system trust store
C) Pinning the certificate to a physical security token
D) Automatically rotating certificates on a schedule

Question 8

You are using Objection to explore a mobile application. Which command bypasses SSL pinning?

A) android sslpinning bypass
B) android sslpinning disable
C) ssl strip
D) android certificate remove

Question 9

When analyzing an iOS application, which format is the compiled binary in?

A) DEX (Dalvik Executable)
B) ELF (Executable and Linkable Format)
C) Mach-O (Mach Object)
D) PE (Portable Executable)

Question 10

What is the primary security concern with using MODE_WORLD_READABLE for SharedPreferences on Android?

A) The data cannot be encrypted
B) Any application on the device can read the SharedPreferences file
C) The data is automatically uploaded to the cloud
D) The preference file is deleted on reboot

Question 11

Which tool can decompile an Android APK to produce readable Java source code?

A) apktool
B) jadx
C) strings
D) objdump

Question 12

What is Broken Object Level Authorization (BOLA) in the context of mobile API testing?

A) The API server crashes when processing large objects
B) The API does not verify that the authenticated user has access to the specific object they are requesting
C) Objects are transmitted in plaintext
D) The API uses XML instead of JSON for object serialization

Question 13

An iOS app has an App Transport Security (ATS) exception that allows arbitrary loads. What does this mean?

A) The app can load any UI component
B) The app is allowed to make HTTP (non-HTTPS) connections to any domain
C) The app can download unlimited data
D) The app bypasses the App Store review process

Question 14

Which of the following is NOT a common Android root detection technique?

A) Checking for the existence of the su binary
B) Checking for Superuser.apk or Magisk Manager
C) Checking the screen resolution
D) Attempting to execute su via Runtime.exec()

Question 15

What is the primary advantage of using Objection's patchapk command?

A) It makes the app run faster
B) It injects the Frida gadget into the APK, enabling Frida instrumentation without requiring a rooted device
C) It removes all advertisements from the app
D) It converts the APK to an iOS IPA

Question 16

During mobile API testing, you discover that changing the patient ID in an API request from /api/patients/1001 to /api/patients/1002 returns another patient's data while authenticated as patient 1001. What vulnerability is this?

A) SQL Injection
B) Cross-Site Scripting
C) Insecure Direct Object Reference (IDOR) / BOLA
D) Server-Side Request Forgery

Question 17

What is the recommended secure storage mechanism for sensitive credentials on iOS?

A) NSUserDefaults
B) Property list (plist) files
C) Keychain Services
D) SQLite database in the Documents directory

Question 18

When using Frida to hook a Java method on Android, which function is used to obtain a reference to the target class?

A) Java.perform()
B) Java.use()
C) Java.cast()
D) Java.choose()


Answer Key

  1. C — The classes.dex file (Dalvik Executable) contains the compiled application bytecode. Modern apps may have multiple DEX files (classes.dex, classes2.dex, etc.) for multidex support.

  2. B — Frida is the premier runtime instrumentation toolkit for mobile applications. It injects a JavaScript engine into the target process, enabling function hooking, parameter modification, and runtime behavior analysis.

  3. B — An exported content provider without permission requirements is accessible to any application on the device. Other apps can query, insert, update, or delete data through the content provider, potentially exposing sensitive information.

  4. B — Android 7+ changed the default network security configuration so that apps only trust system-level CA certificates, not certificates installed by the user. This means user-installed proxy certificates (like Burp's CA) are not trusted by default, requiring additional steps to intercept HTTPS traffic.

  5. B — android:allowBackup="true" enables ADB backup via adb backup, which extracts the application's data directory including databases, shared preferences, and internal files. This can expose sensitive data if an attacker has physical access to the device with USB debugging enabled.

  6. B — Insecure Data Storage (M2) covers storing sensitive information in locations that can be accessed by other apps or attackers, including SharedPreferences, SQLite databases, log files, and external storage without proper encryption.

  7. B — Certificate pinning restricts the certificates an application accepts for specific domains to a predefined set, ignoring the device's trust store. This prevents proxy-based interception even with a valid CA certificate installed on the device.

  8. B — The correct Objection command is android sslpinning disable, which hooks common SSL pinning implementations and bypasses them, allowing proxy-based traffic interception.

  9. C — iOS application binaries are in Mach-O (Mach Object) format, compiled to native ARM code. App Store binaries are additionally encrypted with FairPlay DRM, requiring decryption before analysis.

  10. B — MODE_WORLD_READABLE (deprecated since API 17) makes the SharedPreferences file readable by any application on the device. Any app could read sensitive data like tokens, passwords, or personal information stored there.

  11. B — jadx (Dex to Java decompiler) produces readable Java source code from DEX bytecode. apktool decompiles to smali (assembly-like) representation and preserves resources but does not produce Java source.

  12. B — BOLA (Broken Object Level Authorization) occurs when the API fails to verify that the authenticated user has authorization to access the specific object (identified by ID) they are requesting. An attacker can access other users' resources by manipulating object IDs.

  13. B — An ATS exception for arbitrary loads (NSAllowsArbitraryLoads = true) disables App Transport Security, allowing the app to make unencrypted HTTP connections to any domain. This is a significant security concern, especially for apps handling sensitive data.

  14. C — Checking screen resolution is not a root detection technique. Common techniques include checking for su binaries, root management apps, build tags (test-keys), executing su commands, and checking for writable system partitions.

  15. B — Objection's patchapk injects the Frida gadget library into the APK and re-signs it, enabling Frida instrumentation without requiring root access on the device. The patched app includes Frida as a native library.

  16. C — This is an Insecure Direct Object Reference (IDOR), also classified as Broken Object Level Authorization (BOLA) in the OWASP API Top 10. The API does not verify that patient 1001 has authorization to view patient 1002's data.

  17. C — iOS Keychain Services provide the most secure storage for credentials on iOS. The Keychain encrypts data, supports access control through protection classes, and integrates with biometric authentication. NSUserDefaults and plist files are not encrypted.

  18. B — Java.use('class.name') obtains a reference to the target Java class within a Java.perform() callback. Java.perform() ensures the code runs on the Java VM thread, Java.cast() converts objects between types, and Java.choose() finds live instances of a class.