Android Security Essentials Practice Exam, Exams of Technology

This exam focuses on securing Android applications and devices. Areas include data encryption, keystore usage, secure networking (TLS/HTTPS), code obfuscation, secure storage, permissions hardening, rooting/jailbreak detection, threat modeling, and OWASP Mobile Top 10 vulnerabilities. Practical scenarios help candidates identify, prevent, and mitigate common mobile security risks.

Typology: Exams

2025/2026

Available from 01/16/2026

shilpi-jain-1
Android Security Essentials Practice Exam
**Question 1. Which component of the Android architecture is directly responsible for
providing hardware abstraction to the higher layers?**
A) Linux Kernel
B) Hardware Abstraction Layer (HAL)
C) Android Runtime (ART)
D) Application Framework
Answer: B
Explanation: HAL defines a standard interface for hardware vendors, allowing the Android
framework to communicate with device hardware without needing to know the specifics.
**Question 2. What security mechanism does the Linux kernel use to isolate each Android
application’s process from others?**
A) SELinux policies only
B) UID-based process isolation
C) Java sandboxing
D) Android permissions
Answer: B
Explanation: Each app runs under a unique Linux UID, ensuring file system and process isolation
at the kernel level.
**Question 3. Which Android Runtime feature improves security by preventing apps from
executing arbitrary native code at runtime?**
A) Just-In-Time (JIT) compilation
B) Ahead-Of-Time (AOT) compilation
C) Dalvik bytecode verification
D) ART’s profile-guided compilation
Answer: C


Explanation: ART verifies DEX bytecode before it runs, so only well-formed, type-safe instructions execute in the managed runtime. This does not stop an app from loading its own native libraries through JNI; the verifier protects the runtime against malformed or type-confused bytecode rather than against native code as such.
**Question 4. The principle of “Least Privilege” in Android is primarily enforced through which mechanism?**
A) Application signing certificates
B) Permission declarations in the manifest
C) UID separation
D) Verified Boot
Answer: B
Explanation: By declaring only the permissions an app truly needs, Android limits the app’s access to system resources.
**Question 5. When an Android app is installed, which of the following is verified before installation proceeds?**
A) The app’s size only
B) The APK’s digital signature is valid and, for an update, the signing certificate matches the installed version’s
C) The app’s target SDK version only
D) The app’s minimum API level only
Answer: B
Explanation: The package installer verifies the APK signature (v1 JAR signing or the v2/v3 APK Signature Scheme) over the file contents, and rejects an update whose signing certificate differs from the installed app’s. That protects integrity and authenticity; the certificate itself lives in the signature block, not in the manifest.
**Question 6. What is the effect of using the same android:sharedUserId value in two apps signed with the same certificate?**
A) They share the same UID and can read each other’s private data
B) They are forced to run in the same process only
C) They cannot be installed on the same device

B) Dangerous
C) Signature
D) Signature|System
Answer: D
Explanation: signatureOrSystem (signature|system) was the highest legacy protection level, reserved for components in the system image. It has been deprecated since API 23 in favour of signature|privileged.
**Question 10. A developer wants to create a custom permission that only other apps signed with the same certificate can use. Which protection level should be specified?**
A) normal
B) dangerous
C) signature
D) signatureOrSystem
Answer: C
Explanation: The signature protection level restricts the permission to apps sharing the same signing certificate; the system grants it silently at install time and no other app can obtain it.
**Question 11. Which type of Android permission is automatically granted at install time without user interaction?**
A) Dangerous
B) Normal
C) Signature
D) Signature|System
Answer: B
Explanation: Normal permissions pose low risk and are granted by the system when the app is installed.

**Question 12. When an app targets Android 6.0 (API 23) or higher, how are dangerous permissions requested?**
A) At install time via the manifest only
B) At runtime through requestPermissions()
C) They are never required
D) Through a separate APK file
Answer: B
Explanation: Starting with API 23, dangerous permissions must still be declared in the manifest, but are granted only when the user approves a runtime prompt (and can be revoked later in Settings).
**Question 13. Which of the following is a secure way to send a broadcast that only your app’s receiver can receive?**
A) Use an implicit intent with no permission
B) Use a normal broadcast without specifying a permission
C) Use sendBroadcast() with a custom permission and declare that permission on the receiver
D) Use LocalBroadcastManager without any permission
Answer: C
Explanation: Passing the permission to sendBroadcast(intent, permission) restricts which apps may receive the broadcast; declaring android:permission on the receiver restricts which apps may send to it. Declaring the custom permission with protectionLevel="signature" ensures only apps signed with your certificate can hold it.
**Question 14. What is the primary security benefit of using LocalBroadcastManager?**
A) It encrypts the broadcast data automatically
B) It limits broadcast delivery to the same app, preventing other apps from intercepting it
C) It allows broadcasts to cross process boundaries securely
D) It bypasses permission checks altogether
Answer: B
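Questions 13 and 50 (later on this page) both turn on the same mechanism: the permission passed to sendBroadcast() gates receivers, while the permission attached to the receiver gates senders. The Kotlin below is an added example for this page, not part of the exam; the permission name, action string and extras are assumptions, and it uses the AndroidX ContextCompat.registerReceiver() overload so the receiver can also be marked not exported.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat

// Added example, not part of the exam. Permission and action names are assumptions.
// The owning app declares the permission in its manifest (assumed):
// <permission android:name="com.example.app.permission.SYNC_EVENTS"
//             android:protectionLevel="signature" />
// <uses-permission android:name="com.example.app.permission.SYNC_EVENTS" />
const val PERM_SYNC_EVENTS = "com.example.app.permission.SYNC_EVENTS"
const val ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE"

/**
 * Sender side (Q13). The permission argument means only receivers in apps that hold
 * PERM_SYNC_EVENTS are delivered the intent; with protectionLevel="signature" that is
 * only apps signed with our certificate. setPackage() additionally makes the broadcast
 * explicit, so no other app's receiver can even match the action.
 */
fun announceSyncDone(context: Context, changedRows: Int) {
    val intent = Intent(ACTION_SYNC_DONE)
        .setPackage(context.packageName)
        .putExtra("rows", changedRows)
    context.sendBroadcast(intent, PERM_SYNC_EVENTS)
}

/**
 * Receiver side. broadcastPermission is checked against the *sender*, so a third-party app
 * cannot forge ACTION_SYNC_DONE. RECEIVER_NOT_EXPORTED (mandatory for apps targeting API 34
 * when the filter is not a system action) restricts delivery to our own app and the system,
 * which is also the answer to Q50: system broadcasts still arrive, other apps' broadcasts do not.
 */
fun registerSyncReceiver(context: Context, onDone: (Int) -> Unit): BroadcastReceiver {
    val receiver = object : BroadcastReceiver() {
        override fun onReceive(ctx: Context, intent: Intent) {
            if (intent.action != ACTION_SYNC_DONE) return   // never trust the filter alone
            onDone(intent.getIntExtra("rows", 0))
        }
    }
    ContextCompat.registerReceiver(
        context,
        receiver,
        IntentFilter(ACTION_SYNC_DONE),
        PERM_SYNC_EVENTS,
        null,                                   // deliver on the main thread
        ContextCompat.RECEIVER_NOT_EXPORTED
    )
    return receiver
}

/** Counterpart to registerSyncReceiver; call it from onStop()/onDestroy() to avoid leaks. */
fun unregisterSyncReceiver(context: Context, receiver: BroadcastReceiver) {
    context.unregisterReceiver(receiver)
}
```

Both controls are worth keeping: the permission stops a forged broadcast from a third-party app even on older API levels where the exported flag is not enforced for dynamic receivers, and the not-exported flag stops delivery even if a permission name is ever squatted by another app.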

D) android:authorities
Answer: B
Explanation: Setting android:exported="false" prevents external apps from accessing the provider.
**Question 18. A content provider uses the attributes android:readPermission="com.example.READ" and android:writePermission="com.example.WRITE". What does this enforce?**
A) Only apps with the READ permission can query, and only those with WRITE can insert, update, or delete
B) All apps can read but not write
C) The provider can only be accessed by the system
D) The provider ignores permission checks at runtime
Answer: A
Explanation: The specified permissions control read and write access separately.
**Question 19. Which of the following storage locations is private to the app and not accessible by other apps without root?**
A) External storage public directory (/sdcard/Download)
B) Internal storage (getFilesDir())
C) SharedPreferences on external storage
D) SQLite database on external storage
Answer: B
Explanation: Files stored in internal storage are owned by the app’s UID and are not world-readable.
**Question 20. When storing sensitive user credentials, which Android feature provides hardware-backed protection for cryptographic keys?**

A) SharedPreferences
B) Android Keystore System
C) SQLite encryption API
D) File system permissions
Answer: B
Explanation: The Android Keystore generates and uses keys inside a Trusted Execution Environment (TEE) or a StrongBox secure element where the device supports one, so the key material never enters the app process and cannot be exported. Not every device offers hardware-backed keys; check KeyInfo (isInsideSecureHardware(), or getSecurityLevel() on API 31+) before relying on that guarantee.
**Question 21. Which of the following is the recommended way to store a user’s authentication token on Android?**
A) Plain text in a file on external storage
B) In SharedPreferences without encryption
C) In the Android Keystore as a symmetric key-wrapped value
D) In a static final variable in code
Answer: C
Explanation: Encrypting the token under a Keystore key means that a copy of the app’s data (a backup, or a file dump from a rooted device) does not expose it; an attacker would have to run the decryption on the same device through the Keystore, and binding the key to user authentication (setUserAuthenticationRequired) raises that bar further.
**Question 22. Which cryptographic algorithm is considered unsuitable for new Android development due to known weaknesses?**
A) AES-GCM
B) RSA with 2048-bit keys
C) DES
D) SHA-256
Answer: C
Explanation: DES uses a 56-bit key and is vulnerable to brute-force attacks; it should be avoided.
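Questions 20 and 21 describe the pattern without showing it. The Kotlin below is an added example for this page (not the exam’s code): it generates a 256-bit AES-GCM key inside the Android Keystore, checks whether the key actually ended up in hardware, and seals and opens an authentication token with it. The key alias is an assumption; the Keystore APIs are the platform’s own.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec

// Added example, not part of the exam. The alias name is an assumption.
private const val KEYSTORE = "AndroidKeyStore"
private const val ALIAS = "auth_token_wrap_key"
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

/** Returns the AES key stored under ALIAS, generating it inside the Keystore on first use. */
fun getOrCreateTokenKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // The Keystore generates the IV; a caller-supplied IV is rejected, so a nonce can never be reused.
        .setRandomizedEncryptionRequired(true)
        .build()

    // KeyGenerator with the AndroidKeyStore provider: the raw key bytes never exist in app memory.
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

/** True only if the key lives in a TEE or StrongBox; some devices fall back to a software keystore. */
fun isHardwareBacked(key: SecretKey): Boolean {
    val factory = SecretKeyFactory.getInstance(key.algorithm, KEYSTORE)
    val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
            info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
    } else {
        @Suppress("DEPRECATION")
        info.isInsideSecureHardware
    }
}

/** Encrypts the token with AES-GCM; the result is Base64(iv || ciphertext || tag). */
fun sealToken(token: String): String {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateTokenKey())
    val ciphertext = cipher.doFinal(token.toByteArray(Charsets.UTF_8))
    val iv = cipher.iv                              // 12 bytes chosen by the Keystore
    return Base64.encodeToString(iv + ciphertext, Base64.NO_WRAP)
}

/** Reverses sealToken(); GCM throws AEADBadTagException if the blob was altered. */
fun openToken(sealed: String): String {
    val blob = Base64.decode(sealed, Base64.NO_WRAP)
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    val ciphertext = blob.copyOfRange(GCM_IV_BYTES, blob.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, getOrCreateTokenKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return String(cipher.doFinal(ciphertext), Charsets.UTF_8)
}
```

The sealed string is what goes into SharedPreferences or a database; the plaintext token only exists transiently in memory. Call isHardwareBacked() once after key creation and decide what to do on a software-only device (refuse to cache the token, or shorten its lifetime). For the strictest placement, add setIsStrongBoxBacked(true) to the builder and catch StrongBoxUnavailableException on devices without a secure element.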

Explanation: Fetching the key from a backend after authentication avoids exposing it in the APK, reducing the risk of extraction.
**Question 26. An app uses a WebView and calls addJavascriptInterface() with a Java object. Which setting must be disabled to avoid code injection?**
A) setJavaScriptEnabled(true)
B) setAllowFileAccess(true)
C) setDomStorageEnabled(true)
D) setAllowUniversalAccessFromFileURLs(true)
Answer: A (with caution)
Explanation: Any JavaScript running in the WebView can call the exposed object, so if the WebView ever loads untrusted content the interface becomes an attack surface. On devices below API 17 every public method of the object was reachable, including getClass(), which allowed reflection into java.lang.Runtime; from API 17 onward only methods annotated with @JavascriptInterface are exposed, so apps should target API 17 or higher. Disable JavaScript unless the page needs it, never register the interface on pages that show untrusted content, and keep the exposed methods minimal.
**Question 27. Which of the following best describes an IDOR (Insecure Direct Object Reference) vulnerability in Android?**
A) Using a hard-coded API key in the app
B) Allowing a user to modify a file path parameter to access another user’s data without proper authorization checks
C) Storing passwords in recycle bin
D) Using an outdated TLS version
Answer: B
Explanation: IDOR occurs when an app trusts user-supplied identifiers (e.g., file names, database IDs) without verifying the caller’s rights, leading to unauthorized data access.
**Question 28. Which tool can be used to automatically obfuscate Android bytecode during the build process?**
A) ProGuard

B) Android Debug Bridge (ADB)
C) SQLiteStudio
D) Gradle Wrapper
Answer: A
Explanation: ProGuard (or its successor R8, the default in current Android Gradle builds) shrinks, optimizes, and obfuscates code, making reverse engineering more difficult. Obfuscation raises the cost of analysis but does not hide secrets that the APK must contain.
**Question 29. To prevent SQL injection in a SQLite database, a developer should use:**
A) Direct string concatenation for queries
B) rawQuery() with user-supplied SQL
C) Parameterized queries (? placeholders) with SQLiteStatement or Room DAO methods
D) No input validation, relying on SQLite’s internal checks
Answer: C
Explanation: Parameterized statements separate code from data, so user input is bound as a value and can never alter the query structure. Placeholders work only for values; table and column names chosen by the user must be validated against an allowlist instead.
**Question 30. Which Android permission is required for an app to read the device’s contacts?**
A) android.permission.READ_CONTACTS (dangerous)
B) android.permission.INTERNET (normal)
C) android.permission.ACCESS_NETWORK_STATE (normal)
D) android.permission.READ_PHONE_STATE (dangerous)
Answer: A
Explanation: Accessing contacts is a dangerous permission that requires explicit user consent at runtime.
**Question 31. What is the purpose of SELinux in Android?**
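Question 29 is easier to remember with the vulnerable and the parameterized query side by side. The Kotlin below is an added example for this page, not the exam’s code; the users table and its columns are constructed for the demonstration, and the in-memory database exists only so the two queries can be compared offline.

```kotlin
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase

// Added example, not part of the exam. Table and column names are assumptions.

// VULNERABLE (options A/B): the caller's string becomes part of the SQL grammar.
fun findUserVulnerable(db: SQLiteDatabase, name: String): Cursor =
    db.rawQuery("SELECT id, email FROM users WHERE name = '$name'", null)

// HARDENED (option C): the value is bound; SQLite sees one literal, whatever it contains.
fun findUserSafe(db: SQLiteDatabase, name: String): Cursor =
    db.rawQuery("SELECT id, email FROM users WHERE name = ?", arrayOf(name))

// Writes follow the same rule: compile once, bind by index, execute.
fun insertUser(db: SQLiteDatabase, name: String, email: String): Long =
    db.compileStatement("INSERT INTO users (name, email) VALUES (?, ?)").use { stmt ->
        stmt.bindString(1, name)
        stmt.bindString(2, email)
        stmt.executeInsert()
    }

// Identifiers cannot be bound. A user-chosen sort column has to be allowlisted instead.
private val SORTABLE_COLUMNS = setOf("name", "email")
fun listUsersSorted(db: SQLiteDatabase, orderBy: String): Cursor {
    require(orderBy in SORTABLE_COLUMNS) { "unsupported sort column" }
    return db.query("users", arrayOf("id", "email"), null, null, null, null, orderBy)
}

/**
 * Runs the classic tautology payload against both variants on a constructed in-memory
 * database and returns (rows leaked by the vulnerable query, rows returned by the safe one).
 */
fun demonstrateInjection(): Pair<Int, Int> {
    val db = SQLiteDatabase.create(null)   // in-memory, constructed sample data
    db.execSQL("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    insertUser(db, "alice", "alice@example.com")
    insertUser(db, "bob", "bob@example.com")
    val payload = "nobody' OR '1'='1"
    val leaked = findUserVulnerable(db, payload).use { it.count }
    val safe = findUserSafe(db, payload).use { it.count }
    db.close()
    return leaked to safe
}
```

With the payload above, the concatenated query becomes `WHERE name = 'nobody' OR '1'='1'` and returns both constructed users; the bound version looks for a user literally named `nobody' OR '1'='1` and returns none. Room DAOs compile to the same bound statements, which is why option C lists them together.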

**Question 34. Which of the following is a recommended practice to avoid leaking sensitive data through Logcat?**
A) Use Log.d() for all messages
B) Never log any data in production builds
C) Mask or omit sensitive values before logging, and remove debug logs from release builds using ProGuard rules
D) Store logs in external storage for later analysis
Answer: C
Explanation: Masking sensitive information and stripping logs from release builds (for example with an R8/ProGuard -assumenosideeffects rule on android.util.Log) prevents accidental exposure. Since API 16 other apps can no longer read the global logcat buffer, but anyone with ADB access, bug reports and crash-reporting uploads still can.
**Question 35. What is the effect of setting android:exported="false" on an Activity?**
A) The Activity can be started only by components of the same app (or an app running under the same UID); no other app can launch it, even with an explicit intent
B) The Activity becomes a system app
C) The Activity can be launched by any app without restriction
D) The Activity is removed from the manifest at runtime
Answer: A
Explanation: exported="false" removes the Activity from every other app’s reach, regardless of whether the caller uses an implicit or an explicit intent and regardless of the permissions it holds. When other apps legitimately need to launch it, export the Activity and protect it with android:permission instead.
**Question 36. Which of the following is a secure way to share a file with another app without making it globally readable?**
A) Write the file to external storage and send the path via intent
B) Use FileProvider to generate a content URI and grant temporary read permission with Intent.FLAG_GRANT_READ_URI_PERMISSION
C) Copy the file to the other app’s internal storage via root access

D) Store the file in a public directory and rely on the other app to read it
Answer: B
Explanation: FileProvider creates a content URI that can be shared securely, and permission flags limit access to the intended recipient.
**Question 37. In Android, which lifecycle callback is the appropriate place to release a binding to a bound Service when the Activity is no longer visible?**
A) onCreate()
B) onStart()
C) onPause()
D) onStop()
Answer: D
Explanation: onStop() is called when the Activity is no longer visible; unbinding the service there prevents leaks while the UI is not needed.
**Question 38. Which of the following best describes the purpose of the android:process attribute in a component declaration?**
A) To set the priority of the component’s thread
B) To specify a separate Linux process name, providing isolation from other components of the same app
C) To enable multi-threading within the component
D) To define the component’s memory allocation limit
Answer: B
Explanation: Declaring a different process runs the component in its own Linux process, adding an extra layer of isolation. The processes still share the app’s UID, so file access is unchanged; the gain is memory and crash isolation, which is why it is used for code that parses untrusted input.
**Question 39. Which of the following cryptographic modes provides both confidentiality and integrity for data stored on Android?**
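The FileProvider flow in Question 36 has three parts (a provider declaration, a paths allowlist, and the intent carrying the grant), and the exam only names the last. The Kotlin below is an added example for this page, not the exam’s code; the authority string, directory and file name are assumptions, and the manifest and XML fragments in the comments are the assumed declarations the code relies on.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.core.content.FileProvider
import java.io.File

// Added example, not part of the exam. Authority, directory and file names are assumptions.
// The matching manifest entry (assumed) would be:
// <provider android:name="androidx.core.content.FileProvider"
//           android:authorities="com.example.app.fileprovider"
//           android:exported="false"
//           android:grantUriPermissions="true">
//     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
//                android:resource="@xml/file_paths" />
// </provider>
// and res/xml/file_paths.xml (assumed):
// <paths><files-path name="exports" path="exports/" /></paths>
private const val AUTHORITY = "com.example.app.fileprovider"

/** Writes a report into the one directory the provider is allowed to expose. */
fun writeReport(context: Context, contents: ByteArray): File {
    val dir = File(context.filesDir, "exports").apply { mkdirs() }
    return File(dir, "report.pdf").apply { writeBytes(contents) }
}

/**
 * Builds an ACTION_SEND intent that hands the receiver a content:// URI with a read-only,
 * temporary grant. The file itself stays private in the app's filesDir; the receiving app
 * can open only this URI, only for reading, and only while it handles the intent.
 * getUriForFile() throws IllegalArgumentException for any file outside the configured
 * paths, which is the control that stops a path-traversal bug from exporting the data dir.
 */
fun buildShareIntent(context: Context, report: File): Intent {
    val uri: Uri = FileProvider.getUriForFile(context, AUTHORITY, report)
    return Intent(Intent.ACTION_SEND).apply {
        type = "application/pdf"
        putExtra(Intent.EXTRA_STREAM, uri)
        addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
    }
}

// Option A for contrast: Uri.fromFile() yields a file:// URI, which only works if the file
// is world-readable and throws FileUriExposedException on API 24 and later.
// fun insecureShare(report: File): Intent =
//     Intent(Intent.ACTION_SEND).putExtra(Intent.EXTRA_STREAM, Uri.fromFile(report))

/** Write, then let the user choose the target app. */
fun shareReport(context: Context, contents: ByteArray) {
    val intent = buildShareIntent(context, writeReport(context, contents))
    context.startActivity(Intent.createChooser(intent, "Share report"))
}
```

Intent.createChooser() copies EXTRA_STREAM into the intent’s ClipData so the URI grant follows the user’s choice. When the recipient is a known package rather than a chooser, use context.grantUriPermission(packageName, uri, flags) before sending and revokeUriPermission() afterwards, so the grant does not outlive the transaction.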

**Question 42. Which of the following is NOT a recommended mitigation for reverse engineering of Android APKs?**
A) Enable code shrinking and obfuscation with R8/ProGuard
B) Use native code (NDK) for critical algorithms only
C) Store all secret keys in plain text within the APK
D) Use resource shrinking to remove unused assets
Answer: C
Explanation: Storing secrets in plain text directly in the APK makes them trivially extractable and is a poor practice.
**Question 43. Which Android component is most appropriate for performing short-lived background work that must complete even if the app is killed?**
A) Service with START_STICKY
B) BroadcastReceiver
C) JobScheduler/WorkManager task
D) Activity
Answer: C
Explanation: WorkManager (or JobScheduler) guarantees execution of deferrable background work with system-managed constraints, even after app termination.
**Question 44. When an app targets API level 33 (Android 13), which new permission requirement applies to accessing nearby Wi-Fi devices?**
A) ACCESS_FINE_LOCATION only
B) NEARBY_WIFI_DEVICES (new runtime permission)
C) No permission is needed
D) BLUETOOTH_CONNECT permission
Answer: B
Explanation: Android 13 (API 33) introduced the NEARBY_WIFI_DEVICES runtime permission for Wi-Fi scanning and peer-to-peer APIs, so apps targeting API 33 no longer need a location permission for them when they assert android:usesPermissionFlags="neverForLocation". BLUETOOTH_CONNECT, by contrast, was the API 31 change, and applies to Bluetooth.
**Question 45. Which of the following statements about Android’s “debuggable” flag is true?**
A) Setting android:debuggable="true" in production releases improves performance
B) It allows the app to be attached to a debugger and can expose internal data if the device is compromised
C) It automatically grants all permissions without user consent
D) It disables SELinux enforcement for the app
Answer: B
Explanation: A debuggable app can be inspected via ADB (run-as into its data directory, debugger attach, heap dumps), making it easier for attackers to extract data or tamper with the app. Release builds are non-debuggable by default; do not override that.
**Question 46. Which of the following is the most secure way to validate input received from a remote server before displaying it in a WebView?**
A) Directly load the URL using loadUrl() without any checks
B) Use loadDataWithBaseURL() after sanitizing the HTML content and disabling JavaScript if not required
C) Enable JavaScript and addJavascriptInterface() for all content
D) Store the content in a temporary file on external storage and load it
Answer: B
Explanation: Sanitizing content and disabling JavaScript reduces the risk of XSS or malicious code execution inside the WebView.
**Question 47. Which Android API level introduced the android:exported attribute requirement for components with intent filters?**
A) API 23
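Questions 26 and 46 are two sides of the same WebView hardening. The Kotlin below is an added example for this page, not the exam’s code: it closes the file-URL and mixed-content settings, pins navigation to one origin, attaches a minimal @JavascriptInterface bridge only for trusted content, and loads server-supplied HTML with JavaScript off. The trusted host, bridge name and the sanitizeHtml function passed in are assumptions.

```kotlin
import android.annotation.SuppressLint
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

// Added example, not part of the exam. The host, bridge name and bridge method are assumptions.
private const val TRUSTED_HOST = "app.example.com"
private const val BRIDGE_NAME = "AndroidBridge"

/** The object exposed to JavaScript. Keep it tiny and free of side effects. */
class Bridge {
    // Only methods carrying @JavascriptInterface are callable from JS (API 17+). Before the
    // annotation gate existed (API < 17), every public method, including getClass(), was reachable.
    @JavascriptInterface
    fun getTheme(): String = "dark"   // hand data to the page; never accept paths or commands
}

@SuppressLint("SetJavaScriptEnabled")
@Suppress("DEPRECATION")   // the file-URL setters are deprecated, but their default was true before API 16
fun hardenWebView(webView: WebView, trustedContent: Boolean) {
    webView.settings.apply {
        javaScriptEnabled = trustedContent           // Q26: off unless the page needs it
        allowFileAccess = false                      // no file:// reads from the app sandbox
        allowContentAccess = false                   // no content:// reads through the WebView
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false     // Q26 option D, closed regardless of trust
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
    }
    webView.webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation: the WebView only ever shows our https origin,
        // so the bridge can only be reached by pages we serve.
        override fun shouldOverrideUrlLoading(view: WebView?, request: WebResourceRequest?): Boolean {
            val url = request?.url ?: return true
            return !(url.scheme == "https" && url.host == TRUSTED_HOST)
        }
    }
    if (trustedContent) webView.addJavascriptInterface(Bridge(), BRIDGE_NAME)
    else webView.removeJavascriptInterface(BRIDGE_NAME)
}

/**
 * Q46: HTML fetched from the server is treated as untrusted. It is sanitized first, JavaScript
 * stays off and no bridge is attached; the base URL makes relative links resolve against our
 * origin so they hit the allowlist above. sanitizeHtml is assumed to be an allowlist-based
 * HTML sanitizer supplied by the app.
 */
fun showServerHtml(webView: WebView, serverHtml: String, sanitizeHtml: (String) -> String) {
    hardenWebView(webView, trustedContent = false)
    webView.loadDataWithBaseURL(
        "https://$TRUSTED_HOST/", sanitizeHtml(serverHtml), "text/html", "UTF-8", null
    )
}
```

The host check deliberately compares scheme and host exactly rather than using startsWith on the URL string, which is the usual bypass (https://app.example.com.attacker.net). If the bridge must exist on a page that also renders user-generated content, move the user content into a separate WebView with trustedContent = false.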

**Question 50. A developer wants to ensure that a BroadcastReceiver only receives broadcasts from the system. Which approach should be used?**
A) Declare the receiver with android:exported="true" and no permission
B) Register the receiver dynamically in code without a permission
C) Set android:permission="android.permission.BROADCAST_STICKY" in the receiver declaration
D) Set android:permission on the receiver to a permission that only the system can hold (a signature-level platform permission), or mark the receiver as not exported
Answer: D
Explanation: android:permission on a receiver is checked against the sender, so choosing a permission third-party apps cannot obtain restricts delivery to the OS. Two details matter in practice: system broadcasts such as ACTION_BOOT_COMPLETED are already “protected broadcasts” that only the system may send, so they cannot be spoofed regardless; and RECEIVE_BOOT_COMPLETED is the permission your own app must request in order to receive that broadcast, not a sender-side check. A non-exported receiver (android:exported="false", or RECEIVER_NOT_EXPORTED for runtime registration) still receives system broadcasts and blocks every other app.
**Question 51. Which method should be used to securely generate a random cryptographic key on Android?**
A) new Random().nextBytes()
B) SecureRandom.getInstanceStrong()
C) Math.random()
D) System.currentTimeMillis()
Answer: B
Explanation: SecureRandom provides cryptographically strong random numbers suitable for key generation. On Android it is seeded from the kernel’s /dev/urandom pool, so a plain new SecureRandom() is equally acceptable; getInstanceStrong() is available from API 26. Keys that should stay in hardware are better produced by KeyGenerator with the AndroidKeyStore provider, so the random bytes never exist in app memory at all.
**Question 52. What is the primary security advantage of using Android’s WorkManager over a plain Service for background tasks?**
A) WorkManager runs tasks with root privileges
B) WorkManager can enforce network and battery constraints and survives app restarts, reducing the chance of abuse by malicious code

C) WorkManager disables all permissions automatically
D) WorkManager always runs on the UI thread
Answer: B
Explanation: WorkManager schedules work with system-managed constraints and persists across device reboots, providing better control and less opportunity for abuse.
**Question 53. Which of the following is a correct statement about SharedPreferences?**
A) Data stored in SharedPreferences is automatically encrypted on all Android versions
B) SharedPreferences files are stored in internal storage and are private to the app unless the device is rooted
C) SharedPreferences can be accessed by any app without permission
D) SharedPreferences is only available on Android TV devices
Answer: B
Explanation: SharedPreferences are stored as XML files in the app’s internal storage directory, which is protected by the app’s UID. The file is plain text, and it is included in backups unless excluded, so sensitive values should still be encrypted (for example under a Keystore key) before being written.
**Question 54. Which Android manifest attribute controls whether a component can be instantiated by other apps via an implicit intent?**
A) android:enabled
B) android:exported
C) android:process
D) android:theme
Answer: B
Explanation: android:exported determines if a component is visible to other apps.
**Question 55. When using HTTPS, which TLS version should be disabled on Android to avoid known vulnerabilities?**