Certified Mobile Pentester Android CMPenAndroid Exam, Exams of Technology

This exam assesses specialized skills in testing the security of Android mobile applications and platforms. It covers mobile threat models, reverse engineering, runtime analysis, data protection, and secure storage. Candidates are evaluated on identifying mobile-specific vulnerabilities and providing remediation guidance. The exam emphasizes secure mobile ecosystems and responsible testing practices.

Typology: Exams

2025/2026

Available from 01/22/2026

shilpi-jain-2
Certified Mobile Pentester Android
CMPenAndroid Exam
**Question 1. Which component of the Android stack provides a consistent interface to hardware drivers?**
A) Android Runtime (ART)
B) Hardware Abstraction Layer (HAL)
C) Native Libraries
D) Linux Kernel
Answer: B
Explanation: HAL abstracts hardware specifics so the Android framework can interact with devices uniformly, regardless of the underlying hardware implementation.
**Question 2. In Android’s sandbox model, what primary mechanism isolates each application’s memory space?**
A) Process priority levels
B) User ID (UID) separation
C) File system permissions only
D) Network namespace isolation
Answer: B
Explanation: Android assigns a unique UID to each app, ensuring that apps run in separate Linux processes and cannot directly access each other’s memory or files.
**Question 3. Which permission protection level requires the user to explicitly grant access at runtime on Android 6.0 and later?**
A) Normal
B) Signature
C) Dangerous
D) System
Answer: C
Explanation: Dangerous permissions protect user‑privacy data; they must be requested and approved by the user during app execution starting with Marshmallow (API 23).
**Question 4. Which ADB command lists all installed packages on a connected device?**
A) adb shell pm list packages
B) adb install -l
C) adb devices -p
D) adb logcat -b packages
Answer: A
Explanation: adb shell pm list packages queries the package manager on the device and returns a list of all installed package names.
**Question 5. When configuring a proxy for an Android device running Android 7.0+, where must the CA certificate be installed to allow user‑installed apps to trust it?**
A) System trusted store (/system/etc/security/cacerts)
B) User trusted store (/data/misc/user/0)
C) External SD card root directory
D) No installation needed; Android trusts all proxies by default
Answer: A
Explanation: From Android 7.0 onward, user‑installed certificates are not trusted by apps targeting API 24+. Installing the certificate in the system store (requires root) makes it globally trusted.
**Question 6. Which tool converts an APK’s DEX files into Java bytecode that can be inspected with JD‑GUI?**
A) apktool
B) dex2jar
**Question 9. Which Android storage location is most vulnerable to being read by any other app without root?**
A) Internal private files (/data/data/<pkg>/files)
B) SharedPreferences with MODE_PRIVATE
C) External storage root (/sdcard/)
D) SQLite database in internal storage
Answer: C
Explanation: Files placed on external storage are world‑readable (and writable) by default, allowing any app with storage permission to access them.
**Question 10. Which command captures a live network trace from the device using ADB and saves it to the host machine?**
A) adb shell tcpdump -i any -w /sdcard/capture.pcap && adb pull /sdcard/capture.pcap
B) adb logcat -b net > net.log
C) adb shell netstat -p > net.txt
D) adb forward tcp:8080 tcp:
Answer: A
Explanation: tcpdump runs on the device, writes a PCAP file, and adb pull retrieves it for analysis on the host.
**Question 11. Which Frida API is used to replace the implementation of a Java method at runtime?**
A) Interceptor.attach()
B) Java.use()
C) Java.perform()
D) Java.override()
Answer: B
Explanation: Java.use('com.example.Class') returns a wrapper that lets you replace or overload methods of the target Java class.
**Question 12. When bypassing SSL pinning with Frida, which class is commonly hooked on Android to disable certificate validation?**
A) java.net.URLConnection
B) okhttp3.CertificatePinner
C) android.webkit.WebView
D) javax.net.ssl.X509TrustManager
Answer: D
Explanation: Overriding methods of X509TrustManager (e.g., checkServerTrusted) allows acceptance of any certificate, effectively disabling SSL pinning.
**Question 13. Which Android component is primarily used to receive broadcast intents from the system or other apps?**
A) Service
B) Activity
C) BroadcastReceiver
D) ContentProvider
Answer: C
Explanation: BroadcastReceiver classes are registered to listen for specific intent actions and are invoked when those intents are broadcast.
**Question 14. An exported ContentProvider allows query operations without authentication. Which SQL injection technique can be used to extract data?**
A) UNION SELECT attack in the selection argument
B) Buffer overflow in the uri parameter
A) READ_PHONE_STATE
B) ACCESS_FINE_LOCATION
C) READ_CONTACTS
D) READ_EXTERNAL_STORAGE
Answer: A
Explanation: READ_PHONE_STATE grants access to telephony identifiers such as IMEI, MEID, and device serial number.
**Question 18. Which cryptographic algorithm is considered insecure for hashing passwords in Android apps?**
A) SHA‑256
B) PBKDF2WithHmacSHA
C) MD5
D) Argon
Answer: C
Explanation: MD5 is vulnerable to collision attacks and fast brute‑forcing; it should never be used for password hashing.
**Question 19. Which Android flag, when set on an Activity, prevents screenshots and screen recordings?**
A) android:windowIsTranslucent="true"
B) android:secure="true" in the layout XML
C) getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE)
D) android:allowBackup="false"
Answer: C
Explanation: FLAG_SECURE tells the system to treat the window as secure, disallowing screenshots and screen captures.
**Question 20. Which of the following best describes a “tapjacking” attack on Android?**
A) Overriding the back button to exit the app silently
B) Displaying a transparent overlay that captures user taps intended for the underlying app
C) Injecting malicious code into the app’s APK during build time
D) Exploiting a buffer overflow in native libraries
Answer: B
Explanation: Tapjacking uses an invisible UI element to trick users into tapping buttons they cannot see, potentially performing privileged actions.
**Question 21. When performing dynamic analysis, which tool can automatically detect and disable root detection checks in an app?**
A) Frida‑Gadget
B) Objection
C) Apktool
D) Burp Suite
Answer: B
Explanation: Objection provides built‑in commands like android root detection disable to bypass common root‑check implementations at runtime.
**Question 22. Which Android API level introduced runtime permissions for dangerous permissions?**
A) API 19 (KitKat)
B) API 21 (Lollipop)
C) API 23 (Marshmallow)
D) API 26 (Oreo)
C) Encrypt the database content with SQLCipher
D) Disable android:allowBackup in the manifest only
Answer: C
Explanation: SQLCipher provides transparent encryption of SQLite databases, preventing unauthorized reading even if the file is accessed.
**Question 26. Which of the following intent flags can be abused to launch an activity in a different task, facilitating a “task hijacking” attack?**
A) FLAG_ACTIVITY_NEW_TASK
B) FLAG_ACTIVITY_SINGLE_TOP
C) FLAG_ACTIVITY_CLEAR_TOP
D) FLAG_ACTIVITY_NO_HISTORY
Answer: A
Explanation: FLAG_ACTIVITY_NEW_TASK forces the activity to start in a new task, which can be leveraged to overlay a malicious task over a legitimate one (StrandHogg).
**Question 27. When a developer uses android:debuggable="true" in production, which risk is introduced?**
A) The app cannot be installed on devices running Android 10+
B) Attackers can attach a debugger and manipulate runtime behavior
C) The app’s APK size doubles automatically
D) The app’s network traffic is automatically encrypted
Answer: B
Explanation: debuggable enables debugging tools (e.g., JDWP) to attach, allowing inspection, memory dumping, and code manipulation.
**Question 28. Which of the following is a recommended practice to avoid insecure data leakage through Logcat?**
A) Log all user inputs for audit purposes
B) Use Log.e for every message regardless of severity
C) Strip sensitive information before calling any Log.* method
D) Store log files on external storage for easier access
Answer: C
Explanation: Removing or masking PII before logging prevents accidental exposure via Logcat, which can be read by other apps with the READ_LOGS permission (or on rooted devices).
**Question 29. Which Android component can be declared as “exported” implicitly if it contains an intent filter?**
A) Service
B) BroadcastReceiver
C) ContentProvider
D) All of the above
Answer: D
Explanation: Any component with an <intent-filter> is implicitly exported unless android:exported="false" is explicitly set.
**Question 30. In a Frida script, which function is used to hook native (C/C++) functions?**
A) Interceptor.attach()
B) Java.use()
C) ObjC.import()
D) Module.enumerateExports()
Answer: A
C) READ_EXTERNAL_STORAGE
D) ACCESS_MEDIA_LOCATION
Answer: A
Explanation: Under the legacy model (before scoped storage), WRITE_EXTERNAL_STORAGE grants write access to external storage.
**Question 34. Which of the following is a sign that an app is using a custom (and potentially weak) encryption routine?**
A) Presence of javax.crypto.Cipher classes in the source code
B) Use of Base64.encodeToString() for “encryption” of data
C) Calls to MessageDigest.getInstance("SHA-256")
D) Implementation of KeyStore for key management
Answer: B
Explanation: Developers sometimes misuse Base64 encoding as “encryption,” which offers no confidentiality and is a clear indicator of weak protection.
**Question 35. Which Android manifest attribute controls whether an app’s data can be backed up to Google Drive?**
A) android:allowBackup
B) android:fullBackupOnly
C) android:restoreAnyVersion
D) android:backupAgent
Answer: A
Explanation: Setting android:allowBackup="false" disables the automatic backup of the app’s data to the cloud.
**Question 36. When analyzing an APK with apktool, which folder contains the decompiled resources (XML, images, etc.)?**
A) smali/
B) res/
C) assets/
D) lib/
Answer: B
Explanation: apktool extracts and decodes the res/ directory, providing human‑readable XML layout files and other resources.
**Question 37. Which HTTP header is most commonly used to enforce strict transport security on Android apps communicating with a backend?**
A) X-Content-Type-Options
B) Strict-Transport-Security (STS)
C) X-Frame-Options
D) Content-Security-Policy
Answer: B
Explanation: The Strict-Transport-Security header tells browsers (and WebView) to only use HTTPS for subsequent connections to the domain.
**Question 38. Which of the following is a typical way to bypass a client‑side checksum validation in an Android app?**
A) Modify the APK’s AndroidManifest.xml to remove the checksum tag
B) Hook the checksum method with Frida and force it to return true
C) Change the device’s timezone to affect checksum calculation
D) Disable the device’s Wi‑Fi to prevent checksum updates
Answer: B
D) TelephonyManager.getNetworkOperatorName() returns “Emulator”
Answer: A
Explanation: Emulators often have identifiable fingerprints such as “generic” or “unknown” in Build.FINGERPRINT.
**Question 42. Which of the following is the most reliable way to ensure that a WebView does not expose the JavaScript interface to untrusted content?**
A) Call setJavaScriptEnabled(true) only after loading the page
B) Add the interface after the page finishes loading
C) Use removeJavascriptInterface("android") before loading untrusted URLs
D) Disable JavaScript completely with setJavaScriptEnabled(false)
Answer: D
Explanation: Disabling JavaScript eliminates the risk of any JavaScript‑based interaction, including misuse of added interfaces.
**Question 43. Which Android permission is required for an app to read the device’s contacts?**
A) READ_CONTACTS
B) ACCESS_FINE_LOCATION
C) READ_PHONE_STATE
D) WRITE_CONTACTS
Answer: A
Explanation: READ_CONTACTS grants permission to query the contacts provider for stored contacts.
**Question 44. Which of the following is a correct method to protect an exported BroadcastReceiver from unauthorized intents?**
A) Set android:exported="false" in the manifest
B) Use a custom permission in <intent-filter> and require it in the receiver’s declaration
C) Declare the receiver in the android:process attribute
D) Add android:debuggable="true" to the receiver tag
Answer: B
Explanation: Requiring a custom permission forces any sender to hold that permission, limiting who can broadcast to the receiver.
**Question 45. Which of the following statements about Android’s “Scoped Storage” introduced in Android 10 is true?**
A) Apps can freely read/write any file on external storage without permission
B) Apps must use MediaStore or app‑specific directories for most external files
C) Scoped storage removes the need for the READ_EXTERNAL_STORAGE permission entirely
D) It only affects system apps, not third‑party apps
Answer: B
Explanation: Scoped storage restricts direct file path access; apps should use MediaStore APIs or their own private external directories.
**Question 46. Which tool can be used to automatically generate a list of all exported components in an APK?**
A) apktool
B) dex2jar
C) jadx
D) mobSF (Mobile Security Framework)
Answer: D
Explanation: mobSF parses the manifest and provides a detailed report of exported activities, services, receivers, and providers.
Answer: C
Explanation: A hidden activity that accepts a secret action can act as a backdoor, allowing privileged operations when invoked.
**Question 50. Which of the following is the correct way to protect a SQLite database using SQLCipher?**
A) Call SQLiteDatabase.openOrCreateDatabase(path, null, null)
B) Use net.sqlcipher.database.SQLiteDatabase with a passphrase via openOrCreateDatabase
C) Store the database on external storage and set file permissions to 600
D) Enable android:exported="false" on the ContentProvider that accesses the DB
Answer: B
Explanation: SQLCipher’s SQLiteDatabase class requires a passphrase to encrypt/decrypt the database file.
**Question 51. Which Android manifest attribute determines whether an activity can be launched from a URL scheme?**
A) android:launchMode
B) android:taskAffinity
C) android:exported
D) android:scheme
Answer: C
Explanation: android:exported="true" allows external intents (including those from custom URL schemes) to start the activity.
**Question 52. Which of the following best describes the purpose of the android:networkSecurityConfig attribute?**
A) Define VPN configurations for the app
B) Specify custom certificate authorities and cleartext traffic policies
C) Set the maximum number of concurrent network threads
D) Enable or disable Wi‑Fi scanning
Answer: B
Explanation: networkSecurityConfig points to an XML resource that can whitelist CAs, enable cleartext, and configure pinning.
**Question 53. Which of the following is a common method to detect if an Android device is rooted?**
A) Check for the existence of /system/app/Superuser.apk
B) Verify that the device’s IMEI starts with “ROOT”
C) Query Build.VERSION.SDK_INT for a special root value
D) Attempt to open a Bluetooth socket without permission
Answer: A
Explanation: The presence of known root management apps (e.g., Superuser) or binaries (e.g., su) is a typical indicator of a rooted device.
**Question 54. Which of the following is the correct way to disable SSL pinning using the Objection tool?**
A) objection --gadget android sslpinning disable
B) objection android hook sslpinning off
C) objection --startup-script disable_sslpinning.js
D) objection android patch sslpinning true
Answer: A
Explanation: The command objection --gadget android sslpinning disable instructs Objection to patch SSL pinning checks at runtime.