The PrepIQ Certified Mobile Pentester Android CMPenAndroid Ultimate Exam assesses expertise in Android application security testing, mobile malware analysis, reverse engineering, API exploitation, and Android vulnerability assessments. The certification covers secure mobile architectures, application tampering, runtime analysis, and Android penetration testing methodologies. It is ideal for mobile security professionals, penetration testers, and Android developers seeking advanced Android security expertise.
Question 1. Which layer of the Android stack is directly responsible for translating hardware-specific calls into a uniform API for the higher-level framework?
A) Linux Kernel
B) Hardware Abstraction Layer (HAL)
C) Android Runtime (ART)
D) Native Libraries
Answer: B
Explanation: The HAL provides a consistent interface to hardware components, allowing the Android framework to interact with diverse hardware without needing to know vendor-specific details.

Question 2. In Android's sandbox model, what primary attribute guarantees that two applications cannot read each other's private files?
A) Package name uniqueness
B) UID separation per application
C) Signature verification
D) SELinux policies
Answer: B
Explanation: Each app runs under its own Linux UID, which isolates its file system namespace from other apps, enforcing process-level isolation.

Question 3. A permission declared with android:protectionLevel="signature" can be granted to which of the following apps?
A) Any app that requests it at runtime
B) Only apps signed with the same certificate as the declaring app
C) System apps only
D) Apps installed on the external storage
Answer: B
Explanation: Signature-level permissions are granted only to apps signed with the same developer certificate, ensuring trusted communication between apps from the same vendor.
Question 4. Which ADB command lists all installed packages on a connected device?
A) adb shell pm list packages
B) adb install -l
C) adb devices -p
D) adb logcat -p
Answer: A
Explanation: pm list packages is a package manager command executed via ADB shell that prints every installed package name.

Question 5. When configuring an emulator for API level 30, which setting must be adjusted to allow installation of apps that target API 30 but use cleartext HTTP?
A) Enable "Use Host GPU"
B) Set android:usesCleartextTraffic="true" in the manifest
C) Add -allow-http flag to the emulator start command
D) Disable "Play Store" option in AVD configuration
Answer: B
Explanation: The manifest attribute android:usesCleartextTraffic="true" permits cleartext network traffic for the app, overriding the default block on API 28+ devices.

Question 6. To intercept HTTPS traffic from an Android 10 device using Burp Suite, which of the following steps is mandatory?
A) Root the device and replace /system/etc/ssl/certs
B) Install Burp's CA certificate as a user-installed certificate and enable "Network security config" to trust user certificates
C) Disable SELinux enforcement
D) Use a VPN-based proxy instead of a traditional HTTP proxy
Answer: B
Answer: B
Explanation: The prefix AIzaSy is characteristic of Firebase (Google) API keys, which are often hard-coded in Android apps.

Question 10. Which Android storage location is considered private and not accessible by other apps without root privileges?
A) /sdcard/ (external storage)
B) /data/data//shared_prefs/
C) /storage/emulated/0/
D) /mnt/sdcard/
Answer: B
Explanation: The shared_prefs directory resides in the app's private internal storage, protected by the app's UID.

Question 11. An analyst notices that an app logs the value of access_token using Log.d("Auth", token). Why is this considered insecure?
A) Logcat output can be read by any app with READ_LOGS permission on Android 4.0+
B) Logcat buffers are persisted to disk after device reboot
C) Debug logs may be captured by an attacker with physical access or via a compromised device
D) The token is automatically sent to Google Play for analytics
Answer: C
Explanation: Logcat entries can be accessed by apps with appropriate permissions or via a rooted device, exposing sensitive tokens.

Question 12. Which of the following is a common indicator that a content provider is vulnerable to SQL injection?
A) The provider's URI contains a query parameter named id
B) The provider's query method concatenates the selection argument directly into an SQLite statement without using placeholders
C) The provider exports only read-only methods
D) The provider uses SQLiteOpenHelper for database creation
Answer: B
Explanation: Direct concatenation of user-controlled selection strings enables attackers to inject malicious SQL.

Question 13. When attempting to bypass SSL pinning with Frida, which Java method is typically intercepted?
A) java.net.Socket.connect
B) javax.net.ssl.HttpsURLConnection.getSSLSocketFactory
C) android.webkit.WebView.loadUrl
D) android.content.Intent.sendBroadcast
Answer: B
Explanation: Overriding getSSLSocketFactory (or checkServerTrusted) allows the injection of a custom TrustManager that accepts any certificate, effectively disabling pinning.

Question 14. An Android app checks for root by executing Runtime.getRuntime().exec("which su"). Which Frida script technique can neutralize this check?
A) Hook java.lang.Runtime.exec and force it to return a dummy Process object with empty output
B) Replace the /system/xbin/su binary with a non-executable file
C) Modify the SELinux policy to deny execve calls
D) Delete the su binary from the device filesystem
Answer: A
Explanation: Hooking Runtime.exec and forcing a benign result prevents the app from detecting the presence of the su binary.

Question 15. Which command lists all currently running services on a device, useful for identifying background components an attacker could target?
A) adb shell ps -A
B) adb shell dumpsys activity services
C) Base64 adds a checksum that can be exploited
D) The Android system logs all SharedPreferences content
Answer: A
Explanation: Base64 is merely an encoding scheme; anyone with access to the file can decode it and retrieve the clear-text password.

Question 19. Which Android manifest attribute controls whether an activity can be launched from a URI scheme?
A) android:exported
B) android:launchMode
C) android:autoVerify
D) android:taskAffinity
Answer: C
Explanation: android:autoVerify enables the system to verify the association between the app's domain and the intent filter, facilitating deep link handling.

Question 20. The android:debuggable="true" flag is set in an app's manifest. What risk does this introduce?
A) The app will run with elevated privileges
B) Attackers can attach a debugger to the process and inspect memory or bypass checks
C) The app's network traffic will be automatically logged
D) The app will be automatically signed with the debug keystore
Answer: B
Explanation: A debuggable app permits any debugger (including Frida, JDWP) to attach, allowing inspection and modification of runtime behavior.

Question 21. Which of the following is the correct ADB command to pull a file from the device's internal storage when the device is not rooted?
A) adb pull /data/data/com.example/files/config.json
B) adb exec-out run-as com.example cat /data/data/com.example/files/config.json > config.json
C) adb shell cp /data/data/com.example/files/config.json /sdcard/
D) adb shell su -c "cat /data/data/com.example/files/config.json"
Answer: B
Explanation: run-as allows a non-rooted app's UID to read its own private files, and exec-out streams the output to the host.

Question 22. Which of the following best describes the purpose of a "network security config" XML file in Android?
A) Defines firewall rules for the device
B) Specifies which certificates are trusted for TLS connections per app or domain
C) Controls Wi-Fi SSID whitelisting
D) Enables VPN routing for the app
Answer: B
Explanation: The network security config allows developers to customize trust anchors, cleartext traffic policies, and certificate pinning per app.

Question 23. When performing dynamic analysis, an analyst notices that the app validates the server's certificate fingerprint against a hardcoded SHA-256 hash. Which mitigation technique can bypass this check?
A) Replace the server certificate with one that matches the hash
B) Use Frida to hook java.security.MessageDigest.digest and return the expected hash value regardless of input
C) Modify the app's manifest to disable certificate validation
D) Use a proxy that injects the hash into the TLS handshake
Answer: B
Explanation: Hooking the digest function to always return the expected hash defeats the pinning verification.

Question 24. Which Android component is most appropriate for receiving a broadcast when the device boots up, and what permission must be declared?
Question 27. Which method in the Android framework can be used to check whether an incoming Intent contains a dangerous permission request?
A) PackageManager.checkPermission()
B) Context.checkCallingOrSelfPermission()
C) Intent.filterEquals()
D) ActivityManager.isLowMemory()
Answer: B
Explanation: checkCallingOrSelfPermission() verifies if the caller (or the app itself) holds a specific permission, enabling runtime checks for dangerous permissions.

Question 28. An app uses Cipher.getInstance("AES/CBC/PKCS5Padding") with a hardcoded IV of 0000000000000000. Why is this practice insecure?
A) The IV should be random and unique per encryption operation to prevent pattern leakage
B) CBC mode is deprecated on Android 10+
C) PKCS5Padding is vulnerable to padding oracle attacks on mobile devices
D) AES keys must be at least 256 bits on Android
Answer: A
Explanation: A static IV defeats the purpose of CBC's randomness, allowing attackers to infer relationships between ciphertexts.

Question 29. Which of the following is a typical sign of a "tapjacking" vulnerability in an Android app?
A) The app uses FLAG_SECURE on its windows
B) An overlay activity is launched with TYPE_APPLICATION_OVERLAY without checking isTouchModal
C) The app disables onTouchEvent handling for all views
D) The app's manifest sets android:hardwareAccelerated="false"
Answer: B
Explanation: Overlays that can receive touch events while the underlying app is visible enable tapjacking, allowing attackers to trick users into clicking hidden UI elements.
Question 30. When analyzing an APK, you find a proguard.cfg file that maps obfuscated class names to original names. How does this affect the difficulty of reverse engineering?
A) It makes reverse engineering easier because the original names are available
B) It has no effect; ProGuard only obfuscates resources, not code
C) It increases difficulty because the mapping is encrypted
D) It prevents the APK from being installed on devices with API 30+
Answer: A
Explanation: The presence of a mapping file directly reveals the original class and method names, greatly simplifying static analysis.

Question 31. Which ADB command enables the device to forward all TCP traffic on port 8080 to the host's port 8080, useful for proxying app traffic?
A) adb forward tcp:8080 tcp:8080
B) adb reverse tcp:8080 tcp:8080
C) adb tcpip 8080
D) adb port-forward 8080
Answer: A
Explanation: adb forward creates a tunnel from the device's specified port to the host, allowing the device to send traffic to a local proxy listening on the same port.

Question 32. An attacker wants to exploit a vulnerable WebView that loads URLs from an intent extra named url. Which technique can lead to Remote Code Execution?
A) Supply a file:///android_asset/malicious.html URL that contains a malicious JavaScriptInterface call
B) Use a tel: scheme to trigger a phone call
C) Provide a mailto: link to the WebView
D) Send a malformed HTTP header to crash the WebView
Answer: A
Explanation: apksigner verify --print-certs displays the signing certificate details, including the SHA-256 fingerprint.

Question 36. An app uses SharedPreferences with MODE_WORLD_READABLE. What security implication does this have?
A) The preferences are encrypted automatically
B) Any other app can read the stored data, potentially exposing sensitive information
C) The preferences are only accessible by the system UI
D) This mode is ignored on Android 8.0+
Answer: B
Explanation: MODE_WORLD_READABLE makes the file world-readable, allowing other apps to access its contents.

Question 37. Which of the following is a proper way to protect an exported Service from being started by malicious apps?
A) Set android:exported="false" in the manifest
B) Require a custom permission in the `` tag and enforce it in onStartCommand
C) Use android:enabled="false"
D) Declare the service in a separate APK
Answer: B
Explanation: Declaring a custom permission and checking it at runtime ensures only callers holding that permission can start the service, while still allowing legitimate inter-app communication.

Question 38. When analyzing an app's network traffic, you notice that the Authorization header contains a Base64 string that decodes to user:password. What type of authentication is being used?
A) OAuth 2.0 Bearer Token
B) Basic Authentication
C) Digest Authentication
D) JWT Token
Answer: B
Explanation: Base64-encoded username:password is the format for HTTP Basic Authentication.

Question 39. Which Android API allows an app to detect whether it is running on an emulator?
A) Build.FINGERPRINT.contains("generic")
B) PackageManager.isEmulator()
C) System.getProperty("android.emulator")
D) Settings.Global.getInt("emulator_mode", 0)
Answer: A
Explanation: Checking Build.FINGERPRINT, MODEL, or other properties for strings like "generic" or "google_sdk" is a common emulator detection technique.

Question 40. An attacker wants to exploit a vulnerable ContentProvider that concatenates the selection argument directly into a raw query. Which payload could retrieve the entire users table?
A) selection = "1=1"
B) selection = "username='admin'"
C) selection = "id=0"
D) selection = "NULL"
Answer: A
Explanation: 1=1 is always true, causing the query to return all rows if no other constraints are applied.

Question 41. Which of the following statements about Android's WorkProfile is correct?
A) Apps in a work profile share the same UID as personal apps
B) Network traffic from work profile apps cannot be intercepted by a regular proxy
B) Enables automatic OTA updates for the app
C) Allows the app to write to external storage without permission
D) Controls whether the app can be installed on multiple users simultaneously
Answer: A
Explanation: allowBackup indicates if the app's data may be included in backup operations, potentially exposing sensitive information if set to true.

Question 45. When using adb shell to list all installed packages that request the READ_SMS permission, which command chain is appropriate?
A) adb shell pm list packages -f | grep READ_SMS
B) adb shell dumpsys package permissions | grep READ_SMS
C) adb shell pm list packages -3
D) adb shell getprop ro.build.version.sdk
Answer: B
Explanation: dumpsys package permissions prints permission assignments per package; grepping for READ_SMS reveals which apps request it.

Question 46. Which of the following is a recommended practice for protecting API keys in Android applications?
A) Hard-code them in Java source and obfuscate with ProGuard
B) Store them in plain text inside the assets folder
C) Retrieve them from a secure backend after user authentication
D) Embed them in the manifest as a custom permission
Answer: C
Explanation: Fetching secrets from a protected server after authentication reduces the risk of extraction from the APK.

Question 47. An app uses FileProvider to share a file via content:// URI. Which Android component must be declared to grant temporary read permission to receiving apps?
A) `` in the manifest
B) only
C) only
D) only
Answer: A
Explanation: enables the app to grant read/write access to the specific URI when sending an intent.

Question 48. Which of the following is a sign that an exported Activity may be vulnerable to "credential dumping" via intent spoofing?
A) The activity checks Intent.getExtras() for a token but does not verify the caller's identity
B) The activity requires a login screen before displaying content
C) The activity uses android:screenOrientation="portrait"
D) The activity is declared with android:launchMode="singleTask"
Answer: A
Explanation: Accepting data from an intent without confirming the sender allows an attacker to craft a malicious intent containing fabricated credentials.

Question 49. In the context of Android's KeyStore, which statement is true?
A) Keys generated in the AndroidKeyStore are exportable by default
B) The KeyStore can store symmetric keys only on devices running Android 9+
C) Private keys stored in the hardware-backed Keystore cannot be extracted by the app code
D) The KeyStore is accessible to all apps on the device
Answer: C
Explanation: When hardware-backed, the private key never leaves the secure element, preventing extraction even by the owning app.

Question 50. Which of the following is the most effective method to detect a "StrandHogg" attack on an Android device?
Question 53. Which of the following Android permissions is considered "signatureOrSystem" in older API levels?
A) android.permission.ACCESS_FINE_LOCATION
B) android.permission.INSTALL_PACKAGES
C) android.permission.READ_CONTACTS
D) android.permission.VIBRATE
Answer: B
Explanation: INSTALL_PACKAGES is a signature-level permission, granted only to system or apps signed with the same certificate as the OS.

Question 54. When performing a dynamic analysis, an analyst uses adb shell setprop log.tag. VERBOSE to increase logging for a specific tag. What is the effect of this command?
A) It disables all logging for the tag
B) It forces the Android runtime to output verbose logs for that tag, aiding debugging
C) It changes the log level globally for all tags
D) It writes the logs to a file on the device's external storage
Answer: B
Explanation: Setting the property for a specific tag to VERBOSE enables detailed logcat output for that tag.

Question 55. Which of the following is a correct way to disable SSL pinning in an app that uses OkHttp's CertificatePinner class, using Frida?
A) Hook okhttp3.CertificatePinner.check and replace it with a no-op function
B) Replace the OkHttpClient.Builder with a custom builder that disables pinning
C) Modify the app's network_security_config.xml at runtime
D) Delete the CertificatePinner class from the dex file using smali
Answer: A
Explanation: Overriding the check method to do nothing bypasses the pinning verification without altering the app's bytecode.
Question 56. An app's AndroidManifest.xml includes . Which of the following statements is true?
A) The app will not run on devices with API level 30 or higher
B) The app can request runtime permissions introduced after API 21
C) The app is forced to use the legacy permission model
D) The app must be compiled with Java 8 features only
Answer: B
Explanation: With targetSdkVersion 30, the app follows the runtime permission model for dangerous permissions introduced after API 21.

Question 57. Which of the following is NOT a typical step in the "proxy setup" phase for intercepting Android app traffic?
A) Installing the proxy's CA certificate as a system certificate
B) Configuring the device's Wi-Fi proxy settings to point to the proxy host and port
C) Modifying the app's AndroidManifest.xml to include
D) Enabling "Allow cleartext traffic" if the app blocks HTTP
Answer: C
Explanation: Adding the INTERNET permission is a compile-time requirement; it does not affect proxy configuration at runtime.

Question 58. Which of the following is the most reliable way to detect that an Android app is running on a rooted device?
A) Checking for the existence of /system/xbin/su
B) Attempting to write to /system and catching a permission error
C) Using the RootBeer library's comprehensive checks (including native binaries, environment variables, and SELinux status)
D) Reading the ro.debuggable system property
Answer: C