1. Which of the following is the most secure way to store sensitive data in an Android application?
A) SharedPreferences
B) SQLite Database
C) Internal Storage
D) Android Keystore
Answer: D) Android Keystore
Explanation: The Android Keystore provides a secure environment to store cryptographic keys, ensuring they cannot be extracted from the device. Other storage options, such as SharedPreferences and SQLite, are more vulnerable to attacks like rooting, data extraction, and reverse engineering.
2. What is the primary purpose of iOS App Transport Security (ATS)?
A) To enforce HTTPS connections
B) To block insecure Wi-Fi networks
C) To prevent reverse engineering
D) To limit background data usage
Answer: A) To enforce HTTPS connections
Explanation: App Transport Security (ATS) ensures that all connections made by an iOS app use HTTPS with strong encryption (TLS 1.2 or higher). It improves security by preventing data from being intercepted via man-in-the-middle (MITM) attacks.
3. What security risk is associated with hardcoding API keys in mobile applications?
A) Key reusability
B) Easy retrieval through reverse engineering
C) API rate-limiting
D) Slow application performance
Answer: B) Easy retrieval through reverse engineering
Explanation: Hardcoding API keys in an app makes them easily accessible to attackers using tools like decompilers and static analysis tools. A better approach is to use backend authentication mechanisms or secure vaults.
4. Which Android security mechanism helps to prevent unauthorized access to user data by restricting an app's permissions?
A) Runtime Permissions
B) ProGuard
C) Android Manifest
D) Keystore
Answer: A) Runtime Permissions
Explanation: Runtime Permissions (introduced in Android 6.0) require users to grant permissions at runtime instead of during installation, reducing the risk of excessive permissions being misused.
5. In iOS, which security feature ensures that only Apple-approved apps run on a device?
A) App Sandboxing
B) Code Signing
C) Keychain
D) ATS
Answer: B) Code Signing
Explanation: Code Signing ensures that all iOS apps are signed with a valid Apple Developer certificate, preventing malicious or unauthorized applications from running on iOS devices.
6. What is the purpose of Android’s ProGuard tool?
A) Secure app permissions
B) Detect security vulnerabilities
C) Obfuscate and optimize code
D) Encrypt user data
Answer: C) Obfuscate and optimize code
Explanation: ProGuard helps protect Android apps by obfuscating code, making it harder for attackers to reverse-engineer an application. It also reduces app size and removes unused code.
7. Why is storing passwords in plaintext within an app a bad practice?
A) It increases app size
B) It makes authentication faster
C) It exposes user credentials if the app is compromised
D) It improves data recovery
Answer: C) It exposes user credentials if the app is compromised
Explanation: Storing passwords in plaintext makes them vulnerable to data leaks, memory dumps, and reverse engineering attacks. Always use hashed and salted storage mechanisms.
8. What is the best way to prevent SQL Injection attacks in a mobile app?
A) Use input validation
B) Use parameterized queries
C) Escape special characters
D) Hide the database location
Answer: B) Use parameterized queries
Explanation: Parameterized queries prevent SQL injection by ensuring that user input is treated as data rather than executable code. Input validation also helps, but it is not foolproof.
9. Which iOS security feature provides a secure way to store credentials like usernames and passwords?
A) iCloud Backup
B) Secure Enclave
C) Keychain
D) UserDefaults
Answer: C) Keychain
Explanation: The iOS Keychain provides a secure, encrypted storage mechanism for sensitive user data such as passwords and authentication tokens.
10. What does Android's SELinux (Security-Enhanced Linux) do?
A) Encrypts application data
B) Implements mandatory access control (MAC)
C) Restricts internet access
D) Blocks malicious apps
Answer: B) Implements mandatory access control (MAC)
Explanation: SELinux enforces mandatory access control (MAC) policies, ensuring apps and processes only access resources they are authorized to use.
11. What is an effective way to prevent reverse engineering of Android APKs?
A) Encrypting the APK file
B) Using code obfuscation
C) Hiding the app icon
D) Removing debug logs
Answer: B) Using code obfuscation
Explanation: Obfuscation makes code difficult to decompile and understand, reducing the risk of attackers extracting sensitive logic from an APK.
12. Which of the following is a common attack on insecure mobile APIs?
A) Buffer Overflow
B) Credential Stuffing
C) Rate-Limiting Attack
D) Man-in-the-middle (MITM)
Answer: D) Man-in-the-middle (MITM)
Explanation: Mobile apps often communicate with APIs, and if they don't use HTTPS (TLS) properly, attackers can intercept and modify requests via MITM attacks.
13. What is the best way to securely handle session tokens in a mobile app?
A) Store them in local storage
B) Store them in SharedPreferences
C) Store them in a secure keychain/keystore
D) Encode them in Base64
Answer: C) Store them in a secure keychain/keystore
Explanation: Session tokens should be stored in secure locations like Android Keystore or iOS Keychain, which prevent unauthorized access.
14. Which attack is most likely if a mobile app does not validate SSL/TLS certificates properly?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Man-in-the-middle (MITM) attack
D) Remote Code Execution
Answer: C) Man-in-the-middle (MITM) attack
Explanation: Without proper SSL/TLS validation, attackers can intercept traffic and inject malicious data via MITM attacks.
15. How can mobile apps prevent data leakage via logs?
A) Disable logging in production
B) Encrypt all log files
C) Store logs in external storage
D) Use shorter log messages
Answer: A) Disable logging in production
Explanation: Logs may contain sensitive information, so verbose logging should be disabled in production builds to prevent unintentional data exposure.
16. What is the primary risk of allowing an Android app to run on a rooted device?
A) Increased battery usage
B) Higher network bandwidth consumption
C) Elevated privileges for malware and unauthorized access
D) Reduced app performance
Answer: C) Elevated privileges for malware and unauthorized access
Explanation: Rooted devices bypass Android's security model, allowing malware or attackers to gain full system access. Security-sensitive apps should detect rooting and prevent execution.
17. Which of the following techniques can help detect if an iOS app is running on a jailbroken device?
A) Checking for existence of Cydia app
B) Scanning network traffic
C) Verifying app store installation date
D) Checking GPS location
Answer: A) Checking for existence of Cydia app
Explanation: Jailbreaking allows installation of apps like Cydia, which are unavailable on non-jailbroken iOS devices. Apps can check for jailbreak indicators like write access outside the sandbox.
18. Why should mobile applications avoid storing sensitive data in clipboard memory?
A) Clipboard can be accessed by other apps
B) It increases app size
C) It slows down performance
D) It makes debugging harder
Answer: A) Clipboard can be accessed by other apps
Explanation: Clipboard data is globally accessible, meaning malicious apps can read sensitive data like passwords, credit card details, or authentication tokens.
19. What is an effective way to secure biometric authentication in mobile apps?
A) Store biometric data in the app database
B) Use platform-provided biometric APIs
C) Convert biometric data into Base64 format
D) Send biometric data to the server for processing
Answer: B) Use platform-provided biometric APIs
Explanation: Both Android (BiometricPrompt API) and iOS (Face ID, Touch ID) provide secure, hardware-backed biometric authentication without exposing raw biometric data.
20. What security measure can protect sensitive mobile app data from being intercepted via screen recording?
A) Using App Transport Security (ATS)
B) Enabling Secure Flag in Android
C) Storing data in local storage
D) Encrypting the screen pixels
Answer: B) Enabling Secure Flag in Android
Explanation: Android's Secure Flag (FLAG_SECURE) prevents sensitive screens from being captured via screenshots, screen recording, or recent apps preview.
21. What type of security flaw occurs if an app does not properly validate user authentication tokens?
A) SQL Injection
B) Token Replay Attack
C) Buffer Overflow
D) Side-Channel Attack
Answer: B) Token Replay Attack
Explanation: Token Replay Attacks occur when authentication tokens are stolen and reused, leading to unauthorized access. Tokens should have short lifespans and be validated on the backend.
22. How can an Android app securely store API keys?
A) Hardcode them in the app source code
B) Store them in SharedPreferences
C) Use environment variables
D) Store them in Android Keystore
Answer: D) Store them in Android Keystore
Explanation: Android Keystore securely stores cryptographic keys, preventing them from being extracted through reverse engineering.
23. What is a common security risk when using third-party SDKs in mobile apps?
A) Increased battery consumption
B) Harder debugging process
C) Unintended data leakage
D) Slower app updates
Answer: C) Unintended data leakage
Explanation: Some third-party SDKs collect user data without explicit consent. Always review SDK permissions and use privacy-focused alternatives.
24. Which is the most secure way to handle session management in a mobile app?
A) Use JWT stored in local storage
B) Use HTTP-only cookies with secure attributes
C) Store session tokens in a text file
D) Use Base64-encoded tokens
Answer: B) Use HTTP-only cookies with secure attributes
Explanation: HTTP-only, Secure, and SameSite cookies prevent session hijacking, XSS, and CSRF attacks in mobile web apps.
25. What is the risk of exposing an app's manifest file in Android?
A) Performance issues
B) Unauthorized access to app components
C) Slow internet speed
D) Higher power consumption
Answer: B) Unauthorized access to app components
Explanation: A poorly configured AndroidManifest.xml can expose sensitive components (activities, services, broadcast receivers) to unauthorized apps.
26. What is a common risk when using deep linking in mobile apps?
A) Phishing attacks
B) Longer app launch time
C) Increased app crashes
D) Higher memory usage
Answer: A) Phishing attacks
Explanation: If deep links are not properly validated, attackers can redirect users to malicious sites or applications.
27. How can iOS apps securely handle sensitive configuration data?
A) Store it in UserDefaults
B) Use the iOS Keychain
C) Hardcode in Swift code
D) Store in plaintext files
Answer: B) Use the iOS Keychain
Explanation: iOS Keychain provides an encrypted and secure storage mechanism for API keys, passwords, and sensitive configurations.
28. Which type of attack exploits a lack of proper SSL/TLS certificate validation?
A) SQL Injection
B) SSL Stripping Attack
C) Cross-Site Scripting (XSS)
D) Buffer Overflow
Answer: B) SSL Stripping Attack
Explanation: SSL Stripping downgrades HTTPS connections to HTTP, exposing sensitive data to attackers.
29. What security risk is associated with improper use of WebView in Android apps?
A) JavaScript Injection
B) Increased memory consumption
C) Screen flickering
D) Slow animations
Answer: A) JavaScript Injection
Explanation: If WebView loads external JavaScript without restrictions, attackers can execute JavaScript Injection (XSS-like attacks).
30. What technique can prevent API abuse in mobile apps?
A) Using hardcoded API keys
B) Implementing rate limiting
C) Storing API responses locally
D) Removing API authentication
Answer: B) Implementing rate limiting
Explanation: Rate limiting prevents brute force and DoS attacks by restricting the number of API requests per user/IP.
31. What is the purpose of Certificate Pinning in mobile applications?
A) To speed up HTTPS connections
B) To prevent SSL/TLS certificate forgery and MITM attacks
C) To store SSL certificates locally for offline use
D) To allow self-signed certificates
Answer: B) To prevent SSL/TLS certificate forgery and MITM attacks
Explanation: Certificate Pinning ensures that a mobile app only trusts a specific SSL/TLS certificate or certificate authority (CA), preventing attackers from using forged certificates in MITM attacks.
32. How can an iOS app detect runtime code injection attacks?
A) Monitoring system logs
B) Checking for unsigned dynamic libraries (dylibs)
C) Analyzing network traffic
D) Disabling push notifications
Answer: B) Checking for unsigned dynamic libraries (dylibs)
Explanation: Attackers may inject unsigned dylibs to manipulate iOS applications. Apps can detect this by scanning their runtime environment for unauthorized libraries.
33. What is the most secure way to store cryptographic keys in an iOS app?
A) Storing them in CoreData
B) Hardcoding them in the app source code
C) Using the iOS Secure Enclave
D) Saving them in UserDefaults
Answer: C) Using the iOS Secure Enclave
Explanation: The Secure Enclave is a dedicated hardware-based security module in iOS devices that securely handles cryptographic operations and prevents key extraction.
34. What is a potential risk of using weak hashing algorithms like MD5 or SHA-1 in mobile apps?
A) Increased memory consumption
B) Susceptibility to collision attacks
C) Slower encryption speeds
D) Excessive CPU usage
Answer: B) Susceptibility to collision attacks
Explanation: MD5 and SHA-1 are considered weak because attackers can find collisions, where two different inputs produce the same hash, leading to security breaches.
35. How can an Android app verify its integrity at runtime?
A) Checking the app's digital signature
B) Scanning installed apps
C) Disabling third-party app stores
D) Encrypting the app's manifest file
Answer: A) Checking the app's digital signature
Explanation: By verifying the digital signature at runtime, an Android app can detect if it has been tampered with or modified by an attacker.
36. What attack occurs when an attacker replaces a legitimate Android app with a malicious one without the user noticing?
A) Tapjacking
B) Fake ID Attack
C) Overlay Attack
D) Trojan Injection
Answer: B) Fake ID Attack
Explanation: The Fake ID vulnerability allows malicious apps to impersonate trusted applications by exploiting certificate validation weaknesses in Android.
37. Why should sensitive user data never be stored in the app’s local cache?
A) Cached data is hard to retrieve
B) It can be easily accessed if the device is rooted
C) It slows down the app
D) Cached data increases battery consumption
Answer: B) It can be easily accessed if the device is rooted
Explanation: Local cache is not encrypted by default and can be accessed by attackers if the device is compromised. Instead, secure storage mechanisms should be used.
38. What is a key security risk when using push notifications for mobile apps?
A) Excessive battery consumption
B) Unauthorized message interception
C) Limited message size
D) Slow message delivery
Answer: B) Unauthorized message interception
Explanation: Push notification data can be intercepted if proper encryption and authentication are not applied, leading to leaks of sensitive information.
39. How can Android apps prevent unauthorized code execution via dynamic code loading?
A) Using ProGuard for code obfuscation
B) Restricting app components in the manifest
C) Disabling DexClassLoader and WebView dynamic execution
D) Encrypting the app's assets folder
Answer: C) Disabling DexClassLoader and WebView dynamic execution
Explanation: Attackers can load malicious dynamic code (DEX files) at runtime using DexClassLoader or execute JavaScript via WebView. Disabling these features improves security.
40. What security measure should be taken when implementing OAuth 2.0 in mobile applications?
A) Storing OAuth tokens in plaintext
B) Using client secrets in mobile apps
C) Implementing PKCE (Proof Key for Code Exchange)
D) Allowing unrestricted token expiration
Answer: C) Implementing PKCE (Proof Key for Code Exchange)
Explanation: PKCE enhances OAuth 2.0 security by preventing authorization code interception and is especially important in mobile apps.
41. Why is it dangerous to grant unnecessary Android permissions to an app?
A) It slows down the installation process
B) It increases security risks if an attacker exploits a vulnerability
C) It makes the app consume more storage
D) It reduces network speed
Answer: B) It increases security risks if an attacker exploits a vulnerability
Explanation: Excessive app permissions can be misused by malicious apps or attackers to gain access to sensitive data.
42. What is the purpose of Secure Boot in mobile devices?
A) Preventing malware from running at startup
B) Encrypting internal storage
C) Improving battery performance
D) Speeding up system updates
Answer: A) Preventing malware from running at startup
Explanation: Secure Boot ensures that only signed and verified software runs at device startup, preventing boot-level malware.
43. What is an effective way to detect repackaged malware versions of mobile apps?
A) Using content delivery networks (CDNs)
B) Checking the app package signature
C) Enabling automatic app updates
D) Reducing app permissions
Answer: B) Checking the app package signature
Explanation: Repackaged malware often modifies the original app and resigns it with a different digital signature. Apps can verify their package signature to detect tampering.
44. What mobile attack involves tricking users into clicking an invisible layer over an app?
A) Keylogging
B) Clickjacking
C) Overlay Injection
D) Buffer Overflow
Answer: B) Clickjacking
Explanation: Clickjacking occurs when an attacker places an invisible UI layer over an app, causing users to click on unintended elements.
45. Why should mobile apps avoid using WebView to load sensitive information?
A) WebView increases app size
B) WebView can be exploited for phishing attacks
C) WebView reduces screen resolution
D) WebView increases battery consumption
Answer: B) WebView can be exploited for phishing attacks
Explanation: Attackers can inject malicious scripts into WebView to steal credentials or conduct phishing attacks.
46. What is a secure way to handle mobile session expiration?
A) Automatically logging users out after a fixed time
B) Allowing indefinite session persistence
C) Storing session data in a cookie
D) Encrypting session data in local storage
Answer: A) Automatically logging users out after a fixed time
Explanation: Implementing session expiration prevents session hijacking and replay attacks.
47. What is the best way to prevent side-channel attacks on mobile devices?
A) Using strong cryptographic algorithms
B) Disabling debugging features in production
C) Avoiding excessive logging
D) Preventing unauthorized memory access
Answer: D) Preventing unauthorized memory access
Explanation: Side-channel attacks exploit leakage of sensitive data from power usage, cache access, or memory interactions.
48. What is the primary risk associated with biometric authentication in mobile applications?
A) High power consumption
B) Susceptibility to biometric spoofing attacks
C) Reduced app performance
D) Slower authentication process
Answer: B) Susceptibility to biometric spoofing attacks
Explanation: Biometric spoofing attacks involve using fake fingerprints, face masks, or synthetic voice recordings to trick biometric authentication systems. Apps should use liveness detection and multi-factor authentication (MFA) to mitigate these risks.
49. What security measure can help prevent SIM swapping attacks on mobile applications?
A) Implementing rate limiting
B) Using SMS-based authentication as the only factor
C) Enforcing multi-factor authentication (MFA)
D) Storing user credentials in plaintext
Answer: C) Enforcing multi-factor authentication (MFA)
Explanation: SIM swapping attacks occur when an attacker convinces a carrier to transfer a user's phone number to a new SIM card, intercepting SMS-based authentication codes. Using MFA (e.g., hardware tokens, authentication apps) reduces reliance on SMS for security.
50. Which method is recommended for securing mobile API communication?
A) Sending API requests over HTTP
B) Using OAuth 2.0 with token-based authentication
C) Hardcoding API credentials in the app
D) Allowing unlimited API requests without verification
Answer: B) Using OAuth 2.0 with token-based authentication
Explanation: OAuth 2.0 is a secure authentication framework that ensures API communications are protected using tokens, preventing credential leaks and unauthorized access.
51. How can mobile apps prevent side-loading of malicious third-party APKs?
A) Encrypting the app's assets folder
B) Blocking third-party app stores at the OS level
C) Enforcing app signature verification
D) Disabling internet access for the app
Answer: C) Enforcing app signature verification
Explanation: Signature verification ensures that the installed app has not been modified or repackaged by a third party before installation.
52. What is the risk of using weak or hardcoded encryption keys in mobile applications?
A) Increased app latency
B) Easier decryption by attackers
C) Higher memory consumption
D) Increased API request times
Answer: B) Easier decryption by attackers
Explanation: Hardcoded encryption keys are easy to extract through reverse engineering, making encryption ineffective. Keys should be securely generated and stored in a secure vault (e.g., Android Keystore, iOS Secure Enclave).
53. Which of the following is an example of a supply chain attack in mobile applications?
A) Phishing attacks targeting mobile users
B) Attackers injecting malicious code into third-party libraries used by an app
C) Man-in-the-middle attacks on app traffic
D) Over-the-air updates
Answer: B) Attackers injecting malicious code into third-party libraries used by an app
Explanation: Supply chain attacks occur when attackers compromise third-party dependencies or SDKs, injecting malicious code that gets distributed in trusted mobile applications.
54. What security risk is associated with exposing debug logs in a mobile application?
A) Increased app performance
B) Exposing sensitive information (API keys, tokens, stack traces)
C) Faster authentication process
D) Slower network connections
Answer: B) Exposing sensitive information (API keys, tokens, stack traces)
Explanation: Debug logs may contain sensitive details like authentication tokens, API keys, and system information, which can be exploited by attackers.
55. How does Android's SafetyNet API enhance app security?
A) Detecting rooted/jailbroken devices and unauthorized modifications
B) Encrypting all user data
C) Improving battery optimization
D) Disabling access to web content
Answer: A) Detecting rooted/jailbroken devices and unauthorized modifications
Explanation: SafetyNet helps developers check if an Android device has been compromised (rooted, bootloader unlocked, or modified), preventing security-sensitive applications from running on untrusted environments.
56. What is a best practice for handling mobile app updates securely?
A) Allowing users to install updates from any source
B) Using code signing and secure over-the-air (OTA) updates
C) Disabling app version checks
D) Encouraging users to sideload APKs for faster updates
Answer: B) Using code signing and secure over-the-air (OTA) updates
Explanation: Code signing ensures that app updates are from a trusted source, and secure OTA updates prevent attackers from injecting malicious code.
57. What type of mobile app vulnerability involves tricking a user into installing an app disguised as a legitimate one?
A) Clickjacking
B) Phishing
C) Rogue App Attack
D) Cryptographic Attack
Answer: C) Rogue App Attack
Explanation: Rogue app attacks involve distributing fake or malicious apps that impersonate legitimate applications to steal credentials, payment information, or personal data.
58. What is the main security concern with granting an Android app the “READ_SMS” permission?
A) Increased app storage size
B) Potential exposure of OTPs and personal messages
C) Reduced app performance
D) Increased app startup time
Answer: B) Potential exposure of OTPs and personal messages
Explanation: READ_SMS permission can allow apps to access and read SMS messages, making it a target for malware that steals OTPs or personal communication.
59. How can a mobile app protect against session hijacking attacks?
A) Using secure session tokens with short expiration times
B) Allowing unlimited session duration
C) Storing session tokens in plaintext
D) Hardcoding session IDs in the app
Answer: A) Using secure session tokens with short expiration times
Explanation: Session hijacking occurs when an attacker steals a valid session token. Using short-lived, securely stored tokens with refresh mechanisms reduces the risk.
60. What is a security risk of using WebSockets in mobile applications?
A) High memory consumption
B) Lack of encryption and authentication can expose sensitive data
C) Slower data transmission
D) Incompatibility with Android and iOS
Answer: B) Lack of encryption and authentication can expose sensitive data
Explanation: WebSockets provide real-time communication but must be properly secured using TLS (wss://) and authentication tokens to prevent eavesdropping, MITM attacks, and data interception.
61. What security risk arises from improper WebView implementation in mobile apps?
A) Faster loading of web content
B) Increased memory usage
C) Exposure to JavaScript injection and phishing attacks
D) Reduced battery life
Answer: C) Exposure to JavaScript injection and phishing attacks
Explanation: Improper WebView implementation can expose mobile apps to JavaScript Injection (XSS) and phishing attacks, allowing malicious sites to steal user data.
62. What is the recommended security measure to prevent token theft in OAuth 2.0-based mobile applications?
A) Using short-lived tokens with refresh tokens
B) Hardcoding access tokens in the app
C) Using only bearer tokens without expiration
D) Disabling SSL/TLS verification
Answer: A) Using short-lived tokens with refresh tokens
Explanation: Short-lived tokens reduce the window of exposure if compromised. Refresh tokens allow re-authentication without exposing user credentials.
63. Which of the following is an effective way to prevent unauthorized screen overlays in Android?
A) Disabling keyboard input
B) Checking for SYSTEM_ALERT_WINDOW overlays
C) Encrypting user data
D) Using full-screen mode
Answer: B) Checking for SYSTEM_ALERT_WINDOW overlays
Explanation: Malicious overlays (Tapjacking attacks) trick users into interacting with invisible elements. Detecting overlays prevents fraudulent interactions.
64. What is the best way to handle API rate limiting in mobile applications?
A) Allow unlimited API requests
B) Implementing server-side request throttling
C) Using client-side rate limiting
D) Encrypting API requests
Answer: B) Implementing server-side request throttling
Explanation: Rate limiting prevents brute force attacks, API abuse, and denial-of-service (DoS) attacks by restricting the number of API requests per user or IP.
65. What security feature should be used to prevent iOS Keychain data from being accessible if the device is compromised?
A) Secure Boot
B) Keychain Access Control with biometric authentication
C) Disabling background services
D) Removing stored credentials after 24 hours
Answer: B) Keychain Access Control with biometric authentication
Explanation: Keychain Access Control can be configured to require Face ID, Touch ID, or passcode before accessing stored data, enhancing protection against unauthorized access.
66. Why should mobile apps avoid using the “android:debuggable” attribute in production builds?
A) It increases the app size
B) It allows attackers to attach a debugger and analyze app behavior
C) It prevents the app from being installed on rooted devices
D) It slows down application performance
Answer: B) It allows attackers to attach a debugger and analyze app behavior
Explanation: If an app is marked android:debuggable="true", attackers can attach debugging tools to manipulate or extract sensitive data.
67. How can mobile apps protect against Clipboard Sniffing Attacks?
A) Encrypting clipboard content
B) Clearing clipboard data after use
C) Storing clipboard data in local storage
D) Restricting clipboard usage to user sessions only
Answer: B) Clearing clipboard data after use
Explanation: Clipboard Sniffing Attacks occur when apps read clipboard content without user consent. Clearing clipboard data after sensitive actions prevents data leakage.
68. Which of the following is a security risk when using deep linking in mobile apps?
A) Enabling faster app navigation
B) Allowing arbitrary intents to be executed
C) Increased network latency
D) Battery drainage
Answer: B) Allowing arbitrary intents to be executed
Explanation: Unvalidated deep links can be exploited to execute arbitrary intents, leading to account takeovers, phishing, or data exfiltration.
69. What attack can occur if an app does not properly validate user authentication tokens?
A) SQL Injection
B) Token replay attack
C) Stack overflow attack
D) Cross-Site Request Forgery (CSRF)
Answer: B) Token replay attack
Explanation: Token replay attacks happen when stolen authentication tokens are reused by attackers to gain unauthorized access.
70. What is an effective way to prevent brute-force attacks on mobile login screens?
A) Using a weak password policy
B) Allowing unlimited login attempts
C) Implementing account lockout after multiple failed attempts
D) Disabling user authentication
Answer: C) Implementing account lockout after multiple failed attempts
Explanation: Account lockout mechanisms help mitigate brute-force attacks by temporarily locking an account after multiple failed login attempts.
71. How can mobile apps prevent unauthorized access to sensitive files stored on the device?
A) Storing files in external storage
B) Using encrypted storage mechanisms
C) Keeping all files in plaintext format
D) Allowing unrestricted file access
Answer: B) Using encrypted storage mechanisms
Explanation: File encryption ensures that even if an attacker gains access to stored files, they cannot read or modify the data.
72. Why should developers avoid using "allowBackup" in Android applications?
A) It increases application size
B) It allows unauthorized backup of app data, leading to data leakage
C) It slows down application execution
D) It prevents app installation on older devices
Answer: B) It allows unauthorized backup of app data, leading to data leakage
Explanation: allowBackup=true enables ADB backup, which allows attackers to extract app data without root access.
73. What is a security concern when using third-party keyboard apps on mobile devices?
A) High CPU usage
B) Unauthorized data collection and keylogging
C) Slow response times
D) Increased battery consumption
Answer: B) Unauthorized data collection and keylogging
Explanation: Third-party keyboards can capture everything typed, leading to potential password theft or personal data leaks.
74. How can mobile apps prevent clickjacking attacks?
A) Disabling logging
B) Implementing X-Frame-Options header
C) Allowing full-screen mode
D) Using WebView to load external pages
Answer: B) Implementing X-Frame-Options header
Explanation: The X-Frame-Options header prevents clickjacking attacks by blocking maliciously embedded iframes.
75. What is the primary risk of using Bluetooth for mobile data transfer without security configurations?
A) High battery consumption
B) Exposure to BlueBorne attacks
C) Increased latency
D) Reduced app performance
Answer: B) Exposure to BlueBorne attacks
Explanation: BlueBorne attacks exploit Bluetooth vulnerabilities to gain unauthorized control over devices.
76. How can mobile apps securely implement biometric authentication?
A) Storing biometric data in app local storage
B) Using platform-provided biometric APIs
C) Sending biometric data to external servers
D) Using MD5 to hash biometric data
Answer: B) Using platform-provided biometric APIs
Explanation: The Android BiometricPrompt API and iOS Face ID/Touch ID securely handle biometric authentication without exposing raw biometric data to the app.
77. What is the risk of allowing app installation from “unknown sources” in Android?
A) Increased installation speed
B) Potential installation of malware-infected apps
C) Reduced app update frequency
D) Improved battery life
Answer: B) Potential installation of malware-infected apps
Explanation: Enabling “unknown sources” allows side-loading of untrusted apps, which can contain malware or spyware.
78. What is SIM-jacking in mobile security?
A) A technique to speed up mobile network connections
B) An attack where an attacker transfers a victim’s phone number to a new SIM card
C) A method to improve Bluetooth security
D) A technique for optimizing app performance
Answer: B) An attack where an attacker transfers a victim’s phone number to a new SIM card
Explanation: SIM-jacking (SIM swap attack) occurs when an attacker fraudulently transfers a victim’s phone number to a new SIM card, allowing them to bypass SMS-based authentication and take over accounts.
79. What is a major security concern when using NFC (Near Field Communication) for mobile payments?
A) Reduced battery life
B) Increased data consumption
C) Eavesdropping and relay attacks
D) Slow transaction processing
Answer: C) Eavesdropping and relay attacks
Explanation: NFC-based payments are susceptible to eavesdropping and relay attacks, where an attacker intercepts or relays transaction data to bypass security mechanisms.
80. How can mobile applications protect users from advanced phishing attacks?
A) Encouraging users to disable 2FA
B) Using machine learning to detect phishing attempts
C) Allowing users to install unverified apps
D) Encouraging weak password policies
Answer: B) Using machine learning to detect phishing attempts
Explanation: AI-powered phishing detection can analyze URLs, text, and user behavior to detect and block phishing attacks in real time.
81. What is the primary risk of allowing JavaScript execution inside WebView without restrictions?
A) Increased app load time
B) Exposure to JavaScript Injection (XSS)
C) Reduced screen resolution
D) Higher RAM usage
Answer: B) Exposure to JavaScript Injection (XSS)
Explanation: If JavaScript execution is not properly controlled, attackers can inject malicious scripts to steal user data or manipulate the app’s behavior.
82. What is a security risk associated with failing to implement proper session expiration in mobile applications?
A) Increased storage consumption
B) Session hijacking and unauthorized access
C) Reduced app loading speed
D) Higher data usage
Answer: B) Session hijacking and unauthorized access
Explanation: Long-lived or never-expiring sessions increase the risk of session hijacking, allowing attackers to gain access to user accounts without reauthentication.
83. How can mobile applications detect and prevent unauthorized root access?
A) Checking for the presence of root access indicators (e.g., SU binary, Magisk)
B) Allowing app installation from unknown sources
C) Disabling user authentication
D) Hardcoding passwords in the app
Answer: A) Checking for the presence of root access indicators (e.g., SU binary, Magisk)
Explanation: Mobile apps can detect root access by checking for root management apps (Magisk, SuperSU) and for modifications to protected system files.
84. What is a key security concern when using Bluetooth Low Energy (BLE) in mobile apps?
A) Higher power consumption
B) Increased app installation size
C) Susceptibility to MITM (Man-in-the-Middle) attacks
D) Slower data transfer
Answer: C) Susceptibility to MITM (Man-in-the-Middle) attacks
Explanation: BLE communication can be intercepted and modified by MITM attackers if it is not properly encrypted and authenticated.
85. What security mechanism should be implemented to prevent unauthorized API access in mobile apps?
A) Allowing open API endpoints
B) Using API keys without validation
C) Implementing OAuth 2.0 with proper token validation
D) Hardcoding API credentials in the source code
Answer: C) Implementing OAuth 2.0 with proper token validation
Explanation: OAuth 2.0 provides secure API authentication, ensuring only authorized clients can access protected resources.
86. Why is it important to remove unused permissions from a mobile app?
A) To improve app UI
B) To reduce attack surface and limit potential exploits
C) To increase app startup speed
D) To improve screen responsiveness
Answer: B) To reduce attack surface and limit potential exploits
Explanation: Unnecessary permissions increase the attack surface, making the app more vulnerable to exploits, privilege escalation, and data leakage.
87. What type of attack occurs when a mobile app allows excessive API calls without any rate limiting?
A) Stack overflow attack
B) Denial-of-service (DoS) attack
C) Side-channel attack
D) Heap corruption
Answer: B) Denial-of-service (DoS) attack
Explanation: Without rate limiting, attackers can flood APIs with excessive requests, leading to DoS attacks that degrade or crash app services.
88. What is a primary risk of allowing unrestricted inter-process communication (IPC) in Android apps?
A) Increased app performance
B) Unauthorized data access between apps
C) Slower animation rendering
D) Lower network latency
Answer: B) Unauthorized data access between apps
Explanation: Unrestricted IPC allows malicious apps to read, modify, or intercept sensitive data shared between components.
89. What is an effective way to prevent unauthorized access to an iOS app’s sensitive user data?
A) Encrypting sensitive data using iOS Secure Enclave
B) Storing passwords in plaintext
C) Using hardcoded encryption keys
D) Disabling biometric authentication
Answer: A) Encrypting sensitive data using iOS Secure Enclave
Explanation: Secure Enclave provides hardware-backed encryption, protecting sensitive data even if the device is compromised.
90. How can developers protect Android apps from repackaging and tampering attacks?
A) Using Play Store security features and app signature verification
B) Removing app permissions
C) Allowing third-party app stores to distribute the app
D) Encrypting all API requests
Answer: A) Using Play Store security features and app signature verification
Explanation: App signature verification prevents attackers from modifying and repackaging apps with malware. Google Play Protect also helps detect tampered apps.
91. What is the primary security risk associated with improper implementation of biometric authentication in mobile apps?
A) Increased battery usage
B) Biometric spoofing attacks using fake fingerprints or facial images
C) Higher network latency
D) Reduced app performance
Answer: B) Biometric spoofing attacks using fake fingerprints or facial images
Explanation: If biometric authentication lacks liveness detection, attackers can use fake fingerprints, 3D-printed faces, or high-resolution photos to bypass security.
92. What attack exploits an unsecured broadcast receiver in an Android application?
A) Keylogging
B) Intent Sniffing
C) Memory Corruption
D) File Inclusion
Answer: B) Intent Sniffing
Explanation: Intent Sniffing occurs when an attacker listens to broadcast messages sent by an application, gaining access to sensitive data if proper permissions and security checks are not implemented.
93. What is a recommended security measure for securing mobile app network communication?
A) Using plaintext HTTP requests
B) Enforcing TLS 1.2+ with proper certificate validation
C) Disabling SSL/TLS
D) Using self-signed certificates
Answer: B) Enforcing TLS 1.2+ with proper certificate validation
Explanation: TLS 1.2 or higher ensures encrypted communication between mobile apps and servers, preventing MITM (Man-in-the-Middle) attacks and data interception.
94. What is the primary risk of using “Allow Arbitrary Loads” in iOS App Transport Security (ATS)?
A) Allows excessive API requests
B) Reduces app performance
C) Allows insecure HTTP communication, leading to MITM attacks
D) Slows down encryption
Answer: C) Allows insecure HTTP communication, leading to MITM attacks
Explanation: Allow Arbitrary Loads permits HTTP connections instead of HTTPS, making apps vulnerable to MITM and eavesdropping attacks.
95. What is the risk of exposing content providers without proper permission enforcement in Android?
A) High CPU usage
B) Unauthorized access to sensitive data
C) Reduced screen brightness
D) Increased power consumption
Answer: B) Unauthorized access to sensitive data
Explanation: Unprotected content providers can be queried by unauthorized apps, leading to leaks of user-sensitive information.
96. Which security feature ensures that iOS apps only load trusted dynamic libraries?
A) Code Obfuscation
B) App Transport Security (ATS)
C) Library Validation and Code Signing
D) Secure Clipboard Access
Answer: C) Library Validation and Code Signing
Explanation: Code Signing and Library Validation ensure that only Apple-approved libraries are loaded, preventing attackers from injecting malicious dynamic libraries into apps.
97. What is the main security concern when allowing auto-fill functionality for sensitive fields in mobile apps?
A) Increased API calls
B) Exposure of credentials to malicious apps
C) Slower app response time
D) Higher memory consumption
Answer: B) Exposure of credentials to malicious apps
Explanation: Auto-fill can be exploited by malicious apps to steal stored passwords and authentication data, leading to account takeovers.
98. How can developers prevent mobile apps from loading unauthorized web content?
A) Allowing all URLs to be loaded inside WebView
B) Using URL whitelisting and Content Security Policy (CSP)
C) Disabling WebView
D) Removing JavaScript support
Answer: B) Using URL whitelisting and Content Security Policy (CSP)
Explanation: URL whitelisting ensures that only trusted domains are allowed, while CSP helps prevent XSS and unauthorized content loading.
99. What security risk is introduced when allowing JavaScript execution inside WebView?
A) Slower network speeds
B) JavaScript Injection (XSS) attacks
C) Increased power consumption
D) Reduced app load time
Answer: B) JavaScript Injection (XSS) attacks
Explanation: JavaScript execution in WebView can lead to XSS attacks, allowing attackers to execute malicious scripts and steal user data.
100. What security measure helps detect unauthorized tampering with a mobile application?
A) Implementing app integrity checks and signature verification
B) Allowing third-party modifications
C) Hardcoding credentials in the source code
D) Using external authentication services
Answer: A) Implementing app integrity checks and signature verification
Explanation: App integrity checks verify that the application has not been modified, helping detect malicious modifications or repackaging.
101. What attack takes advantage of weak multi-factor authentication implementations?
A) Relay Attack
B) Smishing Attack
C) DoS Attack
D) Cache Poisoning
Answer: A) Relay Attack
Explanation: Relay attacks involve intercepting MFA authentication data and replaying it to bypass authentication mechanisms.
102. What is a common security risk when using weak cryptographic functions in mobile applications?
A) Slower app execution
B) Susceptibility to brute-force and collision attacks
C) Increased storage consumption
D) Reduced screen refresh rate
Answer: B) Susceptibility to brute-force and collision attacks
Explanation: Weak cryptographic algorithms (e.g., MD5, SHA-1) can be brute-forced or exploited using collision attacks, compromising encrypted data.
103. What security concern arises from improper handling of user session tokens?
A) Increased API response time
B) Session fixation and replay attacks
C) Reduced mobile network speed
D) Increased memory consumption
Answer: B) Session fixation and replay attacks
Explanation: If session tokens are not properly managed, attackers can reuse old tokens (replay attacks) or fix a session identifier before login (session fixation) to gain access.
104. What is the best way to securely store user authentication data in a mobile app?
A) Storing credentials in SharedPreferences (Android) or UserDefaults (iOS)
B) Using secure storage mechanisms like iOS Keychain or Android Keystore
C) Hardcoding authentication tokens in the app
D) Storing passwords in plaintext
Answer: B) Using secure storage mechanisms like iOS Keychain or Android Keystore
Explanation: Android Keystore and iOS Keychain provide hardware-backed, encrypted storage to securely store authentication credentials.
105. What security risk is introduced when using weak password complexity requirements in mobile applications?
A) Increased authentication speed
B) Vulnerability to brute-force and credential stuffing attacks
C) Reduced API latency
D) Faster data encryption
Answer: B) Vulnerability to brute-force and credential stuffing attacks
Explanation: Weak password policies make brute-force attacks easier, allowing attackers to guess user credentials and gain access.
106. How can developers prevent token theft in OAuth-based mobile authentication?
A) Storing tokens in plaintext files
B) Using refresh tokens and secure storage
C) Hardcoding access tokens in source code
D) Allowing tokens with unlimited validity
Answer: B) Using refresh tokens and secure storage
Explanation: Refresh tokens reduce exposure, and secure storage mechanisms (Keystore, Keychain) prevent unauthorized access to authentication tokens.
107. What is the primary security risk when integrating AI-powered chatbots in mobile applications?
A) Increased app latency
B) Exposure to prompt injection and data leakage attacks
C) Higher CPU consumption
D) Reduced network performance
Answer: B) Exposure to prompt injection and data leakage attacks
Explanation: AI-powered chatbots can be manipulated using prompt injection attacks, leading to data leakage, unauthorized API access, or bias exploitation.
108. How can developers prevent API abuse in mobile applications using AI-driven security measures?
A) Hardcoding API keys in the source code
B) Implementing behavioral analytics and anomaly detection
C) Allowing unrestricted API access
D) Using long-lived access tokens without expiration
Answer: B) Implementing behavioral analytics and anomaly detection
Explanation: AI-driven security can analyze user behavior, detect anomalies, and block API abuse, automated bot traffic, and credential stuffing attacks.
109. What is a security concern when integrating cloud-based authentication in mobile apps?
A) Slow authentication speed
B) Exposure to misconfigured cloud permissions and data leaks
C) Increased data storage usage
D) Reduced app UI performance
Answer: B) Exposure to misconfigured cloud permissions and data leaks
Explanation: Improperly configured cloud authentication services (e.g., AWS Cognito, Firebase Authentication) can lead to unintended data exposure and unauthorized access.
110. What is the primary advantage of using blockchain-based authentication in mobile applications?
A) Increased battery consumption
B) Decentralized authentication, reducing reliance on central identity providers
C) Faster network speed
D) Reduced API request times
Answer: B) Decentralized authentication, reducing reliance on central identity providers
Explanation: Blockchain-based authentication offers decentralized identity verification, reducing the risk of data breaches and single points of failure.
111. How can mobile applications securely handle Internet of Things (IoT) device authentication?
A) Using hardcoded device credentials
B) Implementing mutual TLS (mTLS) authentication
C) Allowing unauthenticated device connections
D) Storing authentication tokens in plaintext
Answer: B) Implementing mutual TLS (mTLS) authentication
Explanation: mTLS authentication ensures that both mobile apps and IoT devices authenticate each other, preventing unauthorized device access.
112. What is a potential risk of integrating third-party SDKs into a mobile application?
A) Increased user engagement
B) Data leakage and unauthorized tracking
C) Improved app performance
D) Reduced app size
Answer: B) Data leakage and unauthorized tracking
Explanation: Some third-party SDKs collect and transmit user data without consent, posing privacy and security risks.
113. What is the main security risk of exposing analytics endpoints in mobile apps?
A) Faster data processing
B) API scraping and data enumeration attacks
C) Improved user engagement
D) Increased network bandwidth usage
Answer: B) API scraping and data enumeration attacks
Explanation: If analytics endpoints are publicly accessible without proper authentication, attackers can scrape data or perform enumeration attacks.
114. What mobile security risk is associated with improper cryptographic key management?
A) Higher CPU consumption
B) Keys being exposed through reverse engineering or memory leaks
C) Increased app size
D) Reduced screen brightness
Answer: B) Keys being exposed through reverse engineering or memory leaks
Explanation: Weak cryptographic key management (e.g., hardcoded keys, improper storage) can lead to key theft and data decryption by attackers.
115. What type of security attack targets mobile apps by modifying app code and redistributing malicious versions?
A) Zero-click attack
B) Repackaging attack
C) Session hijacking
D) Cross-origin request forgery (CSRF)
Answer: B) Repackaging attack
Explanation: Repackaging attacks involve attackers modifying an app’s code and re-signing it with a new certificate to distribute a malicious version.
116. How can mobile apps protect against biometric replay attacks?
A) Using biometric data in plaintext
B) Implementing anti-replay mechanisms with cryptographic signing
C) Storing biometric templates in local storage
D) Disabling biometric authentication
Answer: B) Implementing anti-replay mechanisms with cryptographic signing
Explanation: Replay attacks occur when captured biometric data is reused for authentication. Cryptographic signing and liveness detection prevent such attacks.
117. What is a major security concern when handling sensitive mobile push notification data?
A) High CPU utilization
B) Data leakage if notifications are displayed on a locked screen
C) Faster authentication speed
D) Slower app startup
Answer: B) Data leakage if notifications are displayed on a locked screen
Explanation: Push notifications containing sensitive information (OTP, 2FA codes, personal messages) can be viewed by unauthorized users if displayed on the lock screen.
118. What security mechanism helps detect and prevent code injection attacks in mobile apps?
A) Allowing dynamic code execution
B) Implementing runtime application self-protection (RASP)
C) Disabling authentication
D) Storing logs in plaintext
Answer: B) Implementing runtime application self-protection (RASP)
Explanation: RASP solutions monitor and prevent code injection, hooking, and runtime manipulation attacks on mobile apps.
119. Why should mobile applications limit the use of background location tracking?
A) To prevent unauthorized tracking and privacy violations
B) To reduce CPU load
C) To increase battery life
D) To improve screen performance
Answer: A) To prevent unauthorized tracking and privacy violations
Explanation: Unrestricted background location tracking can be misused for stalking, unauthorized user tracking, and privacy violations.
120. What mobile security risk arises from allowing untrusted external links in WebView components?
A) Increased app load time
B) Exposure to phishing and drive-by download attacks
C) Increased RAM consumption
D) Lower screen resolution
Answer: B) Exposure to phishing and drive-by download attacks
Explanation: Untrusted links in WebView can lead to phishing scams and drive-by malware downloads, compromising the user’s device security.
121. What is a common security flaw when using OAuth 2.0 for mobile authentication?
A) Not using a secure random state parameter
B) Using strong passwords
C) Enforcing biometric authentication
D) Allowing multiple logins
Answer: A) Not using a secure random state parameter
Explanation: Without a secure state parameter, OAuth 2.0 implementations are vulnerable to Cross-Site Request Forgery (CSRF) attacks.
122. What mobile security risk arises from improperly handling push notifications?
A) High latency in message delivery
B) Leakage of sensitive data via exposed notifications
C) Increased app size
D) Reduced network speed
Answer: B) Leakage of sensitive data via exposed notifications
Explanation: Push notifications containing sensitive data (e.g., OTPs, authentication codes) can be viewed by unauthorized users if displayed on the lock screen.
123. What security control prevents unauthorized access to an Android app’s exported components?
A) Declaring components as “exported=true”
B) Using android:exported="false" in the manifest
C) Allowing deep linking without validation
D) Storing sensitive data in SharedPreferences
Answer: B) Using android:exported="false" in the manifest
Explanation: Android components (activities, services, broadcast receivers) should not be exported unless explicitly required, preventing unauthorized access by other apps.
124. What is the main risk of using weak JWT (JSON Web Token) secrets?
A) Reduced app startup speed
B) Susceptibility to brute-force and token forgery attacks
C) Increased API response time
D) Higher memory usage
Answer: B) Susceptibility to brute-force and token forgery attacks
Explanation: Weak JWT secrets can be brute-forced, allowing attackers to forge authentication tokens and impersonate users.
125. What type of attack occurs when an attacker intercepts and manipulates mobile app update packages?
A) Drive-by Download Attack
B) Man-in-the-middle (MITM) Attack
C) Side-Channel Attack
D) Phishing Attack
Answer: B) Man-in-the-middle (MITM) Attack
Explanation: If app updates are not signed and verified, attackers can modify or replace update packages via MITM attacks, injecting malware into the app.
126. What is a best practice for handling session timeouts in mobile applications?
A) Keeping sessions active indefinitely
B) Automatically logging out inactive users after a set period
C) Hardcoding session tokens
D) Allowing users to disable session expiration
Answer: B) Automatically logging out inactive users after a set period
Explanation: Session expiration prevents session hijacking and unauthorized access by automatically logging out users after inactivity.
127. How can developers protect a mobile app from API scraping attacks?
A) Implementing API rate limiting and user-agent validation
B) Allowing unlimited API requests
C) Hardcoding API keys in the app
D) Removing API authentication
Answer: A) Implementing API rate limiting and user-agent validation
Explanation: Rate limiting, user-agent checks, and bot detection help prevent scraping attacks, which involve extracting large amounts of data from APIs.
128. What type of attack exploits weak password reset mechanisms in mobile apps?
A) Token Replay Attack
B) Account Takeover Attack
C) XSS Attack
D) Memory Corruption Attack
Answer: B) Account Takeover Attack
Explanation: Weak password reset flows (e.g., guessable security questions, no email verification) allow attackers to take over user accounts.
129. How can mobile applications prevent unauthorized access to stored files?
A) Using encrypted file storage
B) Storing files in external storage
C) Using plaintext file formats
D) Disabling app updates
Answer: A) Using encrypted file storage
Explanation: Encrypted storage ensures that stored files cannot be accessed without proper authentication, preventing data breaches.
130. What security risk arises when mobile apps use weak encryption for local databases?
A) Higher CPU consumption
B) Increased risk of database decryption by attackers
C) Reduced network speed
D) Faster app loading times
Answer: B) Increased risk of database decryption by attackers
Explanation: Weak encryption (e.g., using outdated algorithms) allows attackers to decrypt local database contents, exposing user data.
131. What is the purpose of using a nonce in mobile authentication mechanisms?
A) To generate a static token for authentication
B) To prevent replay attacks by ensuring a request is unique
C) To slow down API requests
D) To encrypt passwords
Answer: B) To prevent replay attacks by ensuring a request is unique
Explanation: A nonce (number used once) prevents replay attacks, ensuring that each request is unique and cannot be reused.
132. What type of security risk occurs when mobile apps store authentication tokens in local storage?
A) Increased app performance
B) Exposure to token theft and session hijacking
C) Faster authentication speed
D) Improved app UI
Answer: B) Exposure to token theft and session hijacking
Explanation: Local storage is not secure for storing authentication tokens, as attackers can extract and reuse them for session hijacking.
133. How can mobile apps prevent insecure direct object references (IDOR)?
A) Implementing proper authorization checks on the backend
B) Allowing users to directly modify database queries
C) Hardcoding user roles in the app
D) Disabling encryption
Answer: A) Implementing proper authorization checks on the backend
Explanation: IDOR vulnerabilities occur when users can access or modify data without proper authorization. Backend validation is required to prevent this.
134. What is a recommended security control for securing biometric authentication in mobile apps?
A) Storing biometric data in plaintext
B) Using hardware-backed biometric APIs
C) Allowing remote biometric authentication
D) Disabling authentication logs
Answer: B) Using hardware-backed biometric APIs
Explanation: Secure biometric APIs (e.g., Android BiometricPrompt, iOS Face ID) ensure biometric data is processed in a secure enclave.
135. How can mobile apps detect unauthorized runtime modifications?
A) Implementing Runtime Application Self-Protection (RASP)
B) Hardcoding user credentials
C) Disabling application logging
D) Allowing unrestricted debugging
Answer: A) Implementing Runtime Application Self-Protection (RASP)
Explanation: RASP solutions monitor runtime behavior to detect tampering, hooking, and debugging attempts.
136. What is a major security risk when mobile apps allow unrestricted file uploads?
A) Excessive storage usage
B) Remote Code Execution (RCE) vulnerabilities
C) Reduced app performance
D) Higher memory consumption
Answer: B) Remote Code Execution (RCE) vulnerabilities
Explanation: Unrestricted file uploads can be exploited to upload malicious scripts, leading to RCE attacks.
137. How can developers protect API keys in a mobile application?
A) Storing API keys in backend servers instead of mobile apps
B) Hardcoding API keys in the app
C) Embedding API keys in HTML files
D) Allowing unrestricted access
Answer: A) Storing API keys in backend servers instead of mobile apps
Explanation: API keys should be stored on secure backend servers rather than in the app to prevent key theft.
138. What is the main security risk of failing to implement proper logging and monitoring in a mobile application?
A) Slower application performance
B) Difficulty detecting security breaches and attacks
C) Increased battery consumption
D) Higher network bandwidth usage
Answer: B) Difficulty detecting security breaches and attacks
Explanation: Without proper logging and monitoring, security breaches, unauthorized access, and API abuse may go unnoticed, delaying response actions.
139. How can developers prevent excessive permissions in mobile apps?
A) Requesting only necessary permissions based on app functionality
B) Requesting all possible permissions at installation
C) Using hardcoded access tokens
D) Allowing the app to run without authentication
Answer: A) Requesting only necessary permissions based on app functionality
Explanation: Excessive permissions can be exploited by malware or malicious apps. Requesting only what is necessary follows the principle of least privilege.
140. What type of vulnerability occurs when a mobile application allows unrestricted inter-app communication (IPC)?
A) Keylogging
B) Unauthorized data leakage and privilege escalation
C) Battery drain attacks
D) Reduced user experience
Answer: B) Unauthorized data leakage and privilege escalation
Explanation: Unrestricted IPC (Inter-Process Communication) can lead to unauthorized data access and privilege escalation attacks, allowing malicious apps to interact with secure components.
141. What mobile security risk is associated with allowing unrestricted intent redirections in Android apps?
A) Intent Spoofing Attacks
B) Faster background processing
C) Increased API response time
D) Improved app efficiency
Answer: A) Intent Spoofing Attacks
Explanation: Intent Spoofing occurs when a malicious app sends fake intents to manipulate the behavior of another app, potentially leading to unauthorized actions or data leaks.
142. How can developers mitigate the risks of code tampering and reverse engineering in mobile apps?
A) Using code obfuscation and integrity checks
B) Removing SSL/TLS encryption
C) Hardcoding user passwords
D) Allowing unrestricted debugging
Answer: A) Using code obfuscation and integrity checks
Explanation: Code obfuscation makes it difficult to reverse-engineer an app, while integrity checks detect unauthorized modifications and tampering.
143. What is the primary security risk when using weak SSL/TLS configurations in mobile applications?
A) Increased CPU consumption
B) Susceptibility to Man-in-the-Middle (MITM) attacks
C) Reduced battery life
D) Slower UI response
Answer: B) Susceptibility to Man-in-the-Middle (MITM) attacks
Explanation: Weak SSL/TLS configurations (e.g., TLS 1.0, self-signed certificates) make data interception and manipulation easier for attackers.
144. How can mobile applications detect and prevent unauthorized debugging attempts?
A) Checking for attached debuggers at runtime
B) Allowing unrestricted app modifications
C) Removing error logs
D) Storing debug logs in plaintext
Answer: A) Checking for attached debuggers at runtime
Explanation: Mobile apps can detect attached debuggers at runtime and terminate execution or trigger alerts to prevent unauthorized reverse engineering.
145. What is the purpose of App Transport Security (ATS) in iOS applications?
A) Enforcing HTTPS connections to prevent data interception
B) Improving screen resolution
C) Reducing battery consumption
D) Enhancing app startup speed
Answer: A) Enforcing HTTPS connections to prevent data interception
Explanation: App Transport Security (ATS) in iOS forces HTTPS connections, ensuring secure data transmission and preventing MITM attacks.
146. Why is it important to validate user-generated file uploads in mobile apps?
A) To prevent malicious file execution and code injection attacks
B) To reduce app startup time
C) To improve UI performance
D) To increase file transfer speeds
Answer: A) To prevent malicious file execution and code injection attacks
Explanation: Without proper validation, attackers can upload malicious files (e.g., scripts, executables), leading to Remote Code Execution (RCE) attacks.
147. What type of mobile security attack involves tricking a user into providing credentials via a fake login screen?
A) Phishing Attack
B) Clickjacking
C) SQL Injection
D) XML External Entity (XXE) Attack
β Answer: A) Phishing Attack
π Explanation: Phishing attacks use fake login screens to trick users into entering credentials, which are then stolen by attackers.
148. How can mobile applications prevent replay attacks on authentication requests?
A) Using time-based one-time passwords (TOTPs) and nonce values
B) Allowing indefinite session tokens
C) Storing passwords in plaintext
D) Removing session expiration
β Answer: A) Using time-based one-time passwords (TOTPs) and nonce values
π Explanation: Replay attacks occur when an attacker reuses old authentication data. Using TOTPs and nonce values ensures each request is unique.
149. What security feature prevents session hijacking in mobile applications?
A) Implementing secure session tokens with short expiration times
B) Allowing users to remain logged in indefinitely
C) Hardcoding session credentials in the app
D) Using plaintext authentication
β Answer: A) Implementing secure session tokens with short expiration times
π Explanation: Session hijacking can be mitigated by limiting token lifespan, using secure storage, and enforcing automatic logouts.
150. How can developers prevent side-channel attacks in mobile applications?
A) Using constant-time cryptographic operations
B) Allowing unrestricted root access
C) Removing authentication logs
D) Disabling session encryption
β Answer: A) Using constant-time cryptographic operations
π Explanation: Side-channel attacks analyze power consumption, execution time, or electromagnetic leaks to extract sensitive data. Constant-time operations mitigate this risk.
151. What security risk arises when mobile applications store authentication credentials in SharedPreferences or UserDefaults?
A) Increased app performance
B) Credentials can be extracted by attackers through device compromise
C) Faster authentication process
D) Improved session persistence
β Answer: B) Credentials can be extracted by attackers through device compromise
π Explanation: SharedPreferences (Android) and UserDefaults (iOS) are not secure storage locations for sensitive data. Attackers can retrieve stored credentials if the device is compromised.
152. What is the main risk of allowing web content loading inside a mobile application's WebView?
A) WebView content loads faster
B) The app is vulnerable to phishing and JavaScript injection attacks
C) Reduced CPU usage
D) Improved web navigation
β Answer: B) The app is vulnerable to phishing and JavaScript injection attacks
π Explanation: If WebView is not properly secured, attackers can inject malicious JavaScript, perform phishing attacks, or steal user data.
153. How can mobile apps prevent unauthorized access to clipboard data?
A) Automatically clearing clipboard content after a short time
B) Allowing unlimited clipboard access
C) Storing clipboard data in a local file
D) Disabling clipboard functionality
β Answer: A) Automatically clearing clipboard content after a short time
π Explanation: Sensitive data (e.g., passwords, API keys) copied to the clipboard can be stolen by other apps. Clearing clipboard content prevents data leaks.
154. What security measure prevents a mobile app from being modified or repackaged by attackers?
A) Implementing App Integrity Checks and Signature Verification
B) Removing authentication mechanisms
C) Allowing unrestricted debugging
D) Using hardcoded encryption keys
β Answer: A) Implementing App Integrity Checks and Signature Verification
π Explanation: App integrity checks ensure that an application has not been altered. Signature verification prevents attackers from modifying and redistributing a malicious version.
155. How can developers prevent mobile apps from exposing internal error messages to attackers?
A) Enabling generic error handling and logging errors securely
B) Displaying full stack traces to the user
C) Allowing apps to crash without error messages
D) Hardcoding API keys in the app
β Answer: A) Enabling generic error handling and logging errors securely
π Explanation: Detailed error messages may expose sensitive system information. Using generic error messages and secure logging prevents information leakage.
156. What security risk arises when mobile apps use hardcoded encryption keys?
A) Encryption performance is improved
B) Hardcoded keys can be extracted through reverse engineering
C) App performance is optimized
D) Memory usage is reduced
β Answer: B) Hardcoded keys can be extracted through reverse engineering
π Explanation: Attackers can decompile an app and retrieve hardcoded encryption keys, decrypt sensitive data, or bypass authentication mechanisms.
157. What security measure ensures that mobile apps establish secure connections to backend servers?
A) Certificate Pinning
B) Allowing self-signed certificates
C) Using HTTP instead of HTTPS
D) Disabling SSL/TLS
β Answer: A) Certificate Pinning
π Explanation: Certificate pinning prevents MITM (Man-in-the-Middle) attacks by ensuring that only a specific, trusted certificate is accepted by the app.
158. How can mobile applications prevent replay attacks during authentication?
A) Using nonce values and time-based tokens
B) Hardcoding session identifiers
C) Disabling multi-factor authentication
D) Storing passwords in plaintext
β Answer: A) Using nonce values and time-based tokens
π Explanation: Nonce values and one-time passwords (OTP) ensure that authentication requests are unique and cannot be replayed by attackers.
159. What is the best way to protect API secrets in a mobile application?
A) Storing them on a secure backend server instead of the app
B) Hardcoding API secrets in the source code
C) Embedding API keys in WebView scripts
D) Allowing unrestricted API access
β Answer: A) Storing them on a secure backend server instead of the app
π Explanation: API secrets should never be stored in mobile apps, as they can be extracted through reverse engineering. Instead, store them on a secure backend.
160. How can mobile apps detect if they are running on a rooted or jailbroken device?
A) Checking for the presence of root management apps (e.g., Magisk, Cydia)
B) Disabling user authentication
C) Allowing unrestricted file system access
D) Storing sensitive data in external storage
β Answer: A) Checking for the presence of root management apps (e.g., Magisk, Cydia)
π Explanation: Rooted/jailbroken devices bypass security protections, allowing attackers to modify apps, extract data, or bypass authentication.
161. How can mobile applications prevent tapjacking attacks?
A) Enforcing the FLAG_SECURE flag to prevent screen overlays
B) Allowing all apps to access screen content
C) Using transparent background UI elements
D) Allowing unrestricted UI modifications
β Answer: A) Enforcing the FLAG_SECURE flag to prevent screen overlays
π Explanation: Tapjacking attacks occur when an invisible overlay tricks users into clicking malicious buttons. FLAG_SECURE prevents overlays from capturing screen content.
162. What security risk occurs if an app does not verify input parameters sent to APIs?
A) Injection attacks, such as SQL Injection (SQLi) or Command Injection
B) Improved app performance
C) Reduced network bandwidth usage
D) Faster API responses
β Answer: A) Injection attacks, such as SQL Injection (SQLi) or Command Injection
π Explanation: Input validation is necessary to prevent attackers from injecting malicious commands into API requests.
163. What security mechanism helps protect against side-channel attacks in mobile applications?
A) Using constant-time cryptographic operations
B) Disabling all cryptographic functions
C) Storing encryption keys in plaintext
D) Hardcoding user passwords
β Answer: A) Using constant-time cryptographic operations
π Explanation: Side-channel attacks exploit timing differences in cryptographic operations. Using constant-time operations helps prevent such attacks.
164. What is a recommended practice for securing biometric authentication in mobile applications?
A) Using hardware-backed biometric APIs
B) Storing biometric data in local storage
C) Disabling biometric authentication
D) Using plaintext passwords instead
β Answer: A) Using hardware-backed biometric APIs
π Explanation: Hardware-backed biometric APIs (e.g., Android BiometricPrompt, iOS Face ID) provide secure authentication mechanisms that prevent biometric data leaks.
165. How can developers prevent session fixation attacks in mobile applications?
A) Generating a new session ID upon login
B) Reusing the same session ID for all users
C) Storing session IDs in plaintext
D) Allowing session persistence across devices
β Answer: A) Generating a new session ID upon login
π Explanation: Session fixation attacks occur when attackers set a known session ID before login. Regenerating session IDs upon authentication mitigates this risk.
166. What is the main security risk of using implicit intents in Android applications?
A) Increased battery consumption
B) Unintentional exposure of sensitive data to malicious apps
C) Slower app performance
D) Higher memory usage
β Answer: B) Unintentional exposure of sensitive data to malicious apps
π Explanation: Implicit intents can be intercepted by malicious apps, leading to data leakage or unauthorized execution of activities.
167. What type of attack exploits a mobile application that does not validate SSL/TLS certificates properly?
A) Man-in-the-Middle (MITM) Attack
B) SQL Injection Attack
C) Buffer Overflow Attack
D) XML External Entity (XXE) Attack
β Answer: A) Man-in-the-Middle (MITM) Attack
π Explanation: If a mobile app does not validate SSL/TLS certificates properly, attackers can intercept and manipulate network traffic using MITM attacks.
168. How can mobile applications protect sensitive user data stored in memory?
A) Clearing sensitive data from memory after use
B) Storing all data in plaintext format
C) Allowing unrestricted access to memory
D) Keeping sensitive data in cache indefinitely
β Answer: A) Clearing sensitive data from memory after use
π Explanation: Clearing sensitive data from memory ensures that attackers cannot extract passwords, tokens, or other confidential information from memory dumps.
169. What is the primary security risk when mobile applications allow unrestricted file downloads?
A) Increased storage consumption
B) Drive-by download attacks that install malware without user consent
C) Reduced internet speed
D) High CPU usage
β Answer: B) Drive-by download attacks that install malware without user consent
π Explanation: Unrestricted file downloads can lead to malicious file execution or automatic installation of malware, compromising the device.
170. What is a best practice for securing OAuth 2.0-based authentication in mobile apps?
A) Using PKCE (Proof Key for Code Exchange) for public clients
B) Storing access tokens in local storage
C) Allowing long-lived access tokens
D) Using hardcoded API keys
β Answer: A) Using PKCE (Proof Key for Code Exchange) for public clients
π Explanation: PKCE prevents authorization code interception attacks in OAuth 2.0 by ensuring that the authorization code can only be exchanged by the legitimate client.
171. How can mobile applications prevent unauthorized execution of background services?
A) Using proper permission checks and service restrictions
B) Allowing all apps to start background services
C) Storing service execution logs in plaintext
D) Disabling all authentication mechanisms
β Answer: A) Using proper permission checks and service restrictions
π Explanation: Background services should only be accessible to authorized applications to prevent privilege escalation attacks.
172. What security risk arises from exposing sensitive data through logging mechanisms in mobile applications?
A) Increased disk space usage
B) Sensitive data leaks if logs are accessed by unauthorized users
C) Improved debugging capabilities
D) Faster app performance
β Answer: B) Sensitive data leaks if logs are accessed by unauthorized users
π Explanation: Logging mechanisms may store authentication tokens, API keys, or user data, which can be exploited by attackers if logs are exposed.
173. How can mobile applications prevent unauthorized overlay attacks?
A) Enforcing the FLAG_SECURE flag to prevent screen overlays
B) Allowing all apps to access screen content
C) Using transparent background UI elements
D) Allowing unrestricted UI modifications
β Answer: A) Enforcing the FLAG_SECURE flag to prevent screen overlays
π Explanation: Overlay attacks trick users into interacting with fake UI elements. FLAG_SECURE prevents overlays from capturing screen content.
174. What is the best way to prevent API keys from being exposed in mobile applications?
A) Storing API keys on a secure backend server instead of embedding them in the app
B) Hardcoding API keys in the app
C) Storing API keys in SharedPreferences
D) Using API keys without authentication
β Answer: A) Storing API keys on a secure backend server instead of embedding them in the app
π Explanation: API keys should never be stored in mobile apps because attackers can extract them through reverse engineering.
175. How can mobile applications securely store sensitive configuration data?
A) Using encrypted storage mechanisms like Android Keystore and iOS Keychain
B) Storing them in plaintext files
C) Hardcoding them in the source code
D) Using weak encryption algorithms
β Answer: A) Using encrypted storage mechanisms like Android Keystore and iOS Keychain
π Explanation: Keystore (Android) and Keychain (iOS) provide secure, encrypted storage for sensitive configuration data.
176. How can developers protect mobile applications from brute-force login attacks?
A) Implementing account lockout and CAPTCHA verification
B) Allowing unlimited login attempts
C) Using weak password policies
D) Disabling authentication logs
β Answer: A) Implementing account lockout and CAPTCHA verification
π Explanation: Brute-force attacks try many login attempts in succession until the correct credentials are found. Account lockouts and CAPTCHA prevent automated attacks.
177. What is the main purpose of Runtime Application Self-Protection (RASP) in mobile security?
A) Detecting and preventing real-time attacks such as tampering, debugging, and hooking
B) Improving app performance
C) Reducing network requests
D) Allowing unrestricted debugging
β Answer: A) Detecting and preventing real-time attacks such as tampering, debugging, and hooking
π Explanation: RASP solutions provide real-time security monitoring and prevent runtime-based attacks like memory modification and reverse engineering.
178. How can developers prevent mobile applications from exposing API endpoints to unauthorized users?
A) Implementing authentication and access control checks on the backend
B) Allowing all users to access API endpoints
C) Removing API authentication
D) Hardcoding API responses in the app
β Answer: A) Implementing authentication and access control checks on the backend
π Explanation: API endpoints should be protected with authentication, authorization, and role-based access control (RBAC) mechanisms to prevent unauthorized access.
179. What is the primary risk of using weak encryption algorithms in mobile applications?
A) Increased battery drain
B) Encryption keys can be brute-forced by attackers
C) Reduced app UI performance
D) Lower app installation speed
β Answer: B) Encryption keys can be brute-forced by attackers
π Explanation: Weak encryption algorithms (e.g., MD5, SHA-1) can be cracked using brute-force attacks, exposing encrypted data.
180. How can mobile applications securely handle user sessions?
A) Using short-lived session tokens stored securely
B) Allowing indefinite session persistence
C) Hardcoding session tokens in the app
D) Storing session tokens in plaintext files
β Answer: A) Using short-lived session tokens stored securely
π Explanation: Short-lived session tokens reduce the risk of session hijacking, and secure storage mechanisms prevent unauthorized access.
181. What security risk arises if a mobile app does not enforce access control on sensitive actions?
A) Increased UI response time
B) Privilege escalation and unauthorized actions
C) Improved API response speed
D) Reduced network latency
β Answer: B) Privilege escalation and unauthorized actions
π Explanation: If a mobile app lacks access control, attackers can perform unauthorized actions, escalate privileges, and access restricted functionalities.
182. How can mobile applications prevent Cross-Site Request Forgery (CSRF) attacks on API endpoints?
A) Using anti-CSRF tokens and requiring authentication for state-changing requests
B) Allowing all cross-origin requests
C) Using weak authentication mechanisms
D) Storing CSRF tokens in local storage
β Answer: A) Using anti-CSRF tokens and requiring authentication for state-changing requests
π Explanation: CSRF tokens ensure that only legitimate user requests are executed, preventing attackers from forcing users to perform unintended actions.
183. What security risk occurs when a mobile application allows unrestricted deep linking?
A) Faster app launch time
B) Account takeovers and unauthorized actions
C) Reduced battery consumption
D) Improved user experience
β Answer: B) Account takeovers and unauthorized actions
π Explanation: Improperly secured deep links can be exploited for account takeovers, data leaks, or forced actions, compromising user security.
184. What is the most effective way to prevent session hijacking in mobile applications?
A) Using secure session tokens with short expiration times and HTTPS
B) Allowing persistent sessions indefinitely
C) Using hardcoded session tokens
D) Storing session IDs in local storage
β Answer: A) Using secure session tokens with short expiration times and HTTPS
π Explanation: Short-lived session tokens, secure storage, and TLS encryption protect against session hijacking attacks.
185. How can mobile applications prevent unauthorized WebSocket connections?
A) Using authentication tokens and TLS encryption for WebSockets
B) Allowing all WebSocket connections by default
C) Disabling authentication for WebSockets
D) Storing WebSocket session tokens in local storage
β Answer: A) Using authentication tokens and TLS encryption for WebSockets
π Explanation: Authenticated WebSocket connections with TLS encryption prevent session hijacking and unauthorized access.
186. What mobile security risk arises from improper implementation of biometric authentication?
A) Faster authentication speed
B) Biometric spoofing and replay attacks
C) Improved user experience
D) Lower network bandwidth usage
β Answer: B) Biometric spoofing and replay attacks
π Explanation: Lack of liveness detection and weak biometric implementations can allow spoofing attacks using fake fingerprints or facial images.
187. How can developers secure WebView-based authentication flows in mobile apps?
A) Using OAuth-based authentication with a secure external browser
B) Hardcoding user credentials in WebView
C) Allowing any domain to load within WebView
D) Using self-signed certificates
β Answer: A) Using OAuth-based authentication with a secure external browser
π Explanation: OAuth with secure browsers prevents credential theft and man-in-the-middle (MITM) attacks.
188. What is a common security risk of using hybrid mobile frameworks (e.g., Cordova, React Native)?
A) Higher memory usage
B) Exposure to web-based security vulnerabilities like XSS
C) Reduced app startup time
D) Increased UI performance
β Answer: B) Exposure to web-based security vulnerabilities like XSS
π Explanation: Hybrid apps often expose WebView components, making them susceptible to JavaScript Injection (XSS) and other web-based attacks.
189. How can developers protect against SQL Injection in mobile applications?
A) Using parameterized queries and ORM frameworks
B) Allowing direct SQL query execution from the frontend
C) Hardcoding database queries in the app
D) Using plaintext passwords for database connections
β Answer: A) Using parameterized queries and ORM frameworks
π Explanation: Parameterized queries ensure that user input is treated as data, preventing SQL injection attacks.
190. How can mobile apps prevent unauthorized device pairing via Bluetooth?
A) Requiring user authentication before allowing Bluetooth pairing
B) Allowing unrestricted Bluetooth connections
C) Disabling Bluetooth encryption
D) Using default PINs for pairing
β Answer: A) Requiring user authentication before allowing Bluetooth pairing
π Explanation: Unauthorized Bluetooth pairing can lead to device hijacking, data interception, and malicious remote access.
191. What mobile security risk arises from improper push notification handling?
A) Increased API response time
B) Leakage of sensitive information via exposed notifications
C) Reduced app installation time
D) Faster push message delivery
β Answer: B) Leakage of sensitive information via exposed notifications
π Explanation: Push notifications containing sensitive data (OTP, authentication codes, messages) can be viewed by unauthorized users if displayed on the lock screen.
192. What is an effective way to prevent reverse engineering of mobile applications?
A) Using code obfuscation and anti-tampering mechanisms
B) Removing authentication mechanisms
C) Allowing unrestricted debugging
D) Hardcoding sensitive information in the app
β Answer: A) Using code obfuscation and anti-tampering mechanisms
π Explanation: Code obfuscation makes reverse engineering difficult, and tamper detection can prevent unauthorized modifications.
193. How can mobile applications securely handle lost or stolen devices?
A) Implementing remote wipe and logout mechanisms
B) Allowing persistent authentication without expiration
C) Storing user passwords in plaintext
D) Disabling session timeouts
β Answer: A) Implementing remote wipe and logout mechanisms
π Explanation: Remote wipe and forced logout help protect user data when a device is lost or stolen.
194. What is the purpose of enforcing the SameSite attribute for cookies in mobile web apps?
A) Preventing Cross-Site Request Forgery (CSRF) attacks
B) Improving web page load speed
C) Reducing memory usage
D) Enhancing UI responsiveness
β Answer: A) Preventing Cross-Site Request Forgery (CSRF) attacks
π Explanation: SameSite cookies prevent CSRF attacks by restricting cross-site cookie access.
195. What is the main security risk of weak encryption key management in mobile apps?
A) Encryption keys can be stolen and used to decrypt sensitive data
B) Reduced API request latency
C) Improved authentication speed
D) Faster UI performance
β Answer: A) Encryption keys can be stolen and used to decrypt sensitive data
π Explanation: Weak key management (e.g., hardcoded keys) makes encrypted data vulnerable to brute-force attacks.
196. How can mobile applications prevent unauthorized clipboard access?
A) Automatically clearing clipboard data after sensitive operations
B) Storing clipboard data in external storage
C) Allowing unrestricted clipboard access
D) Keeping clipboard data indefinitely
β Answer: A) Automatically clearing clipboard data after sensitive operations
π Explanation: Attackers can read clipboard data, including passwords or authentication codes, if not properly managed.
197. What is the primary risk of allowing third-party keyboards in mobile apps?
A) Keylogging and unauthorized data collection
B) Higher CPU usage
C) Increased battery drain
D) Slower typing speed
β Answer: A) Keylogging and unauthorized data collection
π Explanation: Malicious keyboards can capture everything typed, including passwords, OTPs, and private messages.
198. How can mobile applications prevent unauthorized access to cached data?
A) Encrypting cache data and setting an expiration policy
B) Allowing unlimited caching of sensitive data
C) Storing cache data in plaintext
D) Keeping cache indefinitely
β Answer: A) Encrypting cache data and setting an expiration policy
π Explanation: Cached data may contain sensitive information. Encryption and automatic expiration prevent unauthorized access even if the device is compromised.
199. What security risk arises from improper handling of biometric fallback authentication?
A) Increased CPU usage
B) Attackers bypassing biometrics with weak fallback mechanisms (e.g., PINs or passwords)
C) Faster authentication speed
D) Reduced battery consumption
β Answer: B) Attackers bypassing biometrics with weak fallback mechanisms (e.g., PINs or passwords)
π Explanation: If biometric fallback mechanisms (e.g., PIN, password) are weak, attackers can bypass biometric authentication using brute-force or credential stuffing attacks.
200. What is a potential security risk of enabling auto-login functionality in mobile applications?
A) Faster app startup
B) Exposure to session hijacking and unauthorized access if the device is lost
C) Improved user experience
D) Increased battery drain
β Answer: B) Exposure to session hijacking and unauthorized access if the device is lost
π Explanation: Auto-login features that store authentication tokens persistently may allow attackers to gain access if a device is stolen or compromised.
201. What is an effective way to prevent Insecure Direct Object References (IDOR) in mobile applications?
A) Enforcing authorization checks on the server-side
B) Allowing unrestricted access to API resources
C) Using only client-side validation
D) Hardcoding user roles in the app
β Answer: A) Enforcing authorization checks on the server-side
π Explanation: IDOR vulnerabilities occur when users can directly access resources they shouldn't. Server-side authorization checks prevent unauthorized access.
202. What is the best security practice for handling cryptographic operations in a mobile app?
A) Using platform-provided secure storage for cryptographic keys (e.g., Android Keystore, iOS Secure Enclave)
B) Hardcoding encryption keys in the source code
C) Storing encrypted data in plaintext
D) Using deprecated cryptographic algorithms
β Answer: A) Using platform-provided secure storage for cryptographic keys (e.g., Android Keystore, iOS Secure Enclave)
π Explanation: Android Keystore and iOS Secure Enclave provide hardware-backed security to store and manage cryptographic keys securely.
203. How can mobile applications prevent unauthorized use of accessibility services for privilege escalation?
A) Restricting access to accessibility services and detecting abuse
B) Allowing all applications to use accessibility services
C) Disabling authentication mechanisms
D) Using only client-side validation
β Answer: A) Restricting access to accessibility services and detecting abuse
π Explanation: Malware and malicious apps can misuse accessibility services to perform privilege escalation attacks. Restricting access and monitoring abuse prevents exploitation.
204. What security risk is associated with failing to implement proper app update security mechanisms?
A) Faster app updates
B) Attackers distributing modified malicious app versions (e.g., downgrade attacks)
C) Improved API performance
D) Lower memory consumption
β Answer: B) Attackers distributing modified malicious app versions (e.g., downgrade attacks)
π Explanation: Secure app updates ensure that only legitimate, signed updates are applied, preventing attackers from replacing apps with malicious versions.
205. What security risk arises when an app uses weak session management practices?
A) Faster authentication speed
B) Session fixation and session hijacking attacks
C) Reduced UI responsiveness
D) Increased API request latency
β Answer: B) Session fixation and session hijacking attacks
π Explanation: Weak session management can allow attackers to steal or manipulate session tokens, leading to account takeovers and unauthorized access.