1. What is the primary security risk associated with Android applications using exported activities without proper permissions?
A) Increased battery consumption
B) Unauthorized access by other applications
C) Slower app performance
D) Inability to install updates
β Answer: B) Unauthorized access by other applications
π Explanation:
Androidβs exported attribute in the AndroidManifest.xml file determines whether an activity, service, or broadcast receiver is accessible by other apps. If an activity is exported without proper permissions, malicious apps can invoke it, leading to unauthorized access or data leakage. To prevent this, use permissions and intent filters.
2. What is a common security vulnerability in improperly configured WebViews in Android applications?
A) Remote Code Execution
B) Cross-Site Scripting (XSS)
C) SQL Injection
D) Stack Overflow
β Answer: B) Cross-Site Scripting (XSS)
π Explanation:
WebView allows applications to render web content inside Android apps. If JavaScript is enabled and untrusted input is loaded without sanitization, attackers can execute Cross-Site Scripting (XSS) attacks. This can lead to session hijacking, phishing, and sensitive data theft. Use setJavaScriptEnabled(false) and validate all inputs.
3. Which iOS security feature ensures applications are executed only if they are signed by a trusted entity?
A) Sandboxing
B) Code Signing
C) ASLR
D) App Transport Security (ATS)
β Answer: B) Code Signing
π Explanation:
iOS requires all applications to be code-signed with a valid certificate issued by Apple. This ensures that only trusted and authorized applications run on an iOS device. Without proper signing, apps cannot be installed or executed, preventing malware and unauthorized modifications.
4. What is the recommended approach to store sensitive user data securely in an Android application?
A) SharedPreferences
B) SQLite Database
C) External Storage
D) Android Keystore
β Answer: D) Android Keystore
π Explanation:
The Android Keystore system is designed to store cryptographic keys securely. Unlike SharedPreferences or SQLite, which can be accessed if an attacker gains root access, the Keystore API provides hardware-backed protection and ensures keys cannot be extracted from the device.
5. Which attack involves repackaging an Android app with malicious code and redistributing it?
A) Man-in-the-Middle (MitM) Attack
B) Reverse Engineering
C) Tapjacking
D) Trojanizing
β Answer: D) Trojanizing
π Explanation:
Trojanizing refers to modifying an existing application by injecting malicious code and redistributing it. Attackers reverse engineer an app using tools like APKTool, Smali, or JADX, add backdoors or keyloggers, and trick users into installing it from unofficial sources.
6. What is the purpose of iOS App Transport Security (ATS)?
A) Enforces secure network connections
B) Encrypts local storage
C) Prevents app tampering
D) Blocks malware from running
β Answer: A) Enforces secure network connections
π Explanation:
App Transport Security (ATS) enforces HTTPS-only connections in iOS applications. It prevents plaintext HTTP requests, mitigating Man-in-the-Middle (MitM) attacks. Developers can configure ATS settings in Info.plist.
7. Which tool is commonly used for reverse engineering Android applications?
A) Burp Suite
B) APKTool
C) Nikto
D) Wireshark
β Answer: B) APKTool
π Explanation:
APKTool is widely used to decompile, analyze, and modify Android applications. It helps in reconstructing AndroidManifest.xml, smali code, and resources for reverse engineering or security analysis.
8. What is the best security practice for handling API keys in mobile apps?
A) Hardcoding them in the source code
B) Storing them in SharedPreferences
C) Using a secure backend proxy
D) Embedding them in HTML files
β Answer: C) Using a secure backend proxy
π Explanation:
Hardcoding API keys in mobile apps exposes them to reverse engineering. Instead, use a secure backend proxy to handle API requests server-side, ensuring keys remain hidden from attackers.
9. What is the purpose of certificate pinning in mobile applications?
A) Preventing man-in-the-middle (MitM) attacks
B) Reducing app size
C) Improving app performance
D) Storing user passwords
β Answer: A) Preventing man-in-the-middle (MitM) attacks
π Explanation:
Certificate pinning ensures an app only trusts predefined certificates instead of the deviceβs root CA store. This prevents attackers from using fake SSL certificates to intercept encrypted communication via MitM attacks.
10. What is the role of SELinux in Android security?
A) Protects against reverse engineering
B) Controls access between applications and system resources
C) Encrypts network traffic
D) Detects malware
β Answer: B) Controls access between applications and system resources
π Explanation:
SELinux (Security-Enhanced Linux) enforces Mandatory Access Control (MAC) in Android. It restricts unauthorized interactions between apps and system components, preventing privilege escalation attacks.
11. Which of the following is a common security issue in improperly implemented biometric authentication in mobile apps?
A) High CPU usage
B) Bypassing authentication using replay attacks
C) Increased storage consumption
D) Slow performance
β Answer: B) Bypassing authentication using replay attacks
π Explanation:
If biometric authentication lacks liveness detection, attackers can replay captured biometric data to bypass authentication. Secure implementations should use encrypted challenge-response mechanisms.
12. Why should developers avoid using WebView for handling login pages?
A) WebView is slower than native authentication
B) WebView does not support HTTPS
C) It exposes users to phishing attacks
D) WebView cannot render login pages properly
β Answer: C) It exposes users to phishing attacks
π Explanation:
WebView does not provide the same security controls as a browser. If used for authentication, attackers can inject phishing pages to steal credentials. Instead, use OAuth with in-app browsers (e.g., Chrome Custom Tabs, SafariViewController).
12. Why should developers avoid using WebView for handling login pages?
A) WebView is slower than native authentication
B) WebView does not support HTTPS
C) It exposes users to phishing attacks
D) WebView cannot render login pages properly
β Answer: C) It exposes users to phishing attacks
π Explanation:
WebView does not provide the same security controls as a browser. If used for authentication, attackers can inject phishing pages to steal credentials. Instead, use OAuth with in-app browsers (e.g., Chrome Custom Tabs, SafariViewController).
13. What is the primary security risk associated with using external storage in Android?
A) Increased battery consumption
B) Slower file read/write operations
C) Unauthorized access by other applications
D) Loss of network connectivity
β Answer: C) Unauthorized access by other applications
π Explanation:
External storage in Android is not private to an application. Any app with READ/WRITE_EXTERNAL_STORAGE permission can access files stored there, leading to data leakage. Store sensitive data in internal storage or use the Android Keystore.
14. Which of the following is a common iOS application security vulnerability?
A) Unprotected Keychain storage
B) Lack of network connectivity
C) Inconsistent UI design
D) Incompatible with older iOS versions
β Answer: A) Unprotected Keychain storage
π Explanation:
The iOS Keychain securely stores credentials and sensitive data, but improper configurations (e.g., not setting the right accessibility levels) can allow attackers to extract sensitive data from a jailbroken device.
15. What is Tapjacking in Android applications?
A) A technique to inject ads into mobile apps
B) A security flaw allowing screen overlays to hijack clicks
C) A method to improve touchscreen accuracy
D) A form of keylogging attack
β Answer: B) A security flaw allowing screen overlays to hijack clicks
π Explanation:
Tapjacking involves an attacker placing an invisible UI overlay to trick users into tapping malicious elements unknowingly (e.g., granting permissions). To prevent it, use FLAG_SECURE in Android UI components.
16. How can developers prevent Reverse Engineering of Android applications?
A) Enabling JavaScript in WebView
B) Using ProGuard or R8 for code obfuscation
C) Hardcoding API keys in the source code
D) Storing sensitive data in SharedPreferences
β Answer: B) Using ProGuard or R8 for code obfuscation
π Explanation:
ProGuard and R8 obfuscate Java/Kotlin code, making it harder for attackers to reverse-engineer an APK. Combined with native code encryption and anti-debugging techniques, it strengthens app security.
17. What is the primary risk of using Firebase for mobile app authentication without proper security rules?
A) Increased app size
B) Exposure to unauthorized data access
C) Inability to handle multiple users
D) Slower authentication process
β Answer: B) Exposure to unauthorized data access
π Explanation:
Firebase uses Realtime Database and Firestore, and without proper security rules, attackers can modify or retrieve data by directly accessing Firebaseβs API endpoints. Always configure role-based access control (RBAC) and Firestore security rules.
18. Which security mechanism prevents an iOS application from accessing another app’s data?
A) ASLR (Address Space Layout Randomization)
B) Sandboxing
C) SSL Pinning
D) Keychain Encryption
β Answer: B) Sandboxing
π Explanation:
iOS Sandboxing enforces strict boundaries between apps, preventing data leaks and unauthorized access. Each app runs in an isolated environment, restricting it from accessing another appβs files, memory, or processes.
19. What is a common security risk in Android apps using deep linking without proper validation?
A) Increased CPU usage
B) Intent hijacking
C) Battery drain
D) Unnecessary API calls
β Answer: B) Intent hijacking
π Explanation:
Deep links allow external apps to launch specific activities inside an app. Without intent filtering and proper validation, attackers can exploit deep links to execute unauthorized actions within the application.
20. Which of the following security measures helps prevent SQL injection in mobile apps?
A) Hardcoding SQL queries
B) Using Prepared Statements and Parameterized Queries
C) Disabling input validation
D) Storing SQL queries in plaintext
β Answer: B) Using Prepared Statements and Parameterized Queries
π Explanation:
Parameterized queries prevent SQL injection by treating user inputs as data, not executable code. Avoid constructing SQL queries with string concatenation, which allows attackers to inject malicious SQL commands.
21. What type of attack does an attacker perform by modifying a mobile app’s network traffic in real-time?
A) Man-in-the-Middle (MitM) Attack
B) XSS Attack
C) SQL Injection
D) Clickjacking
β Answer: A) Man-in-the-Middle (MitM) Attack
π Explanation:
In a MitM attack, an attacker intercepts network traffic between a mobile app and its backend server. Unsecured HTTP traffic or weak TLS configurations can expose sensitive data. Always enforce HTTPS and use SSL Pinning.
22. What does Jailbreaking an iOS device allow attackers to do?
A) Reduce battery consumption
B) Bypass iOS security mechanisms
C) Improve device performance
D) Increase app installation speed
β Answer: B) Bypass iOS security mechanisms
π Explanation:
Jailbreaking removes Appleβs security restrictions, allowing users to install untrusted applications, modify system settings, and bypass security mechanisms like sandboxing and code signing.
23. What is the risk of using hardcoded encryption keys in mobile apps?
A) Increased app size
B) Keys can be extracted through reverse engineering
C) Improved encryption performance
D) Faster key retrieval
β Answer: B) Keys can be extracted through reverse engineering
π Explanation:
If encryption keys are hardcoded in mobile apps, attackers can extract them using static analysis tools like JADX or Hopper. Instead, store keys securely using Android Keystore or iOS Keychain.
24. What is the best practice for implementing biometric authentication in mobile apps?
A) Store biometric data in external storage
B) Use system-provided biometric APIs
C) Disable fallback authentication methods
D) Store biometric hashes in the database
β Answer: B) Use system-provided biometric APIs
π Explanation:
Both Android (BiometricPrompt API) and iOS (Face ID, Touch ID APIs) provide secure biometric authentication without exposing raw biometric data to the application.
25. Which of the following attacks can be prevented using App Transport Security (ATS) in iOS?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Man-in-the-Middle (MitM) Attacks
D) Clickjacking
β Answer: C) Man-in-the-Middle (MitM) Attacks
π Explanation:
ATS enforces HTTPS connections, preventing interception of network traffic by attackers attempting MitM attacks.
26. What is the best way to secure sensitive files stored locally in an iOS app?
A) Store files in NSUserDefaults
B) Use File Protection with NSFileProtectionComplete
C) Encrypt files using Base64 encoding
D) Store files in the app’s main bundle
β Answer: B) Use File Protection with NSFileProtectionComplete
π Explanation:
NSFileProtectionComplete ensures that files are encrypted when the device is locked, preventing unauthorized access.
27. What is a common risk associated with allowing WebView to load content from untrusted sources?
A) Performance degradation
B) WebView layout issues
C) Remote Code Execution (RCE)
D) Inability to update the app
β Answer: C) Remote Code Execution (RCE)
π Explanation:
Allowing untrusted sources in WebView without proper restrictions exposes the app to RCE attacks via malicious JavaScript injection or exploiting vulnerabilities in the WebView component. Disable JavaScript unless necessary and use input validation.
28. Which mobile security risk can occur due to improper implementation of OAuth in apps?
A) Keylogging
B) Token leakage and session hijacking
C) Screen flickering
D) Increased network latency
β Answer: B) Token leakage and session hijacking
π Explanation:
If OAuth tokens are stored insecurely (e.g., in SharedPreferences or local storage) or exposed in URLs, attackers can steal them and hijack user sessions. Always use secure token storage (Keychain/Keystore) and implement short-lived access tokens with refresh tokens.
29. What security risk can arise if an Android app does not enforce permissions for accessing broadcast receivers?
A) Unauthorized message interception
B) Slower app launch times
C) Battery drainage
D) Increased memory usage
β Answer: A) Unauthorized message interception
π Explanation:
If a broadcast receiver is publicly accessible without permission enforcement, attackers can send malicious intents or eavesdrop on sensitive broadcasts. Always restrict broadcast receivers with proper permissions.
30. What is a major security issue in improperly implemented session management in mobile apps?
A) The app fails to connect to the server
B) Sessions remain active indefinitely, leading to account takeover
C) The app consumes more storage
D) The app’s UI becomes unresponsive
β Answer: B) Sessions remain active indefinitely, leading to account takeover
π Explanation:
If an app does not expire sessions properly, an attacker who obtains an old session token can reuse it to access user accounts. Implement short session lifetimes, automatic expiration, and secure token revocation mechanisms.
31. What is the best practice for encrypting sensitive data in mobile applications?
A) Use hardcoded encryption keys
B) Use symmetric encryption with a hardcoded IV
C) Use AES encryption with a randomly generated key stored securely
D) Encrypt data using base64 encoding
β Answer: C) Use AES encryption with a randomly generated key stored securely
π Explanation:
Always use AES encryption (AES-256 preferred) with a randomly generated key. Store keys in Android Keystore/iOS Keychain instead of hardcoding them, ensuring secure encryption.
32. What is the main security risk of allowing Android apps to use the debuggable flag in production?
A) The app may crash more frequently
B) Attackers can attach a debugger and extract sensitive information
C) The app runs slower
D) It prevents app updates from being installed
β Answer: B) Attackers can attach a debugger and extract sensitive information
π Explanation:
If android:debuggable="true" is left enabled in production, attackers can attach a debugger, inspect memory, modify app behavior, and bypass security controls. Always disable debugging before releasing the app.
33. What is the primary purpose of iOS entitlements in app security?
A) Grant apps access to specific system features securely
B) Reduce app size
C) Improve battery performance
D) Speed up app execution
β Answer: A) Grant apps access to specific system features securely
π Explanation:
iOS entitlements control access to restricted system features (e.g., Keychain, Push Notifications, Background Tasks). Apps must declare entitlements explicitly and sign them to ensure only trusted apps get access.
34. What type of security vulnerability occurs when an attacker manipulates an insecure API request to gain unauthorized access?
A) Cross-Site Scripting (XSS)
B) API Parameter Tampering
C) Phishing
D) Clickjacking
β Answer: B) API Parameter Tampering
π Explanation:
API Parameter Tampering occurs when attackers modify API request parameters (e.g., changing a user ID to access another user’s data). To prevent this, use proper authentication, access controls, and request validation.
35. How can developers prevent Side-Channel Attacks on mobile applications?
A) By reducing app permissions
B) By using constant-time cryptographic operations
C) By disabling HTTPS
D) By allowing background execution
β Answer: B) By using constant-time cryptographic operations
π Explanation:
Side-channel attacks exploit timing differences or power consumption patterns to extract cryptographic keys. Implement constant-time cryptographic algorithms to mitigate such attacks.
36. Which technique can prevent insecure deserialization attacks in mobile applications?
A) Using plaintext storage for objects
B) Validating and sanitizing deserialized input
C) Hardcoding serialized objects
D) Encrypting all serialized data
β Answer: B) Validating and sanitizing deserialized input
π Explanation:
Insecure deserialization allows attackers to inject malicious objects into the app’s serialized data, leading to Remote Code Execution (RCE). Always validate deserialized objects and avoid using eval() or dynamic execution.
37. What is the main purpose of enforcing Secure Boot on mobile devices?
A) Speeding up app execution
B) Ensuring only trusted firmware and OS are loaded
C) Reducing battery consumption
D) Preventing unauthorized app installations
β Answer: B) Ensuring only trusted firmware and OS are loaded
π Explanation:
Secure Boot ensures that only cryptographically signed and verified firmware, OS, and bootloaders are executed. This prevents malware or modified system images from compromising the device.
38. What is a key advantage of using Firebase App Check in mobile security?
A) It prevents app crashes
B) It verifies that requests come from genuine mobile apps
C) It reduces app file size
D) It speeds up database queries
β Answer: B) It verifies that requests come from genuine mobile apps
π Explanation:
Firebase App Check prevents API abuse by verifying requests originate from a legitimate instance of the app, reducing the risk of unauthorized access and bot attacks.
39. What is a common security misconfiguration that allows attackers to steal credentials from an iOS app?
A) Using improper Keychain access controls
B) Storing credentials in an encrypted SQLite database
C) Using strong passwords for authentication
D) Implementing biometric authentication
β Answer: A) Using improper Keychain access controls
π Explanation:
If Keychain access controls are too permissive (kSecAttrAccessibleAlways instead of kSecAttrAccessibleWhenUnlocked), sensitive credentials may be accessible when the device is locked, leading to data theft.
40. What is a common risk when using third-party SDKs in mobile applications?
A) Slower app startup
B) Increased app download size
C) Introduction of security vulnerabilities
D) Increased RAM usage
β Answer: C) Introduction of security vulnerabilities
π Explanation:
Third-party SDKs may contain security flaws, track user data without consent, or introduce malware. Always use trusted sources, review SDK permissions, and keep them updated.
41. What is the main security risk of exposing an Android content provider without proper permissions?
A) Unauthorized access to sensitive data
B) Increased battery consumption
C) Inability to update the application
D) Slower database transactions
β Answer: A) Unauthorized access to sensitive data
π Explanation:
If an Android ContentProvider is exposed without proper permission enforcement, malicious applications can access and manipulate database records stored by the application. Always restrict access with appropriate permissions and use android:exported="false" if external access is not needed.
42. Which of the following is an effective way to prevent Clickjacking attacks in mobile apps?
A) Using CAPTCHA
B) Disabling third-party keyboard access
C) Implementing FLAG_SECURE in Android
D) Enabling dark mode in the app
β
Answer: C) Implementing FLAG_SECURE in Android
π Explanation:
Clickjacking is a UI redressing attack where an attacker overlays a malicious UI over a legitimate one. The FLAG_SECURE setting prevents screen overlay attacks and ensures that screens cannot be captured or manipulated.
43. What is the risk of allowing WebView to access local files (file:// URI scheme)?
A) Faster page rendering
B) Increased app size
C) Local File Inclusion (LFI) vulnerability
D) Improved user experience
β Answer: C) Local File Inclusion (LFI) vulnerability
π Explanation:
Allowing WebView to load local files (file://) can expose sensitive system files to attackers through Local File Inclusion (LFI) attacks, enabling data theft or remote execution.
44. Which of the following is a secure practice for session management in mobile apps?
A) Storing session tokens in SharedPreferences
B) Using long-lived access tokens without expiration
C) Storing session tokens in Secure Storage (Keystore/Keychain)
D) Hardcoding session tokens in the app
β Answer: C) Storing session tokens in Secure Storage (Keystore/Keychain)
π Explanation:
Session tokens should be securely stored using Android Keystore or iOS Keychain. Storing them in SharedPreferences is risky because attackers can extract them if the device is compromised.
45. Which attack exploits insecure direct object references (IDOR) in mobile applications?
A) Bypassing authentication and accessing unauthorized user data
B) Injecting malicious SQL queries
C) Capturing keystrokes from a userβs device
D) Spoofing GPS location
β Answer: A) Bypassing authentication and accessing unauthorized user data
π Explanation:
IDOR (Insecure Direct Object Reference) occurs when an application exposes internal object references (e.g., user IDs) without proper access controls, allowing an attacker to access another userβs data by modifying parameters.
46. What is the best way to prevent attackers from tampering with an Android appβs package?
A) Using ProGuard and code obfuscation
B) Storing sensitive data in external storage
C) Allowing unsigned APK installations
D) Reducing app permissions
β Answer: A) Using ProGuard and code obfuscation
π Explanation:
ProGuard, R8, and code obfuscation make it difficult for attackers to decompile and modify an APK. Additional security measures like app integrity checks and signing with Google Play Signing further protect against tampering.
47. What is the risk of using weak hashing algorithms like MD5 or SHA-1 for password storage in mobile apps?
A) Increased CPU usage
B) Vulnerability to brute-force attacks
C) Slower user authentication
D) Poor user experience
β Answer: B) Vulnerability to brute-force attacks
π Explanation:
MD5 and SHA-1 are cryptographically weak and vulnerable to rainbow table and brute-force attacks. Always use bcrypt, PBKDF2, or Argon2 with a salt for secure password storage.
48. What is the impact of using weak TLS versions (e.g., TLS 1.0) in mobile apps?
A) Enhanced encryption
B) Resistance to attacks
C) Exposure to cryptographic vulnerabilities
D) Improved performance
β Answer: C) Exposure to cryptographic vulnerabilities
π Explanation:
TLS 1.0 and TLS 1.1 contain known vulnerabilities like BEAST and POODLE attacks. Use TLS 1.2 or TLS 1.3 with strong ciphers for secure communication.
49. How can developers prevent screen recording and screenshot capture of sensitive screens in Android apps?
A) Enable WebView debugging
B) Use FLAG_SECURE in the activity window
C) Store passwords in plaintext
D) Allow all apps to access the screen
β
Answer: B) Use FLAG_SECURE in the activity window
π Explanation:
Using FLAG_SECURE in Android prevents screenshots and screen recording, protecting sensitive information from unauthorized capture.
50. Why should biometric authentication in mobile apps always have a fallback mechanism?
A) Biometric systems can fail due to hardware or environmental factors
B) It makes the app more user-friendly
C) It improves biometric recognition speed
D) It allows the user to switch biometric data
β Answer: A) Biometric systems can fail due to hardware or environmental factors
π Explanation:
Biometric systems may fail due to fingerprint sensor malfunctions, poor lighting for facial recognition, or user injuries. Providing a fallback authentication method (e.g., PIN, password) ensures accessibility.
51. What is the security risk of using dynamically loaded code (DexClassLoader) in Android?
A) Increased memory usage
B) Performance optimization
C) Code injection and Remote Code Execution (RCE)
D) Improved app flexibility
β Answer: C) Code injection and Remote Code Execution (RCE)
π Explanation:
Loading dynamic code at runtime (DexClassLoader) allows attackers to inject malicious code, leading to Remote Code Execution (RCE). Always verify and restrict dynamic code loading.
52. Which of the following iOS security mechanisms prevents access to sensitive memory areas?
A) Keychain
B) Address Space Layout Randomization (ASLR)
C) Secure Boot
D) TLS Pinning
β Answer: B) Address Space Layout Randomization (ASLR)
π Explanation:
ASLR randomizes memory addresses, making it harder for attackers to predict memory locations, thereby mitigating buffer overflow and memory corruption attacks.
53. What is a risk of failing to implement proper CORS (Cross-Origin Resource Sharing) policies in mobile apps?
A) Network latency
B) Cross-Site Request Forgery (CSRF) attacks
C) Reduced app performance
D) Battery drainage
β Answer: B) Cross-Site Request Forgery (CSRF) attacks
π Explanation:
Weak CORS policies can allow attackers to send unauthorized API requests on behalf of an authenticated user, leading to CSRF attacks.
54. Why should developers avoid using hardcoded credentials in mobile apps?
A) They make the app larger
B) Attackers can extract credentials using reverse engineering
C) They slow down authentication
D) They consume extra CPU power
β Answer: B) Attackers can extract credentials using reverse engineering
π Explanation:
Hardcoded credentials can be extracted using decompilers like JADX or Hopper, leading to API key leakage and unauthorized access. Always store credentials securely in a backend server.
55. How does a Secure Enclave in iOS protect sensitive data?
A) By using a separate hardware-based encryption module
B) By storing data in the cloud
C) By compressing data for security
D) By encrypting all images in an app
β Answer: A) By using a separate hardware-based encryption module
π Explanation:
The Secure Enclave is a hardware-based secure area in iOS that isolates cryptographic operations, preventing unauthorized access even if the main OS is compromised.
56. What is the primary security risk of improper cryptographic key management in mobile apps?
A) Keys can be exposed and used for data decryption by attackers
B) The app may run slower
C) Users may experience increased battery consumption
D) The app may fail to connect to the network
β Answer: A) Keys can be exposed and used for data decryption by attackers
π Explanation:
If cryptographic keys are hardcoded, stored in plaintext, or not securely managed, attackers can extract them through reverse engineering, leading to data breaches. Always use Android Keystore/iOS Keychain for secure storage.
57. Which of the following measures helps prevent unauthorized app repackaging and redistribution?
A) Using HTTPS for API communication
B) Enforcing application signing with a digital signature
C) Storing sensitive information in SharedPreferences
D) Using JSON Web Tokens (JWT)
β Answer: B) Enforcing application signing with a digital signature
π Explanation:
Signing an app with a digital certificate ensures its integrity and authenticity. If an attacker attempts to modify and repackage the app, the signature becomes invalid, helping detect tampering.
58. What is a major security risk when an Android app is granted excessive permissions?
A) Slower app performance
B) Increased power consumption
C) Potential exploitation by malware
D) Difficulty in updating the app
β Answer: C) Potential exploitation by malware
π Explanation:
Excessive permissions increase attack surfaces for malware or rogue applications. Follow the principle of least privilege (PoLP) to request only necessary permissions.
59. How can developers prevent side-loading of malicious APKs on Android devices?
A) Allow installation only from the Google Play Store
B) Use multiple analytics SDKs
C) Remove unused resources in the APK
D) Enable background service execution
β Answer: A) Allow installation only from the Google Play Store
π Explanation:
Allowing installation from unknown sources increases the risk of malicious APK installations. Organizations can enforce security policies using Mobile Device Management (MDM).
60. Which security mechanism prevents an attacker from tampering with sensitive app data at runtime?
A) Root detection and anti-tampering checks
B) Using an SQLite database
C) Hardcoding API endpoints
D) Encrypting user interface elements
β Answer: A) Root detection and anti-tampering checks
π Explanation:
Attackers often modify mobile apps using tools like Frida or Magisk. Implementing root detection, checksum validation, and integrity verification helps prevent runtime tampering.
61. What is the purpose of using HSTS (HTTP Strict Transport Security) in mobile applications?
A) To enable faster TLS handshakes
B) To enforce the use of HTTPS and prevent downgrade attacks
C) To reduce API request latency
D) To improve app performance
β Answer: B) To enforce the use of HTTPS and prevent downgrade attacks
π Explanation:
HSTS ensures that browsers and mobile apps always use HTTPS, preventing SSL stripping attacks that force unencrypted HTTP connections.
62. Which of the following attacks can occur if a mobile app improperly implements OAuth authentication?
A) Open Redirect attack
B) Integer Overflow attack
C) Denial-of-Service (DoS) attack
D) XML Injection attack
β Answer: A) Open Redirect attack
π Explanation:
If OAuth redirect URIs are not properly validated, attackers can exploit Open Redirect vulnerabilities to steal access tokens or redirect users to phishing sites.
63. What is the main risk of using weak password policies in mobile apps?
A) Increased app storage usage
B) Higher server costs
C) Increased likelihood of brute-force attacks
D) Slower user authentication
β Answer: C) Increased likelihood of brute-force attacks
π Explanation:
Weak password policies (e.g., short passwords, no complexity requirements) make it easier for attackers to brute-force or guess user credentials. Enforce strong password policies and implement rate-limiting mechanisms.
64. How can developers protect sensitive data stored in SQLite databases on mobile devices?
A) Store the database file in external storage
B) Use SQLCipher for encryption
C) Remove table indexes
D) Use large primary keys
β Answer: B) Use SQLCipher for encryption
π Explanation:
SQLite databases store plaintext data by default. SQLCipher encrypts SQLite database files, ensuring that data remains protected even if the database is extracted.
65. Which iOS security feature prevents unsigned or modified code from running on the device?
A) Data Execution Prevention (DEP)
B) App Transport Security (ATS)
C) Code Signing
D) Biometric Authentication
β Answer: C) Code Signing
π Explanation:
Apple enforces code signing to ensure that only trusted applications run on iOS devices, preventing malicious or unauthorized code execution.
66. Why is it important to restrict clipboard access in mobile applications?
A) To improve user experience
B) To prevent unauthorized access to copied sensitive data
C) To reduce memory consumption
D) To optimize app performance
β Answer: B) To prevent unauthorized access to copied sensitive data
π Explanation:
If sensitive data (e.g., passwords, OTPs) is copied to the clipboard, other applications may read or steal it. To prevent this, clear sensitive clipboard data after a short duration.
67. What is the impact of an insecure API endpoint used by a mobile application?
A) API response time improves
B) Attackers can exploit it to perform unauthorized actions
C) The app loads faster
D) It consumes less network bandwidth
β Answer: B) Attackers can exploit it to perform unauthorized actions
π Explanation:
Insecure API endpoints that lack authentication and proper access controls allow attackers to steal user data, modify account settings, or perform unintended actions.
68. How can developers prevent phishing attacks in mobile applications?
A) Use WebView for login authentication
B) Implement domain whitelisting and avoid loading unknown URLs
C) Allow users to enter credentials in embedded iFrames
D) Store user passwords in plaintext
β Answer: B) Implement domain whitelisting and avoid loading unknown URLs
π Explanation:
Phishing attacks trick users into entering credentials on malicious websites. Prevent this by whitelisting trusted domains, warning users about untrusted links, and enforcing secure authentication methods.
69. What is a security risk when enabling JavaScript in WebView without restrictions?
A) Increased power consumption
B) Exposure to Cross-Site Scripting (XSS) attacks
C) Improved page rendering speed
D) Larger app download size
β Answer: B) Exposure to Cross-Site Scripting (XSS) attacks
π Explanation:
JavaScript in WebView can execute malicious scripts if untrusted content is loaded, leading to XSS attacks, data theft, and remote code execution.
70. What is the best approach to protect sensitive data in push notifications?
A) Encrypt the message payload before sending
B) Include user passwords in push notifications
C) Store push notification messages in local storage
D) Send sensitive data directly in plaintext
β Answer: A) Encrypt the message payload before sending
π Explanation:
Push notifications travel over external servers and may be exposed to interception. Always encrypt sensitive data before sending and avoid including confidential information in push notifications.
71. What is a security risk of allowing Android apps to run in rooted environments?
A) The app consumes more RAM
B) The app may execute faster
C) Attackers can bypass security mechanisms and access sensitive data
D) Users may experience longer app launch times
β Answer: C) Attackers can bypass security mechanisms and access sensitive data
π Explanation:
Rooted devices bypass Androidβs security model, allowing attackers to access protected files, modify system settings, and run unauthorized apps. Implement root detection and block execution on compromised devices when necessary.
72. What is the main security risk of using third-party keyboards on mobile devices?
A) Increased latency in typing
B) Unintended data collection or keystroke logging
C) Reduced storage availability
D) Higher battery consumption
β Answer: B) Unintended data collection or keystroke logging
π Explanation:
Third-party keyboards may log and transmit keystrokes, potentially exposing passwords, credit card details, and sensitive data. Avoid allowing input of sensitive data in fields when third-party keyboards are active.
73. How can developers prevent Intent Spoofing in Android applications?
A) By enabling JavaScript in WebView
B) By setting proper Intent filters and permissions
C) By using plaintext API requests
D) By hardcoding encryption keys in the app
β Answer: B) By setting proper Intent filters and permissions
π Explanation:
Intent Spoofing occurs when an attacker sends malicious intents to an application that does not properly verify them. Developers should set permissions and filter incoming intents to prevent unauthorized access.
74. Which technique helps protect mobile applications from memory-based exploits?
A) Base64 encoding sensitive data
B) Address Space Layout Randomization (ASLR)
C) Using large database indexes
D) Increasing RAM usage
β Answer: B) Address Space Layout Randomization (ASLR)
π Explanation:
ASLR randomizes memory locations for system and application components, making it difficult for attackers to predict and exploit memory addresses.
75. What is the purpose of using Secure Remote Password (SRP) protocol in mobile authentication?
A) To prevent password cracking attacks
B) To enable automatic login
C) To reduce app storage size
D) To improve UI responsiveness
β Answer: A) To prevent password cracking attacks
π Explanation:
SRP is a zero-knowledge proof-based authentication method that prevents attackers from intercepting or guessing passwords, even if network traffic is compromised.
76. Why should mobile applications avoid using static secret keys in source code?
A) It increases app startup time
B) Keys can be extracted through reverse engineering
C) It makes the app larger
D) It improves app performance
β Answer: B) Keys can be extracted through reverse engineering
π Explanation:
Static API keys, encryption keys, or tokens in the source code can be easily extracted using decompilers (e.g., JADX, Hopper). Instead, use secure key management solutions like Keystore (Android) or Secure Enclave (iOS).
77. What is a common method to detect jailbroken iOS devices in an application?
A) Checking for the presence of Cydia or other jailbreaking tools
B) Measuring the screen brightness
C) Disabling biometric authentication
D) Enabling location tracking
β Answer: A) Checking for the presence of Cydia or other jailbreaking tools
π Explanation:
Jailbreak detection can be done by checking for Cydia, unauthorized file system access, or modification of system binaries. However, advanced jailbreaks may bypass detection mechanisms.
78. What is a potential security issue with implementing autofill functionality in mobile apps?
A) It increases app memory usage
B) It may expose sensitive user data to malicious apps
C) It slows down authentication speed
D) It consumes additional network bandwidth
β Answer: B) It may expose sensitive user data to malicious apps
π Explanation:
Autofill can store and retrieve sensitive credentials, which malicious apps or unauthorized users might exploit. Always ensure secure autofill implementation and use OS-provided secure credential storage.
79. What is the best practice for handling sensitive logs in mobile apps?
A) Encrypt logs before storing them
B) Send logs in plaintext to a remote server
C) Store logs indefinitely for debugging purposes
D) Allow users to export logs
β Answer: A) Encrypt logs before storing them
π Explanation:
Logs may contain sensitive information, including tokens, user data, and debug messages. Always encrypt logs, avoid storing sensitive information, and clear logs periodically.
80. What is the role of Secure Boot in mobile security?
A) It prevents unauthorized firmware or OS modifications
B) It optimizes battery life
C) It speeds up app execution
D) It reduces network latency
β Answer: A) It prevents unauthorized firmware or OS modifications
π Explanation:
Secure Boot ensures that only cryptographically signed and verified system components (bootloader, OS) are loaded, preventing malicious tampering.
81. What is the risk of allowing applications to run background services without proper restrictions?
A) Increased app responsiveness
B) Higher risk of data exfiltration and malware persistence
C) Improved battery performance
D) Reduced CPU usage
β Answer: B) Higher risk of data exfiltration and malware persistence
π Explanation:
Background services can operate without user awareness, potentially stealing data or performing malicious actions. Implement strict background execution policies to prevent abuse.
82. What security mechanism ensures only specific applications can access a mobile app’s APIs?
A) API Key whitelisting and OAuth authentication
B) Storing API credentials in SharedPreferences
C) Allowing all network requests from any source
D) Using unsigned certificates for API requests
β Answer: A) API Key whitelisting and OAuth authentication
π Explanation:
API key whitelisting and OAuth authentication restrict access to only authorized applications, preventing API abuse and unauthorized data access.
83. What is the risk of using deep links without proper validation?
A) The app may crash more frequently
B) It can lead to URL manipulation and unauthorized access
C) It increases app startup time
D) The app may consume more memory
β Answer: B) It can lead to URL manipulation and unauthorized access
π Explanation:
Deep links allow external applications or attackers to trigger app actions if they are not properly validated, leading to unauthorized access or exploits.
84. What is a key method to prevent MITM (Man-in-the-Middle) attacks in mobile applications?
A) Implementing SSL/TLS certificate pinning
B) Using plain HTTP for faster requests
C) Allowing self-signed certificates
D) Disabling network encryption
β Answer: A) Implementing SSL/TLS certificate pinning
π Explanation:
Certificate pinning ensures that the app only trusts specific certificates, preventing attackers from using fake certificates to intercept encrypted communications.
85. How can developers ensure that mobile apps do not expose sensitive data in notifications?
A) Encrypt push notification payloads
B) Use larger font sizes in notifications
C) Disable notifications completely
D) Store notifications in external databases
β Answer: A) Encrypt push notification payloads
π Explanation:
Push notifications can be intercepted if not encrypted. Encrypt sensitive data before transmission, and avoid displaying private information in notifications.
86. What is a primary security risk when mobile applications store authentication tokens in local storage?
A) Increased network latency
B) Exposure to token theft through malware or unauthorized access
C) Reduced app startup time
D) Decreased battery consumption
β Answer: B) Exposure to token theft through malware or unauthorized access
π Explanation:
Storing authentication tokens in local storage (e.g., SharedPreferences, UserDefaults) exposes them to malware and reverse engineering attacks. Always store tokens in secure storage mechanisms like Android Keystore or iOS Keychain.
87. What is the recommended approach for implementing two-factor authentication (2FA) in mobile applications?
A) Sending OTPs via SMS without any additional verification
B) Using Time-based One-Time Passwords (TOTP) or hardware tokens
C) Storing static 2FA codes in the app
D) Using security questions as the only second factor
β Answer: B) Using Time-based One-Time Passwords (TOTP) or hardware tokens
π Explanation:
TOTP-based 2FA (e.g., Google Authenticator, Authy) is more secure than SMS-based 2FA, which is vulnerable to SIM swapping and interception.
88. What security risk arises from enabling Android debugging in production apps?
A) Reduced app performance
B) Exposure to sensitive information through logcat and debugging tools
C) Inability to update the app
D) Faster execution of API calls
β Answer: B) Exposure to sensitive information through logcat and debugging tools
π Explanation:
If debugging is enabled (android:debuggable="true") in a production app, attackers can attach a debugger, extract sensitive data, and modify app behavior.
89. How can developers prevent unauthorized access to mobile application databases?
A) Encrypting database files using SQLCipher
B) Allowing unrestricted database access
C) Using SQLite without encryption
D) Storing database files in external storage
β Answer: A) Encrypting database files using SQLCipher
π Explanation:
By default, SQLite databases store plaintext data. SQLCipher encrypts database files, ensuring protection against unauthorized access and reverse engineering.
90. What is the best way to prevent API abuse in mobile applications?
A) Implementing rate limiting and API authentication mechanisms
B) Allowing all requests without authentication
C) Hardcoding API keys in the mobile app
D) Using API keys without any restrictions
β Answer: A) Implementing rate limiting and API authentication mechanisms
π Explanation:
API abuse occurs when attackers exploit unrestricted API calls. Implement rate limiting, API authentication (OAuth, JWT), and IP whitelisting to prevent abuse.
91. Why should mobile applications avoid using third-party libraries from unverified sources?
A) They may introduce security vulnerabilities or malicious code
B) They can increase app startup time
C) They consume additional storage
D) They slow down network requests
β Answer: A) They may introduce security vulnerabilities or malicious code
π Explanation:
Unverified third-party libraries may contain security flaws or malware, allowing attackers to steal user data or execute remote code.
92. What is the purpose of implementing biometric fallback authentication in mobile applications?
A) To ensure users have an alternative if biometric authentication fails
B) To improve the performance of biometric authentication
C) To make the app faster
D) To store biometric data in local storage
β Answer: A) To ensure users have an alternative if biometric authentication fails
π Explanation:
Biometric authentication may fail due to hardware issues or environmental conditions. Implementing a secure fallback method (PIN, password) ensures users can still access their accounts securely.
93. What is the risk of failing to validate user input in mobile applications?
A) Increased memory usage
B) Vulnerability to SQL injection, XSS, and command injection attacks
C) Reduced app responsiveness
D) Increased network bandwidth usage
β Answer: B) Vulnerability to SQL injection, XSS, and command injection attacks
π Explanation:
Unvalidated input can allow attackers to inject malicious SQL queries, execute scripts (XSS), or perform arbitrary command execution, compromising security.
94. What is a secure way to handle sensitive information in push notifications?
A) Avoid sending sensitive data in push notifications
B) Store notification messages in external storage
C) Allow all applications to read notifications
D) Use simple plaintext messages without encryption
β Answer: A) Avoid sending sensitive data in push notifications
π Explanation:
Push notifications can be intercepted if not secured properly. Avoid sending sensitive data (e.g., passwords, authentication tokens, personal information) in notifications.
95. What is the main purpose of implementing session timeout in mobile applications?
A) To reduce memory consumption
B) To prevent unauthorized access to inactive sessions
C) To improve app performance
D) To enable faster user authentication
β Answer: B) To prevent unauthorized access to inactive sessions
π Explanation:
Session timeouts help automatically log out users after inactivity, preventing unauthorized access if a device is lost or left unattended.
96. How can developers prevent unauthorized modifications to an Android applicationβs APK?
A) Implementing application integrity checks and verifying digital signatures
B) Allowing installation from unknown sources
C) Storing sensitive data in external storage
D) Using larger APK file sizes
β Answer: A) Implementing application integrity checks and verifying digital signatures
π Explanation:
APK modifications can alter app behavior or insert malicious code. Enforcing app integrity checks and verifying digital signatures prevents tampering.
97. What is the impact of failing to secure inter-process communication (IPC) in Android applications?
A) Increased network traffic
B) Unauthorized access to sensitive data by other applications
C) Decreased app startup time
D) Improved API response time
β Answer: B) Unauthorized access to sensitive data by other applications
π Explanation:
Insecure IPC allows malicious applications to send or intercept sensitive data between app components. Use permissions and cryptographic signing to secure IPC.
98. How can mobile applications prevent replay attacks?
A) Implementing nonce values and timestamp-based authentication
B) Using static tokens for authentication
C) Hardcoding credentials in the app
D) Allowing unlimited login attempts
β Answer: A) Implementing nonce values and timestamp-based authentication
π Explanation:
Replay attacks occur when attackers capture and reuse authentication requests. Using nonces (one-time random values) and timestamp verification prevents replay attacks.
99. What is the purpose of enforcing Content Security Policy (CSP) in mobile WebView components?
A) To prevent XSS and other client-side injection attacks
B) To allow unrestricted loading of external content
C) To improve network speed
D) To increase WebView performance
β Answer: A) To prevent XSS and other client-side injection attacks
π Explanation:
CSP helps prevent Cross-Site Scripting (XSS) by restricting the sources from which scripts, styles, and other content can be loaded in WebView.
100. Why is it important to disable clipboard pasting for sensitive fields (e.g., passwords, PINs) in mobile applications?
A) To prevent accidental data leaks through the clipboard
B) To reduce app memory usage
C) To improve UI performance
D) To increase the appβs load time
β Answer: A) To prevent accidental data leaks through the clipboard
π Explanation:
Sensitive data copied to the clipboard can be accessed by other apps or remain in memory, leading to data leaks or unauthorized access. Disable clipboard pasting for password and PIN fields.
101. What is a common risk associated with exporting Android activities in the manifest file without proper restrictions?
A) Increased app size
B) Unauthorized access and activity hijacking
C) Faster app performance
D) Reduced storage consumption
β Answer: B) Unauthorized access and activity hijacking
π Explanation:
If an Android activity is exported without proper restrictions (android:exported="true"), other apps can launch it without permission, leading to unauthorized access and security risks.
102. How can developers ensure secure offline storage of sensitive data in mobile applications?
A) Store sensitive data in plaintext in local databases
B) Use AES encryption and store keys securely in Keystore/Keychain
C) Save sensitive data in external storage for easy access
D) Keep credentials in SharedPreferences
β Answer: B) Use AES encryption and store keys securely in Keystore/Keychain
π Explanation:
Sensitive data should never be stored in plaintext. Always encrypt it using AES-256 encryption and store cryptographic keys in Android Keystore or iOS Keychain.
103. What is the purpose of implementing runtime application self-protection (RASP) in mobile security?
A) To optimize app performance
B) To detect and block runtime attacks in real-time
C) To reduce battery consumption
D) To improve UI animations
β Answer: B) To detect and block runtime attacks in real-time
π Explanation:
RASP monitors an applicationβs runtime behavior and prevents exploits such as code injection, tampering, and reverse engineering attacks.
104. What is the primary risk of using an insecure third-party SDK in a mobile application?
A) It may increase the app size
B) It may introduce malware or data leakage
C) It may slow down API requests
D) It may reduce battery life
β Answer: B) It may introduce malware or data leakage
π Explanation:
Unverified SDKs can contain malicious code that sends sensitive user data to unauthorized servers. Always verify and audit third-party SDKs before integrating them.
105. How can developers protect sensitive information in network traffic for mobile applications?
A) By using TLS 1.2 or TLS 1.3 encryption
B) By sending data in plaintext for faster transmission
C) By allowing self-signed SSL certificates
D) By using unencrypted HTTP connections
β Answer: A) By using TLS 1.2 or TLS 1.3 encryption
π Explanation:
Using strong TLS encryption prevents Man-in-the-Middle (MitM) attacks and ensures that network communication remains confidential.
106. What is the main purpose of sandboxing in mobile security?
A) To prevent apps from accessing unauthorized system resources
B) To improve app performance
C) To optimize battery life
D) To reduce app load times
β Answer: A) To prevent apps from accessing unauthorized system resources
π Explanation:
Sandboxing isolates applications from each other and the system, preventing malware or rogue apps from accessing sensitive system resources.
107. Why should mobile applications avoid storing passwords in plaintext?
A) Plaintext storage allows easy access for the user
B) Plaintext storage makes password recovery easier
C) Attackers can easily extract credentials if the device is compromised
D) It reduces the appβs memory usage
β Answer: C) Attackers can easily extract credentials if the device is compromised
π Explanation:
Passwords must be stored securely using salted hashing algorithms like bcrypt, PBKDF2, or Argon2 to prevent credential theft.
108. How can mobile applications prevent replay attacks?
A) Implementing nonce values and timestamp-based authentication
B) Storing user authentication tokens indefinitely
C) Allowing API requests without validation
D) Disabling session expiration
β Answer: A) Implementing nonce values and timestamp-based authentication
π Explanation:
Replay attacks involve reusing intercepted requests. Using one-time nonces and timestamp-based validation prevents attackers from replaying old requests.
109. What security measure can prevent an attacker from modifying a mobile appβs binary file?
A) Implementing code obfuscation and integrity checks
B) Using larger application sizes
C) Enabling app debugging in production
D) Allowing installation from unknown sources
β Answer: A) Implementing code obfuscation and integrity checks
π Explanation:
Obfuscation makes reverse engineering harder, and integrity checks help detect if an appβs binary has been modified or tampered with.
110. What is the primary security risk of allowing unvalidated redirects in mobile applications?
A) Unvalidated redirects can lead to phishing attacks
B) They improve app navigation
C) They help in faster app load times
D) They allow smoother transitions between screens
β Answer: A) Unvalidated redirects can lead to phishing attacks
π Explanation:
Attackers can redirect users to malicious sites to steal credentials or distribute malware. Always validate and restrict redirect URLs.
111. What is the best practice for implementing OAuth in mobile applications?
A) Using short-lived access tokens with refresh tokens
B) Storing access tokens in local storage
C) Embedding OAuth secrets in the app
D) Using hardcoded OAuth credentials
β Answer: A) Using short-lived access tokens with refresh tokens
π Explanation:
Short-lived access tokens minimize risk if compromised. Use refresh tokens securely stored in Keychain/Keystore to generate new access tokens.
112. What is a major risk of allowing JavaScript execution in WebView?
A) Cross-Site Scripting (XSS) attacks
B) Improved performance
C) Faster page rendering
D) Reduced memory usage
β Answer: A) Cross-Site Scripting (XSS) attacks
π Explanation:
If JavaScript is enabled in WebView, an attacker can execute malicious scripts, leading to data theft and session hijacking.
113. What is the purpose of Content Security Policy (CSP) in mobile web applications?
A) To prevent XSS attacks by restricting script execution sources
B) To improve page load speeds
C) To reduce network latency
D) To allow unrestricted API calls
β Answer: A) To prevent XSS attacks by restricting script execution sources
π Explanation:
CSP allows developers to define allowed script sources, preventing malicious scripts from executing in WebView or browser-based applications.
114. What is a common technique used to bypass biometric authentication in mobile apps?
A) Using fake fingerprint or face images
B) Increasing screen brightness
C) Reducing the app size
D) Encrypting biometric data
β Answer: A) Using fake fingerprint or face images
π Explanation:
Without liveness detection, biometric authentication can be tricked using 3D-printed fingerprints or face masks.
115. Why should mobile apps restrict background execution of services?
A) To prevent malicious data exfiltration
B) To improve app animations
C) To reduce screen flickering
D) To increase battery drain
β Answer: A) To prevent malicious data exfiltration
π Explanation:
Background execution can allow malware to steal sensitive data without user interaction. Implement strict background execution policies.
116. Why is it important to disable WebView debugging in production mobile applications?
A) It prevents attackers from injecting and executing JavaScript code in WebView
B) It speeds up web content rendering
C) It allows faster loading of external websites
D) It helps users to inspect web elements
β Answer: A) It prevents attackers from injecting and executing JavaScript code in WebView
π Explanation:
If WebView debugging is enabled (setWebContentsDebuggingEnabled(true)), attackers can execute JavaScript code remotely and exploit the application. Always disable debugging in production.
117. What is a secure way to handle session cookies in mobile applications?
A) Using HttpOnly and Secure flags on cookies
B) Storing cookies in SharedPreferences
C) Using cookies without expiration
D) Sending cookies in plaintext over HTTP
β Answer: A) Using HttpOnly and Secure flags on cookies
π Explanation:
HttpOnly prevents JavaScript from accessing cookies, while Secure ensures that cookies are only sent over HTTPS, protecting against XSS and MitM attacks.
118. What is a common security risk of using adb backup for Android applications?
A) It allows attackers to extract sensitive app data without root access
B) It improves app security
C) It speeds up device performance
D) It prevents data loss
β Answer: A) It allows attackers to extract sensitive app data without root access
π Explanation:
By default, adb backup can back up app data without root permissions, allowing attackers to extract database files, cache, and private app data. Always set android:allowBackup="false" in the AndroidManifest.xml.
119. How can developers prevent clipboard hijacking attacks in mobile apps?
A) Clearing clipboard contents after copying sensitive data
B) Allowing unlimited clipboard access
C) Encrypting clipboard data
D) Storing clipboard data permanently
β Answer: A) Clearing clipboard contents after copying sensitive data
π Explanation:
Clipboard hijacking allows malicious apps to read copied data (e.g., passwords, OTPs). Always clear clipboard data after a short duration to prevent leakage.
120. Why should mobile applications validate SSL/TLS certificates properly?
A) To prevent Man-in-the-Middle (MitM) attacks
B) To reduce SSL handshake time
C) To allow HTTP requests without encryption
D) To improve network speed
β Answer: A) To prevent Man-in-the-Middle (MitM) attacks
π Explanation:
Improper SSL/TLS validation allows attackers to intercept and modify encrypted traffic, leading to data theft and API hijacking.
121. What is the risk of storing cryptographic keys in environment variables on mobile devices?
A) Attackers can extract keys using debugging tools
B) It increases app performance
C) It optimizes storage space
D) It prevents reverse engineering
β Answer: A) Attackers can extract keys using debugging tools
π Explanation:
Environment variables are not secure for storing cryptographic keys, as they can be accessed via debugging tools or malware. Always store keys in Android Keystore or iOS Secure Enclave.
122. How can mobile applications prevent unauthorized overlays or UI injection attacks?
A) Using FLAG_SECURE to prevent screen overlays
B) Allowing all apps to draw over UI elements
C) Enabling screen recording in production
D) Disabling security logging
β Answer: A) Using FLAG_SECURE to prevent screen overlays
π Explanation:
UI overlay attacks trick users into interacting with hidden elements (e.g., permission popups). Using FLAG_SECURE prevents screen overlays and unauthorized UI manipulation.
123. What is a security risk of exposing excessive application logs in mobile apps?
A) Logs may contain sensitive data, such as credentials and API keys
B) Logs slow down the app performance
C) Logs increase network latency
D) Logs consume additional CPU resources
β Answer: A) Logs may contain sensitive data, such as credentials and API keys
π Explanation:
Debug logs may include API keys, authentication tokens, or error details, making them a target for attackers. Always sanitize and restrict logging in production.
124. How can developers prevent memory-based attacks on mobile applications?
A) Implementing Address Space Layout Randomization (ASLR)
B) Storing all application data in memory
C) Using large buffer sizes for faster processing
D) Allowing applications to access raw memory
β Answer: A) Implementing Address Space Layout Randomization (ASLR)
π Explanation:
ASLR randomizes memory locations, making it harder for attackers to exploit memory corruption vulnerabilities like buffer overflows.
125. What is a potential risk when mobile apps allow universal cross-origin requests (CORS)?
A) Attackers can send unauthorized requests to APIs
B) The app loads faster
C) The app consumes less bandwidth
D) It improves database performance
β Answer: A) Attackers can send unauthorized requests to APIs
π Explanation:
Weak CORS policies allow attackers to make cross-origin requests from malicious sites, leading to data leakage and API abuse.
126. What is the risk of using weak encryption algorithms like DES or RC4 in mobile applications?
A) These algorithms are vulnerable to brute-force and cryptanalysis attacks
B) They improve encryption speed
C) They reduce storage consumption
D) They require less battery power
β Answer: A) These algorithms are vulnerable to brute-force and cryptanalysis attacks
π Explanation:
DES and RC4 are outdated and vulnerable to brute-force and cryptanalysis attacks. Always use AES-256 or modern encryption standards.
127. How can mobile apps prevent unauthorized API key exposure?
A) Using backend proxy authentication instead of hardcoded keys
B) Embedding API keys in the source code
C) Storing API keys in SharedPreferences
D) Allowing API access without authentication
β Answer: A) Using backend proxy authentication instead of hardcoded keys
π Explanation:
Hardcoded API keys can be extracted via reverse engineering. Always handle API authentication server-side to prevent unauthorized access.
128. What is the best approach to securely handling biometric authentication data in mobile apps?
A) Using OS-native biometric APIs (Android BiometricPrompt/iOS Face ID)
B) Storing biometric data in a local database
C) Allowing raw biometric data access to third-party apps
D) Using hardcoded biometric templates
β Answer: A) Using OS-native biometric APIs (Android BiometricPrompt/iOS Face ID)
π Explanation:
Native biometric APIs ensure that biometric data remains secure and never leaves the device, preventing unauthorized access.
129. Why is it important to use an App Transport Security (ATS) policy in iOS applications?
A) It enforces secure HTTPS connections, preventing MitM attacks
B) It allows faster app execution
C) It disables user tracking
D) It improves UI animations
β Answer: A) It enforces secure HTTPS connections, preventing MitM attacks
π Explanation:
ATS requires HTTPS connections with strong encryption, ensuring that network communication remains secure.
130. What is the primary reason for enforcing permissions when using Android’s BroadcastReceiver?
A) To prevent intent hijacking and unauthorized broadcast interception
B) To improve battery performance
C) To reduce app size
D) To enhance UI performance
β Answer: A) To prevent intent hijacking and unauthorized broadcast interception
π Explanation:
If BroadcastReceivers are not properly restricted, attackers can send fake broadcasts or intercept sensitive messages, leading to security risks.
131. What is the best way to prevent reverse engineering of Android applications?
A) Using code obfuscation and encryption techniques
B) Hardcoding API keys in the source code
C) Allowing installation from third-party sources
D) Removing app signing
β Answer: A) Using code obfuscation and encryption techniques
π Explanation:
Attackers can reverse engineer an Android app using tools like APKTool, JADX, or Frida. Code obfuscation (ProGuard, R8) and native code encryption help protect against decompilation.
132. What is the primary risk of using dynamic code loading in mobile applications?
A) It improves app performance
B) It increases network latency
C) It allows attackers to execute arbitrary code at runtime
D) It reduces memory usage
β Answer: C) It allows attackers to execute arbitrary code at runtime
π Explanation:
Dynamic code loading (DexClassLoader in Android) can be abused by attackers to load malicious code dynamically, leading to Remote Code Execution (RCE) attacks.
133. Why should mobile applications avoid using wildcard (*) in CORS policies?
A) It allows cross-origin API abuse and data exfiltration
B) It improves app performance
C) It speeds up database queries
D) It reduces server load
β Answer: A) It allows cross-origin API abuse and data exfiltration
π Explanation:
A wildcard (*) in CORS policy allows any origin to access APIs, which can lead to data leaks, CSRF attacks, and unauthorized API access.
134. What is the main security risk when an iOS app allows arbitrary HTTP connections?
A) Users experience slower network speeds
B) The app becomes larger in size
C) It exposes the app to Man-in-the-Middle (MitM) attacks
D) The app consumes more CPU power
β Answer: C) It exposes the app to Man-in-the-Middle (MitM) attacks
π Explanation:
Allowing arbitrary HTTP connections disables TLS protection, making the app vulnerable to eavesdropping and data interception.
135. What is the recommended way to securely authenticate users in mobile applications?
A) Implementing OAuth 2.0 with token-based authentication
B) Using static passwords without expiration
C) Storing user credentials in local storage
D) Using only biometric authentication
β Answer: A) Implementing OAuth 2.0 with token-based authentication
π Explanation:
OAuth 2.0 with access tokens and refresh tokens ensures secure, scalable authentication, reducing the risk of credential leaks.
136. What is the impact of failing to implement secure input validation in mobile apps?
A) Vulnerability to SQL Injection, XSS, and Command Injection attacks
B) Faster API response times
C) Reduced app size
D) Improved battery performance
β Answer: A) Vulnerability to SQL Injection, XSS, and Command Injection attacks
π Explanation:
Without proper input validation and sanitization, attackers can inject malicious payloads to exploit database queries, web components, or command execution.
137. What is a common attack against weak biometric authentication implementations?
A) Replay attacks using synthetic biometric data
B) Faster authentication speeds
C) Reduced memory usage
D) Improved biometric matching accuracy
β Answer: A) Replay attacks using synthetic biometric data
π Explanation:
Weak biometric systems without liveness detection can be bypassed using recorded fingerprints, face images, or synthetic biometric data.
138. How can mobile apps prevent unauthorized deep link exploitation?
A) Validating incoming deep link parameters and enforcing authentication
B) Allowing all deep links without restriction
C) Using plaintext storage for deep link configurations
D) Ignoring deep link requests
β Answer: A) Validating incoming deep link parameters and enforcing authentication
π Explanation:
Attackers can manipulate deep links to bypass authentication or launch unintended actions. Always validate deep link parameters before processing them.
139. What is the purpose of implementing Mobile Application Management (MAM) policies?
A) To enforce security controls on enterprise mobile apps
B) To increase app download speeds
C) To reduce network latency
D) To allow unrestricted data sharing
β Answer: A) To enforce security controls on enterprise mobile apps
π Explanation:
MAM policies help organizations enforce encryption, remote wipe, app access control, and data loss prevention.
140. Why should developers avoid embedding API credentials in mobile applications?
A) Attackers can extract credentials via reverse engineering
B) It speeds up API requests
C) It reduces the appβs memory footprint
D) It improves user experience
β Answer: A) Attackers can extract credentials via reverse engineering
π Explanation:
Attackers can decompile and inspect mobile apps to extract hardcoded API keys, leading to unauthorized API access and abuse.
141. What is the main security concern with allowing file uploads in mobile applications?
A) Uploading malicious files that lead to Remote Code Execution (RCE)
B) Increased app download size
C) Reduced app performance
D) Increased network usage
β Answer: A) Uploading malicious files that lead to Remote Code Execution (RCE)
π Explanation:
Attackers can upload malicious files (e.g., scripts, shellcode) to exploit server-side vulnerabilities and gain RCE access.
142. How can mobile applications securely store access tokens?
A) Using secure storage mechanisms like Android Keystore or iOS Keychain
B) Storing tokens in plaintext in local storage
C) Embedding tokens in the application source code
D) Allowing unlimited session duration
β Answer: A) Using secure storage mechanisms like Android Keystore or iOS Keychain
π Explanation:
Tokens stored in insecure locations can be stolen by malware or reverse engineering tools. Always store sensitive data in secure storage mechanisms.
143. What is a security risk of using an outdated version of a mobile appβs third-party dependency?
A) Exposure to known vulnerabilities and exploits
B) Reduced app startup time
C) Increased memory efficiency
D) Faster API responses
β Answer: A) Exposure to known vulnerabilities and exploits
π Explanation:
Outdated dependencies often contain security vulnerabilities that attackers can exploit to compromise the application.
144. How can developers detect if an Android device is running in an emulator for security reasons?
A) Checking for emulator-specific properties like hardware, device model, or running processes
B) Measuring battery consumption
C) Disabling background services
D) Checking screen brightness levels
β Answer: A) Checking for emulator-specific properties like hardware, device model, or running processes
π Explanation:
Attackers use emulators to test exploits. Secure apps should check for emulator artifacts to detect potential abuse.
145. Why is it important to enforce session expiration in mobile applications?
A) To prevent session hijacking and unauthorized access
B) To improve app speed
C) To enhance app animations
D) To reduce API calls
β Answer: A) To prevent session hijacking and unauthorized access
π Explanation:
Expired sessions prevent stolen session tokens from being reused for unauthorized access.
146. How can developers prevent excessive permission requests in mobile applications?
A) Following the principle of least privilege and requesting only necessary permissions
B) Requesting all possible permissions at installation
C) Storing permissions in SharedPreferences
D) Allowing the app to auto-grant permissions
β Answer: A) Following the principle of least privilege and requesting only necessary permissions
π Explanation:
Requesting excessive permissions increases attack surface and user privacy risks. Only request permissions essential for the appβs core functionality.
147. What is the main security risk of using WebSockets in mobile applications without proper validation?
A) Exposure to Cross-Site WebSocket Hijacking (CSWH)
B) Reduced battery life
C) Slower API request times
D) Increased app size
β Answer: A) Exposure to Cross-Site WebSocket Hijacking (CSWH)
π Explanation:
If WebSockets lack authentication and proper origin validation, attackers can hijack active WebSocket sessions and steal sensitive data.
148. Why should developers avoid using deep linking for authentication without additional security controls?
A) It can be exploited to bypass authentication mechanisms
B) It improves app navigation
C) It reduces memory usage
D) It speeds up login
β Answer: A) It can be exploited to bypass authentication mechanisms
π Explanation:
Attackers can manipulate deep links to access privileged sections of an app without proper authentication. Always validate and secure deep link parameters.
149. What is a common attack vector against improperly implemented JWT authentication?
A) Token tampering and signature forgery
B) Faster API calls
C) Improved encryption speed
D) Increased app startup time
β Answer: A) Token tampering and signature forgery
π Explanation:
If JWT signatures are weak or unsigned algorithms are used, attackers can forge tokens to gain unauthorized access.
150. How can mobile applications prevent malicious applications from listening to broadcasted intents in Android?
A) Using explicit intents and enforcing signature-based permissions
B) Sending intents without validation
C) Allowing all apps to receive broadcasts
D) Using plaintext storage for messages
β Answer: A) Using explicit intents and enforcing signature-based permissions
π Explanation:
Public broadcasted intents can be intercepted by malicious apps. Use explicit intents or enforce permissions to restrict broadcast exposure.
151. Why is it important to implement a Content Security Policy (CSP) in mobile web applications?
A) To prevent Cross-Site Scripting (XSS) and content injection attacks
B) To reduce network bandwidth consumption
C) To optimize the web page rendering
D) To enable faster response times
β Answer: A) To prevent Cross-Site Scripting (XSS) and content injection attacks
π Explanation:
CSP restricts where scripts and resources can load from, preventing attackers from injecting malicious JavaScript into the app.
152. What is the security risk of failing to encrypt sensitive data stored in cloud-synced mobile applications?
A) Data exposure due to unauthorized cloud access
B) Increased app startup time
C) Higher CPU usage
D) Reduced storage efficiency
β Answer: A) Data exposure due to unauthorized cloud access
π Explanation:
Without encryption, cloud-synced data is at risk of being exposed if the cloud storage is compromised. Always encrypt data at rest and in transit.
153. How can developers prevent unauthorized use of mobile app APIs?
A) Implementing API authentication and rate-limiting mechanisms
B) Allowing API access to all users without verification
C) Storing API keys in plaintext inside the app
D) Using weak JWT secret keys
β Answer: A) Implementing API authentication and rate-limiting mechanisms
π Explanation:
API authentication (OAuth, JWT, API keys) and rate limiting prevent unauthorized access, brute-force, and API abuse.
154. What is a primary risk of failing to implement session timeout in mobile applications?
A) Stolen session tokens can be reused indefinitely
B) Faster authentication processes
C) Improved user experience
D) Increased app performance
β Answer: A) Stolen session tokens can be reused indefinitely
π Explanation:
Without session expiration, an attacker who steals a valid session token can reuse it indefinitely, leading to account takeovers.
155. Why should mobile applications disable JavaScript execution in WebView when not required?
A) To prevent Cross-Site Scripting (XSS) attacks
B) To improve animation performance
C) To reduce power consumption
D) To enable faster navigation
β Answer: A) To prevent Cross-Site Scripting (XSS) attacks
π Explanation:
JavaScript execution in WebView can be exploited for XSS attacks, leading to session hijacking and data theft.
156. How can developers prevent mobile applications from running on jailbroken or rooted devices?
A) Implementing root/jailbreak detection techniques
B) Allowing execution on all devices
C) Disabling authentication checks
D) Using weak encryption algorithms
β Answer: A) Implementing root/jailbreak detection techniques
π Explanation:
Jailbroken/rooted devices bypass security restrictions, allowing attackers to modify and exploit mobile apps.
157. What is the main security risk when mobile apps store authentication credentials in SharedPreferences or UserDefaults?
A) Attackers can extract credentials using malware or reverse engineering
B) Improved app startup time
C) Faster database queries
D) Reduced API response time
β Answer: A) Attackers can extract credentials using malware or reverse engineering
π Explanation:
SharedPreferences/UserDefaults lack encryption, making stored credentials vulnerable to extraction by malware or attackers.
158. How can developers prevent security vulnerabilities in third-party SDKs integrated into mobile apps?
A) Performing regular security audits and updates on third-party SDKs
B) Allowing unrestricted SDK access
C) Using outdated SDK versions
D) Embedding all SDK files inside the source code
β Answer: A) Performing regular security audits and updates on third-party SDKs
π Explanation:
Third-party SDKs can introduce security vulnerabilities. Always review permissions, monitor for security updates, and remove unnecessary SDKs.
159. What is a potential risk of allowing mobile applications to run in the background without restrictions?
A) Unauthorized data collection and increased attack surface
B) Faster user experience
C) Reduced network usage
D) Lower memory consumption
β Answer: A) Unauthorized data collection and increased attack surface
π Explanation:
Malicious apps can exploit background execution to exfiltrate data, execute unauthorized operations, or drain battery life.
160. How can developers prevent privilege escalation attacks in mobile applications?
A) Enforcing proper access controls and permission checks
B) Granting all users administrator privileges
C) Disabling encryption mechanisms
D) Using unrestricted file access
β Answer: A) Enforcing proper access controls and permission checks
π Explanation:
Privilege escalation occurs when attackers exploit weak permissions to gain higher privileges. Always enforce strict access controls and permission validation.
161. What is a major risk of allowing JavaScript execution in WebViews with unrestricted access?
A) Injection of malicious scripts leading to XSS attacks
B) Faster web page rendering
C) Reduced battery consumption
D) Improved app startup time
β Answer: A) Injection of malicious scripts leading to XSS attacks
π Explanation:
Unrestricted JavaScript execution in WebView can allow attackers to inject and execute malicious scripts, leading to data theft, phishing, and session hijacking.
162. How can mobile applications prevent brute-force attacks on authentication systems?
A) Implementing account lockout and CAPTCHA after multiple failed attempts
B) Allowing unlimited login attempts
C) Storing passwords in plaintext
D) Using static passwords for authentication
β Answer: A) Implementing account lockout and CAPTCHA after multiple failed attempts
π Explanation:
Brute-force attacks can crack weak passwords by trying multiple combinations. Locking accounts, implementing rate limits, and using CAPTCHA prevent such attacks.
163. What is the primary reason for using a secure random number generator for session tokens?
A) To prevent session prediction and token hijacking
B) To reduce network latency
C) To improve app UI performance
D) To increase data storage efficiency
β Answer: A) To prevent session prediction and token hijacking
π Explanation:
Weak random number generators produce predictable session tokens, which attackers can guess and use to hijack user sessions.
164. Why should mobile apps restrict clipboard access when handling sensitive data?
A) To prevent unauthorized apps from reading copied sensitive information
B) To improve app animations
C) To increase battery efficiency
D) To reduce app launch time
β Answer: A) To prevent unauthorized apps from reading copied sensitive information
π Explanation:
Clipboard data is accessible to all apps on some mobile platforms. If passwords, API keys, or other sensitive information are copied, malicious apps can steal them.
165. What is the best practice for handling expired access tokens in mobile apps?
A) Using refresh tokens to generate new access tokens securely
B) Allowing users to continue using expired tokens
C) Storing access tokens indefinitely
D) Embedding access tokens in local storage
β Answer: A) Using refresh tokens to generate new access tokens securely
π Explanation:
Expired access tokens should not be reused. Instead, refresh tokens (stored securely) should be used to generate new access tokens without requiring user credentials.
166. How can developers prevent insecure direct object reference (IDOR) attacks in mobile APIs?
A) Enforcing proper authentication and authorization checks on API endpoints
B) Using static API keys
C) Allowing unrestricted access to object IDs
D) Storing API credentials in the frontend
β Answer: A) Enforcing proper authentication and authorization checks on API endpoints
π Explanation:
IDOR attacks occur when APIs fail to validate user permissions, allowing attackers to modify object IDs and access unauthorized data.
167. What is a common security risk of allowing mobile apps to run on rooted or jailbroken devices?
A) Bypassing app security mechanisms and allowing privilege escalation
B) Improved CPU performance
C) Increased app execution speed
D) Faster encryption processing
β Answer: A) Bypassing app security mechanisms and allowing privilege escalation
π Explanation:
Rooted/jailbroken devices allow modification of system settings and app files, making it easier for attackers to bypass security features, inject malicious code, or escalate privileges.
168. What is the primary risk of allowing auto-fill functionality for password fields in mobile apps?
A) Stored credentials can be stolen if a device is compromised
B) It reduces typing effort
C) It improves authentication speed
D) It enhances the user experience
β Answer: A) Stored credentials can be stolen if a device is compromised
π Explanation:
If an attacker gains access to a device, stored credentials in password managers or browser autofill may be extracted, leading to account compromise.
169. How can developers ensure that mobile app logs do not expose sensitive information?
A) Masking or encrypting sensitive data before logging
B) Logging all user activities for debugging purposes
C) Storing logs in external storage without encryption
D) Retaining all logs permanently
β Answer: A) Masking or encrypting sensitive data before logging
π Explanation:
Logs should never contain plaintext passwords, API keys, authentication tokens, or personally identifiable information (PII). Always mask or encrypt sensitive data before logging.
170. What is a security risk of using outdated dependencies in mobile applications?
A) Vulnerabilities in third-party libraries may be exploited by attackers
B) Increased network speed
C) Reduced app storage size
D) Improved API response times
β Answer: A) Vulnerabilities in third-party libraries may be exploited by attackers
π Explanation:
Outdated dependencies often have known vulnerabilities that attackers can exploit. Always keep libraries up to date and remove unused dependencies.
171. How can developers prevent path traversal attacks in mobile applications?
A) Validating and sanitizing user input before accessing file paths
B) Allowing unrestricted file access
C) Storing user-uploaded files in system directories
D) Using hardcoded file paths
β Answer: A) Validating and sanitizing user input before accessing file paths
π Explanation:
Path traversal attacks occur when attackers manipulate file paths to access unauthorized system files. Always sanitize input to prevent directory traversal exploits.
172. What is the purpose of enabling Data Execution Prevention (DEP) in mobile applications?
A) To prevent execution of malicious code in non-executable memory regions
B) To improve device storage efficiency
C) To reduce API request times
D) To allow dynamic execution of all scripts
β Answer: A) To prevent execution of malicious code in non-executable memory regions
π Explanation:
DEP prevents memory-based attacks by ensuring non-executable memory cannot be used to execute malicious shellcode.
173. How can developers prevent clickjacking attacks in mobile web applications?
A) Using X-Frame-Options or Content Security Policy (CSP)
B) Allowing all cross-origin iframe embedding
C) Using large buttons for UI elements
D) Disabling JavaScript
β Answer: A) Using X-Frame-Options or Content Security Policy (CSP)
π Explanation:
Clickjacking attacks trick users into clicking hidden UI elements. X-Frame-Options and CSP prevent the app from being embedded inside an attacker-controlled frame.
174. Why should mobile applications avoid hardcoding cryptographic keys in the source code?
A) Attackers can extract keys via reverse engineering
B) It improves encryption performance
C) It speeds up key retrieval
D) It allows faster API authentication
β Answer: A) Attackers can extract keys via reverse engineering
π Explanation:
Hardcoded cryptographic keys can be extracted using decompilers, leading to unauthorized decryption of sensitive data.
174. What is the risk of failing to implement proper session expiration in mobile applications?
A) Attackers can reuse stolen session tokens indefinitely
B) Increased app responsiveness
C) Reduced API request time
D) Improved user experience
β Answer: A) Attackers can reuse stolen session tokens indefinitely
π Explanation:
Without session expiration, an attacker who steals a valid session token can reuse it indefinitely, leading to account takeovers and unauthorized access.
175. How can developers prevent insecure WebView configuration in mobile applications?
A) Disabling JavaScript and enforcing same-origin policy
B) Enabling unrestricted web execution
C) Storing JavaScript files locally
D) Using non-standard WebView settings
β Answer: A) Disabling JavaScript and enforcing same-origin policy
π Explanation:
Enabling JavaScript execution and allowing cross-origin resource loading in WebView can expose the app to XSS, CSRF, and remote code execution attacks.
176. What is the risk of allowing mobile applications to install third-party APKs without verification?
A) Malware installation and execution of malicious code
B) Increased app performance
C) Reduced battery consumption
D) Faster app installations
β Answer: A) Malware installation and execution of malicious code
π Explanation:
Allowing third-party APK installations without proper security checks can lead to malware infections and compromise device security.
177. How can developers prevent Cross-Site Request Forgery (CSRF) attacks in mobile web applications?
A) Implementing CSRF tokens and enforcing same-site cookies
B) Allowing unrestricted API requests
C) Using GET requests for sensitive actions
D) Hardcoding API keys in the frontend
β Answer: A) Implementing CSRF tokens and enforcing same-site cookies
π Explanation:
CSRF attacks occur when attackers trick authenticated users into executing unauthorized actions. Using CSRF tokens and same-site cookies helps prevent this attack.
178. What is the purpose of implementing Secure Boot in mobile operating systems?
A) Ensuring only signed and verified software is loaded at startup
B) Reducing device startup time
C) Increasing app compatibility
D) Enabling faster authentication
β Answer: A) Ensuring only signed and verified software is loaded at startup
π Explanation:
Secure Boot verifies that only cryptographically signed and authorized firmware is executed, preventing boot-level malware attacks.
179. How can mobile applications prevent attackers from injecting malicious inputs into SQL queries?
A) Using prepared statements and parameterized queries
B) Hardcoding SQL queries
C) Allowing raw SQL input from users
D) Storing SQL queries in local storage
β Answer: A) Using prepared statements and parameterized queries
π Explanation:
Using prepared statements and parameterized queries ensures that user input is treated as data, not executable code, preventing SQL injection attacks.
180. Why should mobile apps restrict access to device sensors such as the microphone and camera?
A) To prevent unauthorized access and spyware attacks
B) To improve app animations
C) To reduce app storage consumption
D) To speed up network requests
β Answer: A) To prevent unauthorized access and spyware attacks
π Explanation:
If an attacker gains access to microphone or camera sensors, they can spy on users, record conversations, or capture sensitive visuals without consent.
**181. How can developers prevent mobile applications from storing sensitive data in logs?
A) Disabling debug logging in production and avoiding sensitive data in logs
B) Keeping logs for future analysis
C) Storing sensitive data in encrypted logs
D) Allowing unrestricted log access
β Answer: A) Disabling debug logging in production and avoiding sensitive data in logs
π Explanation:
Sensitive data should never be stored in logs, as logs are often accessible for debugging purposes. Always sanitize log output and disable logging in production builds.
182. What is the risk of failing to properly validate JSON Web Tokens (JWT) in a mobile application?
A) Attackers can forge tokens and gain unauthorized access
B) Reduced API response times
C) Faster authentication
D) Increased app security
β Answer: A) Attackers can forge tokens and gain unauthorized access
π Explanation:
If JWTs are not properly validated (e.g., using weak signatures, missing expiration checks), attackers can manipulate tokens and impersonate users.
183. What security control helps prevent an attacker from executing arbitrary commands via mobile app input fields?
A) Input validation and sanitization
B) Allowing unrestricted command execution
C) Enabling developer mode permanently
D) Storing user input in local storage
β Answer: A) Input validation and sanitization
π Explanation:
Proper input validation prevents command injection attacks, where attackers attempt to execute malicious system commands via input fields.
184. Why should mobile applications enforce minimum password complexity requirements?
A) To prevent brute-force and dictionary attacks
B) To increase API call speed
C) To reduce encryption time
D) To improve network latency
β Answer: A) To prevent brute-force and dictionary attacks
π Explanation:
Weak passwords make users vulnerable to brute-force and dictionary attacks. Enforcing password complexity (length, special characters, numbers, etc.) increases security.
185. What is the purpose of enforcing HTTP Strict Transport Security (HSTS) in mobile applications?
A) To enforce HTTPS and prevent SSL stripping attacks
B) To reduce SSL handshake time
C) To improve page rendering speed
D) To optimize app startup performance
β Answer: A) To enforce HTTPS and prevent SSL stripping attacks
π Explanation:
HSTS ensures that browsers and apps always use HTTPS, preventing SSL stripping attacks that downgrade secure connections to HTTP.
186. What is the risk of storing authentication tokens in browser local storage for mobile web applications?
A) Tokens can be accessed by malicious scripts via XSS attacks
B) Improved token retrieval speed
C) Faster authentication processes
D) Reduced network latency
β Answer: A) Tokens can be accessed by malicious scripts via XSS attacks
π Explanation:
Storing authentication tokens in local storage makes them vulnerable to XSS attacks, allowing attackers to steal session tokens.
187. How can developers prevent insecure deserialization attacks in mobile applications?
A) Validating and sanitizing serialized data before processing it
B) Allowing all user input in deserialization functions
C) Storing serialized data in plaintext
D) Using hardcoded object values
β Answer: A) Validating and sanitizing serialized data before processing it
π Explanation:
Insecure deserialization occurs when malicious serialized objects are injected into an application. Always validate and restrict what data can be deserialized.
188. Why is certificate pinning an essential security measure in mobile apps?
A) To prevent Man-in-the-Middle (MitM) attacks using forged certificates
B) To increase TLS handshake speed
C) To improve network latency
D) To allow self-signed certificates
β Answer: A) To prevent Man-in-the-Middle (MitM) attacks using forged certificates
π Explanation:
Certificate pinning ensures the app only trusts predefined certificates, preventing attackers from using forged or rogue CA certificates.
189. What is the main risk of failing to implement Multi-Factor Authentication (MFA) in mobile applications?
A) Increased risk of unauthorized account access due to password compromise
B) Reduced server load
C) Faster authentication process
D) Improved UI performance
β Answer: A) Increased risk of unauthorized account access due to password compromise
π Explanation:
MFA adds an extra layer of security, preventing unauthorized access even if an attacker steals or guesses a userβs password.
190. What is the best security measure to prevent attackers from abusing forgotten password functionality in mobile apps?
A) Using rate limiting and verifying identity via email or SMS OTP
B) Allowing unlimited password reset attempts
C) Storing passwords in plaintext for easy recovery
D) Disabling password resets altogether
β Answer: A) Using rate limiting and verifying identity via email or SMS OTP
π Explanation:
Without rate-limiting, attackers can abuse password reset forms to brute-force email addresses or hijack accounts.
191. How can developers prevent mobile malware from exploiting application permissions?
A) Requesting only necessary permissions and enforcing runtime checks
B) Granting all permissions by default
C) Allowing apps to modify their own permissions
D) Using plaintext configuration files for permission settings
β Answer: A) Requesting only necessary permissions and enforcing runtime checks
π Explanation:
Excessive permissions increase attack surfaces. Always use runtime permission checks to prevent unauthorized access to sensitive resources.
192. What is a key method to prevent unauthorized biometric authentication bypass attacks?
A) Enforcing liveness detection and secure biometric storage
B) Using weak biometric templates
C) Allowing all devices to store biometric data in local databases
D) Disabling biometric authentication
β Answer: A) Enforcing liveness detection and secure biometric storage
π Explanation:
Attackers may use printed images, videos, or masks to bypass biometric authentication. Liveness detection ensures only genuine users authenticate.
193. Why should mobile applications avoid storing encryption keys in source code?
A) Attackers can extract keys via reverse engineering and decrypt sensitive data
B) It increases API response times
C) It reduces the storage footprint
D) It improves encryption speed
β Answer: A) Attackers can extract keys via reverse engineering and decrypt sensitive data
π Explanation:
Hardcoded encryption keys can be extracted from decompiled apps, leading to data breaches.
194. What is the primary risk of using outdated cryptographic algorithms like MD5 and SHA-1?
A) They are vulnerable to collision attacks and brute-force decryption
B) They improve hashing speed
C) They require less processing power
D) They reduce app storage size
β Answer: A) They are vulnerable to collision attacks and brute-force decryption
π Explanation:
MD5 and SHA-1 are cryptographically weak and can be easily broken with modern computing power. Always use SHA-256 or higher.
195. How can mobile apps prevent clickjacking attacks on login screens?
A) Using X-Frame-Options and Content Security Policy (CSP) to prevent UI overlays
B) Enabling unrestricted iframe embedding
C) Allowing third-party apps to overlay screens
D) Using only native authentication
β Answer: A) Using X-Frame-Options and Content Security Policy (CSP) to prevent UI overlays
π Explanation:
Clickjacking tricks users into clicking invisible UI elements, leading to unintended actions. CSP and X-Frame-Options prevent unauthorized UI embedding.
196. What is the best method to prevent sensitive data exposure in push notifications?
A) Encrypting push notification payloads and avoiding sensitive content
B) Storing notifications in plaintext logs
C) Allowing all push notifications to contain account details
D) Sending authentication tokens via push messages
β Answer: A) Encrypting push notification payloads and avoiding sensitive content
π Explanation:
Push notifications can be intercepted. Avoid including passwords, authentication tokens, or PII in notifications.
197. How can developers protect mobile applications from repackaging and tampering?
A) Implementing application integrity checks and verifying digital signatures
B) Allowing unsigned APKs to run
C) Removing code obfuscation
D) Using easily guessable encryption keys
β Answer: A) Implementing application integrity checks and verifying digital signatures
π Explanation:
Attackers may modify and repackage apps to inject malware. Integrity verification prevents running tampered versions.
198. Why is it important to use a secure key exchange mechanism in mobile applications?
A) To prevent attackers from intercepting encryption keys during transmission
B) To improve API response time
C) To reduce network latency
D) To allow multiple users to share the same key
β Answer: A) To prevent attackers from intercepting encryption keys during transmission
π Explanation:
Without secure key exchange, attackers can perform Man-in-the-Middle (MitM) attacks to intercept and steal encryption keys.
199. What is a common risk associated with improperly configured Firebase databases?
A) Unauthorized access to stored data
B) Reduced API response times
C) Increased server uptime
D) Faster user authentication
β Answer: A) Unauthorized access to stored data
π Explanation:
By default, Firebase databases may be publicly accessible if security rules are not properly configured, leading to data leaks.
**200. How can developers prevent attackers from modifying Android intents?
A) Using PendingIntents with FLAG_IMMUTABLE and enforcing permission-based access
B) Allowing all apps to access intents
C) Storing intents in plaintext logs
D) Allowing deep linking without validation
β Answer: A) Using PendingIntents with FLAG_IMMUTABLE and enforcing permission-based access
π Explanation:
Improperly protected intents can be modified or hijacked by other apps, leading to unauthorized actions.
201. Why should rooted and jailbroken devices be restricted in mobile applications handling sensitive data?
A) They bypass security restrictions and allow unauthorized access
B) They improve app execution speed
C) They reduce encryption time
D) They increase network performance
β Answer: A) They bypass security restrictions and allow unauthorized access
π Explanation:
Rooted/jailbroken devices allow attackers to modify system-level restrictions, extract app data, and bypass security controls.
202. How can mobile apps prevent denial-of-service (DoS) attacks on login APIs?
A) Implementing rate limiting and CAPTCHA for authentication requests
B) Allowing unlimited failed login attempts
C) Using only static passwords
D) Disabling all authentication logs
β Answer: A) Implementing rate limiting and CAPTCHA for authentication requests
π Explanation:
Rate limiting prevents automated brute-force attacks and DoS attempts on authentication endpoints.
203. What is the best way to handle sensitive user data in mobile applications?
A) Encrypting data at rest and in transit using strong encryption
B) Storing sensitive data in local storage
C) Using weak hashing algorithms
D) Keeping authentication logs in plaintext
β Answer: A) Encrypting data at rest and in transit using strong encryption
π Explanation:
All sensitive data should be encrypted to prevent unauthorized access and data breaches.