CS453 Final Exam
How can an unauthorized app be installed on an iOS device?
iOS devices don't allow unauthorized apps
A user can accept the unauthorized warning and load the app
An app can be downloaded from somewhere besides iTunes
A progressive web app can load code from a web site
Answer: A progressive web app can load code from a web site

Which of the following best describes the Android permission model?
Android apps must declare all permissions prior to installation
Android app permissions are reviewed by the Play Store and do not require user intervention
Current versions of Android no longer use permissions
After Android 6, apps are granted all regular permissions by default and only dangerous permissions require user approval
Answer: After Android 6, apps are granted all regular permissions by default and only dangerous permissions require user approval

Which of the following is a popular third-party platform used to develop apps for both iOS and Android?
PhoneGap
Unity
Xamarin
All of the above
Answer: All of the above

Which of the following is a security weakness of apps developed with Adobe PhoneGap?
Insecure Local Data Storage
Insecure Source Files
Remotely Loading JavaScript
All of the above
Answer: All of the above

Which of the following might you find when reviewing the file system of an iOS device?
A screenshot of each app you have used recently
History of websites you visited in Mobile Safari
GPS coordinates of locations you have searched
All of the above
Answer: All of the above

How does iOS ensure a secure boot process?
The kernel and OS software are installed in non-programmable memory during device manufacture
The boot loader verifies the private key provided by the mobile operator for the kernel
The kernel is encrypted and can only be opened on the verified device
Apple's public key is used to verify each piece of software that is loaded during the boot process
Answer: Apple's public key is used to verify each piece of software that is loaded during the boot process

Which of the following is a permission that is unique to Android devices and can be used by ransomware attacks to lock a device?
Device Admin Privilege
RECEIVE_WAP_PUSH
GET_ACCOUNTS
READ_SMS
Answer: Device Admin Privilege

Which of the following is a technical solution to deploy, configure and manage devices in an enterprise environment, and has multiple features depending on the service selected?
EMM
MDM
MAM
MITM
Answer: EMM

Which of the following is NOT a recommended policy for managing enterprise mobile devices?
Encourage users to search for a device on their own before requesting help from IT
Enforce policies that require biometric or strong passcodes to lock devices
Enforce device configurations that allow remote lock/wipe
Ensure data stored on the device is encrypted
Answer: Encourage users to search for a device on their own before requesting help from IT

Both iOS and Android require all apps to be signed with a CA certificate registered to the app store.
True
False
Answer: False

iOS devices will lock after ten failed passcode attempts and there are no known methods of cracking iOS passcodes.
True
False
Answer: False

What makes the Apple iPhone with iOS ideal for bring your own device (BYOD)?
Apple iOS is an open system.
It cannot be jailbroken.
Apple iOS doesn't have strong built-in security, which makes it more manageable.
It has one operating system and only one or two models of each version of the device.
Answer: It has one operating system and only one or two models of each version of the device.

How does Data Execution Prevention (DEP) help to secure against malware attacks on an iOS device?
It marks memory locations as either writable or executable but not both (W^X), preventing writing from buffer overflows
It randomizes the locations of system components, which makes it difficult for attackers to know exactly where to hook their code
It uses public keys to ensure all code is signed before executing
DEP is not used by iOS
Answer: It marks memory locations as either writable or executable but not both (W^X), preventing writing from buffer overflows

Which of the following is an advantage of static app testing?
It does not require reverse engineering code
It provides a level of assurance that analysis results are an accurate description of the program's behavior regardless of the input or execution environment
It uses a large number of test cases to measure how the program responds to all possible inputs
All of the above
Answer: It provides a level of assurance that analysis results are an accurate description of the program's behavior regardless of the input or execution environment

Which of the following is an advantage of static app testing?
It does not require reverse engineering code
It provides a level of assurance that analysis results are an accurate description of the program's behavior regardless of the input or execution environment
It uses a large number of test cases to measure how the program responds to all possible inputs
It allows execution of the program on an emulator
Answer: It provides a level of assurance that analysis results are an accurate description of the program's behavior regardless of the input or execution environment

A free Remote Access Trojan can be created and deployed with _______
PhoneGap
Android Studio
Metasploit
Apache Cordova
Answer: Metasploit

Which of the following best describes the Apple iOS permission model?
Most privileges are controlled by the Apple Store vetting process and users are not notified
Apple has a strict policy requiring user approval of all app privileges before it is installed
iOS devices are secure and do not allow privileges
iOS apps allow users to select which privileges they will allow
Answer: Most privileges are controlled by the Apple Store vetting process and users are not notified

Which of the following app types is delivered from the web, has offline access and uses JavaScript service workers to cache content?
Native app
Hybrid app
Web app
Progressive web app
Answer: Progressive web app

If you lose an enterprise mobile device, what should be your first response?
Attempt to look for the device yourself before you report it
Send the device a message asking anyone who finds it to contact you
Report the device as missing so it can be locked
Quit your job, you're in big trouble
Answer: Report the device as missing so it can be locked

App data stored locally on Android devices is typically stored in which format?
Dex
Hex
Java
SQLite
Answer: SQLite

When building PhoneGap apps, which of the following is the preferred method to prevent exposure of user data to attackers?
Server-side business logic
Client-side business logic
Local data storage
Using pure JavaScript
Answer: Server-side business logic

Which of the following best describes the legality of iPhone jailbreaking?
It is illegal to jailbreak an iPhone and the jailbreaker can be sued by Apple
Jailbreaking is only allowed for pen testers with registered enterprise accounts
The U.S. Copyright Office published an exemption permitting device jailbreaking in order to change carriers
It is a violation of the U.S. Digital Millennium Copyright Act
Answer: The U.S. Copyright Office published an exemption permitting device jailbreaking in order to change carriers

Which of the following best describes the Android secure boot process?
Each step of the process is checked against the Android public key
The boot ROM is vendor specific and the OEM is the trusted source
The Android kernel is verified by the Android public key, but apps are not
The Android boot process is not secured
Answer: The boot ROM is vendor specific and the OEM is the trusted source

Which of the following is considered the weakest link in protecting a mobile device against malware?
The Android operating system
The end user
The Wi-Fi network connection
Third-party app stores
Answer: The end user

Android unlock codes can be broken with a brute force attack using a USB device.
True
False
Answer: True

If you lose an iOS device, you can only find it if Find My [device] was turned on before the device was lost.
True
False
Answer: True

Which of the following is an advantage of dynamic app testing?
Useful information can be gained by observing an app's behavior even without knowing the purposes of individual functions
It allows a detailed analysis of machine code
It relies on byte code instead of machine code
It ensures all features of the code are tested
Answer: Useful information can be gained by observing an app's behavior even without knowing the purposes of individual functions

Which of the following is a cross-platform app development platform owned by Microsoft?
Cordova
PhoneGap
Unity
Xamarin
Answer: Xamarin

If you lose your Android device, which of the following is true?
It cannot be found unless location services were set up before it was lost
If location services are off, you can only make it play a sound
You can use location services to find the device and display a message, but you can't lock the device
You can use location services to find the device, and if necessary add a passcode to lock the device
Answer: You can use location services to find the device, and if necessary add a passcode to lock the device

When analyzing an APK, which of the following would indicate it was developed with the Xamarin platform?
all code is in JavaScript
all code is in binary format
a NOTICE file is at the top of the archive
all class names start with Xam
Answer: a NOTICE file is at the top of the archive

In an attempt to reduce OS fragmentation, recent versions of Android have implemented
address space layout randomization (ASLR)
a standard hardware layer that all vendors must use
a hardware abstraction layer that allows changes to the OS without changing hardware drivers
a supported hardware list that requires all vendors to use supported hardware and drivers
Answer: a hardware abstraction layer that allows changes to the OS without changing hardware drivers

Which of the following is an option for testing an Android app?
testing on a rooted phone
testing on an emulator in Android Studio
testing on an Android virtual machine
all of the above
Answer: all of the above

A Remote Access Trojan _____
requires physical possession of the device to install
can be delivered by an SMS phishing message
cannot be installed on an Apple device
is only available to governments and law enforcement
Answer: can be delivered by an SMS phishing message

Which of the following makes it impossible for cybercriminals to modify or tamper with released Apple iOS applications?
BitLocker encryption
digital certificate for approved products
application isolation
permission-based access control
Answer: digital certificate for approved products

Which of the following makes static analysis of iOS apps more difficult than static analysis of Android apps?
iOS is a fully secure operating system
iOS apps cannot be decrypted
iOS apps are required to use high levels of obfuscation
iOS apps reverse engineer to assembly code
Answer: iOS apps reverse engineer to assembly code

Which of the following describes the inter-process communication method used by iOS apps?
iOS apps use custom URL handlers to allow communication between apps
iOS apps use intentions to allow sharing of data between apps
iOS apps generally communicate directly using the Apple API
iOS apps are not allowed to share data with other apps
Answer: iOS apps use custom URL handlers to allow communication between apps

Which of the following best describes the difference in app signing between Android and iOS?
Both platforms require that apps are signed by keys registered with the app store
Both platforms allow developers to sign apps with unverified keys
iOS requires apps to be signed with registered developer keys, Android allows unverified developer keys
Android requires apps to be signed with registered developer keys, iOS allows unverified developer keys
Answer: iOS requires apps to be signed with registered developer keys, Android allows unverified developer keys

Which of the following would be a "white hat" testing use of a Remote Access Trojan?
remote wipe a user device to see how they react
provide persistent access to a device to gather data over time
use it to pivot to attack networks the device uses
use it as a test to see if the device user can detect it
Answer: provide persistent access to a device to gather data over time

Address space layout randomization (ASLR) ____
randomizes the locations of system components, making it difficult for attackers to know exactly where to hook their code
is used in Android, but not required by iOS
prevents execution of information written to a buffer
is a type of ransomware attack that prevents users from accessing their data
Answer: randomizes the locations of system components, making it difficult for attackers to know exactly where to hook their code

Which of the following is a good place to check in Android for credentials stored in an unencrypted format?
shared preferences folder
system/bin
data/apps
Manifest.xml
Answer: shared preferences folder