Specialized and Fragile Systems Flashcards

1
Q

What is the process of installing applications that are unapproved for the device or that came from a source that is unapproved?

A

Sideloading

2
Q

What is the process of exploiting a software vulnerability in a mobile OS to gain low-level code execution with elevated privileges and bypass the OS's security mechanisms?

A

Jailbreaking

3
Q

What are the four classifications of a jailbroken device?

A
  1. Untethered - can be powered on and off without the help of a computer
  2. Tethered - a computer and software are required to boot the jailbroken device each time
  3. Semi-tethered - if the device is rebooted, you will need to jailbreak the device again to patch the kernel using a computer
  4. Semi-untethered - Same as semi-tethered but can be accomplished using the jailbreak app that is already installed on the device
4
Q

What is the difference between an emulator and a simulator for mobile devices?

A

An emulator will mimic the hardware and operating system for the application being tested, but a simulator will only mimic the software environment

5
Q

What is a tool Apple provides to allow researchers to test iOS without having to defeat Apple’s protection mechanisms?

A

Apple Security Research Device (Apple SRD)

6
Q

What kind of devices are mobile devices typically built on?

A

System on Chip (SoC), which is an integrated circuit that connects together the common components that make up a mobile device

7
Q

Which hardware interface is used for debugging and connecting to embedded devices on a circuit board?

A

JTAG - Joint Test Action Group

8
Q

Through what feature does Apple mark memory locations as non-executable on its devices?

A

Execute Never (XN)

9
Q

For iOS, how do third-party applications gain access to user information and extensions or other features?

A

Through dedicated entitlements, which are key-value pairs that allow authentication for applications outside of normal runtime parameters.

10
Q

On which layer of a mobile Android device do users interact?

A

Application layer

11
Q

What are the primary components of an Android application?

A
  1. Activities - parts of the application the user can see
  2. Fragments - A behavior that is placed in an activity
  3. Intents - Used for sending messages between other components
  4. Broadcast receivers - Allow an application to receive notifications from other apps
  5. Content providers - A SQLite database to store data in the form of a flat file
  6. Services - Used to start intents, send notifications, and process data
12
Q

Which layer of the Android operating system interacts with built-in hardware components on the device?

A

HAL - Hardware Abstraction Layer

13
Q

Which standard describes the common areas of concern to be evaluated during mobile pentests?

A

The OWASP Mobile App Security Checklist

14
Q

What is the difference between hybrid and progressive web apps?

A

Hybrid apps are a combination of web and native applications. They use a web-to-native abstraction layer to use both web and native features. Progressive web apps load like web pages, but allow offline use and can access limited device functions depending on the platform.

15
Q

How does Apple ensure only approved applications are run in iOS?

A

Using code signing via certificate validation

16
Q

What GUI tool is used to install IPA files to an iDevice?

A

Cydia Impactor

17
Q

What is the app store for “jailbroken” iDevices?

A

Cydia Package Manager

18
Q

What is a modular framework designed for assessing the security of mobile apps on iOS, Android, Windows, Linux, macOS, and QNX?

A

Frida

19
Q

What are the three modes of Frida testing?

A

Injected, embedded, and preloaded

20
Q

What tool can you use to bypass SSL pinning, which is how applications sometimes communicate to external server back-ends?

A

Objection

21
Q

What is an all-in-one automated pentesting framework for mobile applications for Android, iOS, and Windows platforms?

A

MobSF (Mobile Security Framework)

22
Q

When you have physical access to an Android device, what is the most reliable way to connect to it?

A

The Android Debug Bridge (ADB).

23
Q

What is a reverse-engineering framework for disassembling and rebuilding Android applications?

A

APK Studio

24
Q

If you receive an “Unsupported major.minor version…” error in the APK Studio console window when opening an APK, what is the likely reason?

A

You are running an older version of the JRE; try installing a newer version of the Java SDK

25
Q

What is a security auditing framework for Android that can help pentesters identify vulnerabilities and validate them with exploitation?

A

Drozer

26
Q

What is a free tool for building and interacting with APIs?

A

Postman

27
Q

What is a free tool that can be used as an interception proxy and can work independently or with Burp Suite to enumerate and attack API endpoints?

A

Postman

28
Q

Which part of a virtual machine handles hardware virtualization and resource management for each guest it hosts?

A

Hypervisor

29
Q

What are commercial systems that are considered high-value targets because their embedded controller systems have direct control over the hardware of their host systems?

A

Intelligent Platform Management Interface (IPMI)

30
Q

What kind of systems relate to industrial automation of all types, including manufacturing, power generation, and water treatment and distribution systems?

A

Industrial Control Systems (ICS)

31
Q

Which component of an ICS pulls data and coordinates its transfer to a centralized location so that the system can be controlled?

A

Supervisory control and data acquisition (SCADA)

32
Q

What are the common components of a SCADA system?

A
  1. Supervisory workstation
  2. Remote terminal unit
  3. Programmable logic controller
  4. Communication infrastructure
  5. Human-machine interface
33
Q

What is an Nmap NSE script that enumerates SCADA modules and collects the available device and vendor information?

A

modbus-discover, and it operates on port 502

34
Q

What kinds of systems are made up of a combination of computer hardware and software designed and programmed for a specific purpose?

A

Embedded systems

35
Q

What are the three kinds of Real-Time Operating Systems (RTOS)?

A

Hard, firm, and soft

36
Q

What is the name of the user interface framework that enables developers to build software applications on the iOS platform?

A

Cocoa Touch

37
Q

What is an advantage of developing a mobile application in Swift versus Objective-C?

A

Swift is a modern-day language that closely resembles English

38
Q

Apple uses code signing to ensure only approved applications are installed on the iDevice. This is one of the core security features of iOS. Which method can you use on a supported iDevice to gain privileged-level access?

A

Jailbreaking

39
Q

The Android platform provides core components that are used to enhance the user’s experience with the product. Which type of component is sometimes visible to the user and helps provide a cohesive user experience in mobile applications?

A

Activities

40
Q

Older versions of the Android operating system (5.0 and earlier) do not use Android Runtime (ART); they use Dalvik Virtual Machine. Smali files, written in a type of assembly, are created during what process?

A

Disassembling DEX executables.

41
Q

An IEEE standard used to address the issue of debugging and connecting to embedded systems on a circuit board is called what?

A

JTAG

42
Q

SSH and iProxy are two ways of connecting to jailbroken iDevices. If the iDevice fails and you have to re-establish connectivity, what is the easiest way to ensure there are no iProxy processes still running on your macOS laptop?

A

killall iproxy

43
Q

After installing a customer’s mobile application from the Google Play Store to your jailbroken iPhone, your next step is to dump the application bundle into an IPA using Clutch so you can use it to conduct static analysis. By default, where does Clutch store IPA files after processing?

A

/var/tmp/clutch

44
Q

Property list (plist) files contain configuration data about an app installed on iOS. By default, Apple best security practices implement a security feature called App Transport Security (ATS) to improve data privacy and integrity. However, there is a way to bypass this within the application settings in the plist files. What is the name of the key used to control the behavior of HTTP connections?

A

NSAppTransportSecurity

45
Q

What are two methods you can use to install third-party applications on a jailbroken iDevice?

A

Cydia and the Cydia Impactor tool

46
Q

What is the correct command option to use with the Android Debug Bridge (ADB) that enables you to download files from the Android device?

A

pull

47
Q

Using Drozer to conduct an Android assessment of two separate applications that share the same vendor, you can execute the command run app.package.list to list the permissions of the application. You observe in the report that the applications are permitted to read and write files on external storage. Which component of the application would you want to test for injection flaws?

A

Content provider. Content providers could provide an injection point from within the application. Some mobile applications share the same external storage locations. Thus, if an injection point could be exploited, it could enable a malicious user to read content outside of the sandbox environment of the application.