Page 1 of 53
eMAPT (eLEARN SECURITY MOBILE APPLICATION PENETRATION
TESTER) CERTIFICATION | ACTUAL EXAM WITH 100 QUESTIONS-
CORRECT VERIFIED AND DETAILED ANSWERS |ALREADY GRADED A+
|| LATEST UPDATE -JUST RELEASED
Cybersecurity /Mobile Security / Penetration Testing
Description: -
eMAPT certification domains covered: Mobile App Security Foundations
(OS models, sandboxing), Threat Modeling (PASTA, STRIDE, attack trees),
Reconnaissance and Static Analysis (APK/IPA structure, permissions),
Dynamic Testing (Frida, MITM, runtime hooks), API and Backend Testing
(JWT, IDOR), Reverse Engineering (jadx, Ghidra, Hopper), Malware
Analysis, and Reporting (CVSS, PoC)
Domain 1: Mobile Application Security Foundations (12 questions)
Question 1
Which mobile operating system architectural approach enforces process
isolation through the use of unique Linux UIDs for each application, and
what security mechanism relies on this design?
A) iOS’s XNU kernel uses mandatory access control (MAC) to isolate
apps.
B) Android uses a multi‑user Linux system where each app runs as a
distinct user, and the permission model is enforced by the kernel.
C) Both Android and iOS use a virtual machine sandbox for process
isolation.
D) Neither platform isolates apps at the OS level; they rely solely on code
signing.
, Page 2 of 53
Correct Answer: B
Rationale: Android assigns a unique Linux User ID (UID) to each
application. This user‑based sandboxing, combined with the permission
system enforced by the Linux kernel, isolates each application‘s
resources from others.
Question 2
During a black‑box penetration test of an Android application, you
observe that the app stores a session token in SharedPreferences with
the MODE_WORLD_READABLE flag. The application targets Android API
level 27. What is the primary security implication of this configuration?
A) The token is automatically encrypted and fully protected.
B) Any other application on the device can read the session token,
potentially allowing session hijacking.
C) The token is only accessible through the device’s USB debugging
interface.
D) The token cannot be extracted without rooting the device.
Correct Answer: B
Rationale: In Android versions prior to API level 24,
MODE_WORLD_READABLE allowed any other app to read the file. In API
level 24 and above, this constant is deprecated. The use of this flag
represents a classic insecure direct object reference (IDOR) vulnerability
that violates the principle of least privilege.
Question 3
, Page 3 of 53
A client asks you to explain the security difference between the Android
Application Sandbox and the iOS App Sandbox. What is a key
architectural distinction that affects how malware might spread?
A) Android apps run in a single shared sandbox, while iOS uses per‑app
containers.
B) iOS uses a mandatory access control (MAC) layer called the Apple
Mobile File Integrity (AMFI) and Seatbelt sandbox, whereas Android relies
on Linux‑based discretionary access control (DAC) per user.
C) Both platforms use the exact same sandbox implementation.
D) iOS only uses code signing for security, with no file system sandbox.
Correct Answer: B
Rationale: iOS implements a more restrictive mandatory access control
(MAC) sandbox (the Seatbelt profile) that is further hardened by AMFI.
Android’s sandbox is largely based on the Linux user‑based DAC model.
Question 4
A security analyst is reviewing AndroidManifest.xml and finds an activity
that is exported with no custom permission. What is the most likely
attack vector an adversary could use to exploit this?
A) The activity can be called by the system only when the device boots.
B) Any application that knows the activity’s name can launch or interact
with it, leading to potential activity hijacking or denial of service.
C) The activity is automatically protected by Android’s SELinux policies.
D) The activity cannot be accessed unless it is declared as a launcher
activity.
Correct Answer: B
, Page 4 of 53
Rationale: An exported component (activity, service, receiver, or
provider) can be invoked by other applications. If no custom permission
is enforced, any app can interact with it, exposing sensitive functionality.
Question 5
Which statement accurately describes the SecEnclave and Keychain on
iOS regarding the storage of cryptographic keys?
A) Keys are stored in plain text within the application bundle.
B) Keys stored in the hardware‑backed Secure Enclave never leave the
device and are managed by the Keychain, providing a high level of
protection.
C) Keys stored in Keychain are accessible to any application on the
device.
D) The iOS Keychain does not support asymmetric key pairs.
Correct Answer: B
Rationale: The iOS Keychain uses the Secure Enclave for hardware‑grade
security. Keys are never exposed outside the device and cryptographic
operations can be performed entirely within the Secure Enclave.
Question 6
Which of the following entries in the AndroidManifest.xml would allow an
attacker to launch the activity without permission, assuming the activity
code accepts externally supplied data?
A) <activity android:name=”.VulnerableActivity”
android:exported=”false” />
B) <activity android:name=”.VulnerableActivity” android:exported=”true”
/>
eMAPT (eLEARN SECURITY MOBILE APPLICATION PENETRATION
TESTER) CERTIFICATION | ACTUAL EXAM WITH 100 QUESTIONS-
CORRECT VERIFIED AND DETAILED ANSWERS |ALREADY GRADED A+
|| LATEST UPDATE -JUST RELEASED
Cybersecurity /Mobile Security / Penetration Testing
Description: -
eMAPT certification domains covered: Mobile App Security Foundations
(OS models, sandboxing), Threat Modeling (PASTA, STRIDE, attack trees),
Reconnaissance and Static Analysis (APK/IPA structure, permissions),
Dynamic Testing (Frida, MITM, runtime hooks), API and Backend Testing
(JWT, IDOR), Reverse Engineering (jadx, Ghidra, Hopper), Malware
Analysis, and Reporting (CVSS, PoC)
Domain 1: Mobile Application Security Foundations (12 questions)
Question 1
Which mobile operating system architectural approach enforces process
isolation through the use of unique Linux UIDs for each application, and
what security mechanism relies on this design?
A) iOS’s XNU kernel uses mandatory access control (MAC) to isolate
apps.
B) Android uses a multi‑user Linux system where each app runs as a
distinct user, and the permission model is enforced by the kernel.
C) Both Android and iOS use a virtual machine sandbox for process
isolation.
D) Neither platform isolates apps at the OS level; they rely solely on code
signing.
, Page 2 of 53
Correct Answer: B
Rationale: Android assigns a unique Linux User ID (UID) to each
application. This user‑based sandboxing, combined with the permission
system enforced by the Linux kernel, isolates each application‘s
resources from others.
Question 2
During a black‑box penetration test of an Android application, you
observe that the app stores a session token in SharedPreferences with
the MODE_WORLD_READABLE flag. The application targets Android API
level 27. What is the primary security implication of this configuration?
A) The token is automatically encrypted and fully protected.
B) Any other application on the device can read the session token,
potentially allowing session hijacking.
C) The token is only accessible through the device’s USB debugging
interface.
D) The token cannot be extracted without rooting the device.
Correct Answer: B
Rationale: In Android versions prior to API level 24,
MODE_WORLD_READABLE allowed any other app to read the file. In API
level 24 and above, this constant is deprecated. The use of this flag
represents a classic insecure direct object reference (IDOR) vulnerability
that violates the principle of least privilege.
Question 3
, Page 3 of 53
A client asks you to explain the security difference between the Android
Application Sandbox and the iOS App Sandbox. What is a key
architectural distinction that affects how malware might spread?
A) Android apps run in a single shared sandbox, while iOS uses per‑app
containers.
B) iOS uses a mandatory access control (MAC) layer called the Apple
Mobile File Integrity (AMFI) and Seatbelt sandbox, whereas Android relies
on Linux‑based discretionary access control (DAC) per user.
C) Both platforms use the exact same sandbox implementation.
D) iOS only uses code signing for security, with no file system sandbox.
Correct Answer: B
Rationale: iOS implements a more restrictive mandatory access control
(MAC) sandbox (the Seatbelt profile) that is further hardened by AMFI.
Android’s sandbox is largely based on the Linux user‑based DAC model.
Question 4
A security analyst is reviewing AndroidManifest.xml and finds an activity
that is exported with no custom permission. What is the most likely
attack vector an adversary could use to exploit this?
A) The activity can be called by the system only when the device boots.
B) Any application that knows the activity’s name can launch or interact
with it, leading to potential activity hijacking or denial of service.
C) The activity is automatically protected by Android’s SELinux policies.
D) The activity cannot be accessed unless it is declared as a launcher
activity.
Correct Answer: B
, Page 4 of 53
Rationale: An exported component (activity, service, receiver, or
provider) can be invoked by other applications. If no custom permission
is enforced, any app can interact with it, exposing sensitive functionality.
Question 5
Which statement accurately describes the SecEnclave and Keychain on
iOS regarding the storage of cryptographic keys?
A) Keys are stored in plain text within the application bundle.
B) Keys stored in the hardware‑backed Secure Enclave never leave the
device and are managed by the Keychain, providing a high level of
protection.
C) Keys stored in Keychain are accessible to any application on the
device.
D) The iOS Keychain does not support asymmetric key pairs.
Correct Answer: B
Rationale: The iOS Keychain uses the Secure Enclave for hardware‑grade
security. Keys are never exposed outside the device and cryptographic
operations can be performed entirely within the Secure Enclave.
Question 6
Which of the following entries in the AndroidManifest.xml would allow an
attacker to launch the activity without permission, assuming the activity
code accepts externally supplied data?
A) <activity android:name=”.VulnerableActivity”
android:exported=”false” />
B) <activity android:name=”.VulnerableActivity” android:exported=”true”
/>
