Assess your understanding of key mobile app security architecture concepts, focusing on secure authentication and robust authorization techniques. This quiz covers best practices, common vulnerabilities, and core principles to help ensure safe access control in mobile applications.
Which of the following is the most secure method for user authentication in a mobile app, when used correctly?
Explanation: Multi-factor authentication increases security by requiring more than one verification method, so a stolen password alone is not enough to log in. A simple numeric PIN can be guessed or shoulder-surfed. Default passwords are insecure because they are published and widely known. A username alone does not prove identity and provides no real authentication.
Where should sensitive access tokens ideally be stored in a mobile app for maximum security?
Explanation: Storing sensitive tokens in the device's secure system keychain or keystore (the iOS Keychain or the Android Keystore) or in a dedicated secure storage area limits their exposure to attackers. Keeping tokens in the app code or in plain-text files makes them easy to retrieve once the app is reverse engineered or the device is backed up. The clipboard is not designed for secure storage and can be read by other apps.
Which authorization technique allows different users to access only certain features based on their assigned roles?
Explanation: Role-based access control (RBAC) ensures users have access only to features relevant to their roles, improving security and usability. Single sign-on deals with authentication across multiple systems, not user permissions. Password rotation is about changing credentials, not controlling feature access. Biometric authentication proves identity, but does not address access levels.
Why is it important to implement session expirations in mobile apps after a period of inactivity?
Explanation: Session expiration after inactivity helps reduce the risk of unauthorized access when a device is lost or unattended. Increasing app speed or saving battery life is not directly achieved by session expiry. Displaying more notifications is unrelated; the key objective is controlling authentication duration.
What is a recommended way to store user passwords securely on the server side?
Explanation: Storing passwords as salted hashes protects them from disclosure even if the database is compromised. The hash should be a deliberately slow password-hashing function such as bcrypt, scrypt or Argon2, with a unique random salt per user; a fast general-purpose hash like MD5 or SHA-1 is too cheap to brute-force. Plain-text storage is risky because anyone who can read the database sees every credential. Base64 encoding is not a secure method; it is trivially reversible. Weak or reversible encryption does little to deter attackers, since whoever takes the database usually takes the key with it.
If a mobile app lets any user access admin-only screens by modifying URLs, what security flaw is this an example of?
Explanation: Letting ordinary users reach admin-only screens because the server does not check who is asking is broken authorization, listed by OWASP as broken access control and one of the most common application vulnerabilities. Hiding the admin link in the app is not a control; the backend must verify the caller's role on every request. Strong authentication prevents unauthorized logins but does not address improper access to resources after login. Efficient networking and token refreshing have no relevance to this flaw.
Why should developers avoid hardcoding API keys or passwords directly into the mobile app’s source code?
Explanation: Hardcoded credentials are trivially recoverable by anyone who decompiles the app or simply runs a strings search over the binary, and every installed copy then shares the same secret. This has nothing to do with app aesthetics, download speed or battery performance; protecting the secret is the only concern.
What does the principle of least privilege mean in the context of mobile app authorization?
Explanation: The principle of least privilege restricts users’ actions to only what they need, minimizing security risks. Allowing users to do anything they want may lead to security breaches. Sharing permissions or requesting all permissions by default increases attack surfaces and goes against best practices.
When transmitting authentication data from a mobile app to a backend, which protocol ensures data is securely encrypted in transit?
Explanation: HTTPS (HTTP over TLS) encrypts the connection, protecting authentication data from interception in transit, provided the app validates the server's certificate rather than accepting any certificate. Plain HTTP sends data in clear text, leaving it open to interception and tampering. FTP and SMTP are used for file transfer and email respectively and do not encrypt by default.
Where should authorization checks always be enforced to prevent bypass in a mobile app architecture?
Explanation: Enforcing authorization checks on the backend means they cannot be bypassed by tampering with the app, since the attacker controls the device and can modify or replace the client entirely. Interface-level checks can be disabled or skipped by anyone who proxies the traffic. Device log files are not a place to enforce anything, and training users cannot replace technical safeguards.
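As an added example (not part of the original quiz), a minimal backend request handler in Python that ties together the points from the session-expiration, role-based access control, broken-authorization and backend-enforcement questions above. The session store, route table, idle timeout and status codes are assumptions chosen for this example. Whatever the client displays or whatever URL it sends, the server looks up the session, drops it if it has been idle too long, and then checks the session's role against the route before doing any work.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value for this example

# Assumed route table: which roles may call which backend route.
# The admin route exists whether or not the mobile UI shows a link to it.
ROUTE_PERMISSIONS = {
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
}


@dataclass
class Session:
    user_id: str
    role: str        # assigned server-side at login, never taken from the client
    last_seen: float


class SessionStore:
    """In-memory session store; a real deployment would use a shared store."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, role: str, now: float) -> str:
        session_id = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[session_id] = Session(user_id, role, now)
        return session_id

    def get_active(self, session_id: str, now: float):
        """Return the live session, or None if unknown or idle past the timeout."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # expire server-side, not just in the app
            return None
        session.last_seen = now  # sliding idle window
        return session


def handle_request(store: SessionStore, session_id: str, route: str, now=None):
    """Backend entry point: authenticate, then authorize, then serve."""
    now = time.time() if now is None else now
    session = store.get_active(session_id, now)
    if session is None:
        return 401, "authentication required"
    allowed_roles = ROUTE_PERMISSIONS.get(route)
    if allowed_roles is None:
        return 404, "not found"
    if session.role not in allowed_roles:
        return 403, "forbidden"  # the URL-editing scenario ends here
    return 200, f"{route} for {session.user_id}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "user", time.time())
    print(handle_request(store, sid, "/profile"))      # (200, '/profile for alice')
    print(handle_request(store, sid, "/admin/users"))  # (403, 'forbidden')
```

The role comes from the server's own session record, so a client that edits the URL, or sends a role claim of its own, gains nothing. A sliding idle timeout alone lets a stolen session be kept alive indefinitely by periodic requests, so an absolute maximum session lifetime is usually added alongside it.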