Career Development

Mobile Security, anti-tampering & Cryptography: 15 Core Questions

By Principal Security Architect
June 27, 2026

Securing a mobile application means protecting secrets at rest (hardware-backed keystores, encrypted databases), validating that the device and the app binary are what they claim to be, hardening the network layer against interception, and raising the cost of runtime instrumentation and reverse engineering. This guide reviews 15 advanced security and anti-tampering questions.


Q1. Compare Android KeyStore and iOS Keychain. How does hardware-backed security protect keys?

Answer:

Both are OS-provided stores for keys and credentials, and both can bind keys to dedicated hardware. On iOS the **Secure Enclave** is a separate coprocessor: keys created with `kSecAttrTokenIDSecureEnclave` are generated inside it and can never be exported, and the Keychain database itself is stored in flash encrypted under keys the Secure Enclave derives from the device UID (and, for the passcode-protected classes, the user passcode). On Android the AndroidKeyStore backs keys with a **Trusted Execution Environment (TEE)** such as TrustZone or, on devices that support it, **StrongBox**, a discrete secure element with its own CPU and storage. In both designs the private key material never enters application memory: the app hands a payload to the OS, which asks the hardware to sign, decrypt or derive on its behalf and returns only the result, so a memory dump or a debugger attached to the process cannot recover the key. Two caveats matter in practice. Hardware backing is a property of the key, not of the store, so check it (`KeyInfo.getSecurityLevel()` or the older `isInsideSecureHardware()` on Android, the token ID attribute on iOS) rather than assume it. And a hardware-backed key protects the key, not the data: on a compromised device an attacker can still ask the key to decrypt whatever the app can decrypt while it runs.

 

Q2. Explain App Sandboxing on iOS and Android.

Answer:

The two platforms isolate apps in different ways. Android assigns each installed app its own Linux user ID (apps from the same signer can opt into a shared one), so ordinary file permissions on `/data/data/<package>` stop one app from opening another app's databases, shared preferences or cache, and SELinux policy further restricts what even a same-UID process may touch. iOS does not use per-app UIDs: every third-party app runs as the `mobile` user, and isolation comes from the kernel sandbox (Seatbelt profiles) that confines each app to its own container directory, plus code-signing entitlements for anything beyond it. In both cases no app can read or modify another app's files by default, and the escape hatches are explicit: exported components and `ContentProvider`s with granted URI permissions on Android, App Groups and shared Keychain access groups on iOS. The sandbox does not protect data from the device owner or from a rooted/jailbroken device, which is why sensitive data still needs encryption and hardware-backed keys, and why `android:allowBackup` should be disabled if a backup would expose it.

 

Q3. What is SSL Pinning vs. Public Key Pinning? How do they prevent MitM attacks?

Answer:

Both are ways of refusing TLS connections whose certificate chain the OS would otherwise accept. By default the OS trusts every root CA in its system store, and on Android below 7.0 (or when the app opts in) user-installed roots as well, so an attacker who gets a root certificate onto the device, or who controls a misissued CA certificate, can terminate TLS in the middle and read the traffic. **Certificate pinning** stores the SHA-256 hash of the exact leaf (or intermediate) certificate the server presents and rejects the handshake on any mismatch; it is simple but breaks the app every time the certificate is renewed unless the new hash was shipped in advance. **Public key pinning** hashes only the SubjectPublicKeyInfo (the public key plus its algorithm identifier), so it survives renewals that keep the same key pair; this is the form used by Android's `<pin-set>` in `network_security_config.xml` and by OkHttp's `CertificatePinner` (`sha256/<base64>`). Always ship at least one backup pin for a key you hold offline, and set an expiry so a forgotten pin does not brick the app. Pinning stops a network-positioned attacker; it does not stop one who controls the device, since the pinning check itself can be hooked out with Frida or objection, which is why it is paired with runtime integrity checks rather than relied on alone.

 

Q4. How do you secure database data using SQLCipher?

Answer:

An unencrypted SQLite database is an ordinary file under the app's data directory: anyone with a rooted or jailbroken device, a backup, or a forensic image can open it with the `sqlite3` CLI and read every row. **SQLCipher** is a drop-in SQLite build that encrypts the database page by page with AES-256 (CBC mode with a per-page IV, plus an HMAC over each page for tamper detection in the default configuration) and decrypts pages transparently as they are read. The security of the scheme reduces to the key, so do not derive it from a passphrase hard-coded in the binary. Generate a random 256-bit key at first launch, store it in the Keychain or wrap it with an AndroidKeyStore key, and hand it to SQLCipher as a raw key (`PRAGMA key = "x'...'"`) so no PBKDF2 stretching of a weak passphrase is involved. Note that OS file encryption (iOS Data Protection, Android file-based encryption) only protects data while the device is locked; SQLCipher protects it from the tools and apps that run while it is unlocked.

 

Q5. How do ProGuard/R8 (Android) and symbol stripping (iOS) improve security?

Answer:

They obfuscate the compiled binary, but only partially:

  • R8 (which replaced ProGuard in the Android toolchain) shrinks and optimizes the app; renaming classes, fields and methods to short identifiers such as `a` and `b` is a side effect of that minification. Strings, API calls and control flow are untouched, so decompiled code is harder to read but not hidden; string encryption and control-flow flattening need a dedicated obfuscator.
  • On iOS, `strip` removes the symbol table and debug information from the Mach-O binary, but Objective-C class and selector names remain in the runtime metadata (class-dump still recovers them) and Swift names are mangled rather than removed.

Obfuscation raises the effort of static analysis; it is not a security boundary, and anything the app can compute at runtime (keys, pinning hashes) can still be recovered dynamically. Keep the R8 `mapping.txt` and the dSYM bundle out of the shipped artifact and in your crash-reporting pipeline so production stack traces stay readable.

 

Q6. What heuristics does an app use to check for Root or Jailbreak?

Answer:

Root/Jailbreak detection heuristics include:

  • Checking for artifacts left by rooting or jailbreaking tools: `su` binaries (`/system/bin/su`, `/system/xbin/su`, `/sbin/su`), Magisk and Superuser packages, and on iOS `/Applications/Cydia.app`, `/Applications/Sileo.app` or `/Library/MobileSubstrate/MobileSubstrate.dylib`.
  • Probing permissions that a stock device denies: attempting to write into `/system` or `/private`, or calling `fork()` on iOS, which the sandbox normally refuses.
  • Reading build properties: `ro.build.tags` equal to `test-keys` indicates a ROM signed with the AOSP test keys rather than an OEM release key; an unlocked `ro.boot.verifiedbootstate` points the same way.
  • Looking for the tools themselves: trying to execute `su`, checking for Xposed or Riru modules, or opening a `cydia://` URL.

No single check is reliable, and every one of them can be hidden (Magisk DenyList) or hooked out. Run them in native code rather than Java/Kotlin, combine several signals, and treat the server-side verdict from Play Integrity or App Attest as the authoritative one.

 

Q7. How do you implement Biometric Authentication securely?

Answer:

Do not gate on a boolean from the biometric prompt (`if (authenticated)`): a hook placed with Frida or a patched binary flips that branch without ever touching the sensor. Instead make the protected operation cryptographically depend on authentication. On Android, create the key with `KeyGenParameterSpec.Builder(...).setUserAuthenticationRequired(true)` (and `setInvalidatedByBiometricEnrollment(true)` so a newly enrolled fingerprint cannot use it), initialise a `Cipher` with it, and pass the cipher to `BiometricPrompt.authenticate(...)` wrapped in a `CryptoObject`; the key is only usable after `BIOMETRIC_STRONG` authentication succeeds inside the secure hardware. On iOS, store the item with a `SecAccessControl` created with `.biometryCurrentSet` (plus `.privateKeyUsage` for a Secure Enclave key), so the Keychain refuses to release it until Face ID or Touch ID succeeds. Use that key to decrypt the API session token or to sign a server challenge; if the biometric check is bypassed, the attacker simply holds ciphertext he cannot open.

 

Q8. What is Frida? How do apps implement anti-debugging checks?

Answer:

Frida is a dynamic instrumentation toolkit: it injects an agent into the target process (through `frida-server` on a rooted device, or as `frida-gadget` repackaged into the app) and lets the attacker run JavaScript that hooks, replaces or traces functions at runtime, which is how pinning, root checks and licence checks are typically defeated. Anti-debugging and anti-instrumentation checks look for the side effects of that injection:

  • `ptrace`: a process can have only one tracer, so calling `ptrace(PTRACE_TRACEME)` from a native thread early on (or `ptrace(PT_DENY_ATTACH)` on iOS) blocks later attachment, and a non-zero `TracerPid` in `/proc/self/status` reveals a debugger that is already attached.
  • Memory maps and threads: scanning `/proc/self/maps` for mapped libraries named `frida-agent`, `frida-gadget` or `substrate`, and looking in `/proc/self/task/*/comm` for the agent's threads (`gmain`, `gum-js-loop`).
  • Network: the stock `frida-server` listens on TCP 27042, although the port is trivially changed.
  • Integrity of the checks themselves: checksumming the code pages of critical native functions, or the app's own DEX/Mach-O on disk, so a hooked prologue or a repackaged binary is noticed.

Implement these in native code, spread them through the app rather than in one `isDebugged()` function, and make the response degrade quietly (refuse to decrypt a key, report to the server) rather than crash, which only tells the attacker where the check lives.

 

Q9. Compare iOS App Attest and Android Play Integrity APIs.

Answer:

Both let your backend verify that a request comes from a genuine build of your app running on a device the platform considers healthy, and in both the verification happens on the server; the client only obtains a token and forwards it. With iOS App Attest (`DCAppAttestService`) the app generates a key in the Secure Enclave, Apple returns an attestation object certifying that the key belongs to your app on a genuine device, and later requests carry an assertion signed with that key over a server-issued challenge; your server validates the attestation chain against Apple's App Attest root and checks the challenge hash and the signature counter. With Play Integrity the app requests a token from Google Play services with a server nonce; the backend decrypts and verifies the token (through Google's API or locally with Google-supplied keys) and reads the verdicts: `appIntegrity` (package name and signing certificate match your Play listing), `deviceIntegrity` (`MEETS_DEVICE_INTEGRITY`, or `MEETS_STRONG_INTEGRITY` when hardware-backed key attestation is available) and `accountDetails`. In both systems bind every request to a fresh server nonce, never evaluate the verdict on the client, and treat a missing or failed attestation as a reason to degrade rather than as proof of attack, since older devices and some regions fail honestly.

 

Q10. How do you protect network traffic against Man-in-the-Middle (MitM) sniffing?

Answer:

Make interception fail at three layers. First, do not trust user-installed CAs: Android apps targeting API 24+ already ignore them, and you can state the trust anchors explicitly in `network_security_config.xml` (`<trust-anchors><certificates src="system"/></trust-anchors>`, never `src="user"` in a release build, with `cleartextTrafficPermitted="false"`); on iOS leave App Transport Security enabled and do not add `NSAllowsArbitraryLoads` exceptions. Second, require a minimum of TLS 1.2 and prefer 1.3, with forward-secret cipher suites only, so a captured session cannot be decrypted later with a stolen server key. Third, pin the server's public key (SPKI hash) with a backup pin and an expiry, through the `<pin-set>` element of the same config file, OkHttp's `CertificatePinner`, or `urlSession(_:didReceive:completionHandler:)` in a `URLSessionDelegate` on iOS, so even a CA-issued rogue certificate is rejected. The most common way this goes wrong is a hand-rolled `TrustManager` or `ServerTrustEvaluating` that accepts every chain to "make pinning work"; it silently disables validation altogether.

 

Q11. How do HMAC request signatures prevent API tampering?

Answer:

The client builds a canonical string from the request (method, path, a timestamp, a random nonce and the SHA-256 of the body), computes HMAC-SHA256 over it with a key shared with the server, and sends the timestamp, nonce and signature in headers. The server recomputes the HMAC from the request it actually received and compares in constant time, so any change to the body or path invalidates the signature. Tampering is prevented by the MAC; replay is prevented only by the freshness checks, so reject timestamps outside a short window and remember nonces for the length of that window. The key is the weak point: a secret baked into the APK or IPA is extractable by anyone who unpacks the binary, so use a per-session or per-device key issued at login (or derived from an attested key), and treat a static client secret as an obstacle to casual tampering rather than as authentication.
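The scheme above as an added example in Python (not code from the original page): the client signs method, path, timestamp, nonce and body hash with HMAC-SHA256, and the server checks the signature with a constant-time compare, a five-minute freshness window and a nonce cache. The header names, the canonical layout and the window size are assumptions; the `now` parameter exists so the clock can be fixed in tests.

```python
"""HMAC-SHA256 request signing with a freshness window and nonce replay cache.

Added example, not code from the page. Header names, canonical string layout
and the 5-minute window are assumptions. The key is meant to be a per-session
secret the client received at login, never a constant baked into the binary.
"""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Everything the server must see unchanged, joined with newlines."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 timestamp: int = None, nonce: str = None) -> dict:
    """Client side: return the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(key, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: one instance per shared key (or per session)."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now
        self._seen = {}  # nonce -> time after which it may be forgotten

    def _evict(self) -> None:
        cutoff = self.now()
        for nonce in [n for n, exp in self._seen.items() if exp < cutoff]:
            del self._seen[nonce]

    def verify(self, method: str, path: str, body: bytes, headers: dict) -> tuple:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(self.now() - ts) > WINDOW_SECONDS:
            return False, "stale timestamp"
        expected = hmac.new(self.key, canonical_string(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Only an authenticated request may occupy the replay cache.
        self._evict()
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = ts + WINDOW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # issued to the client at login (assumed)
    body = b'{"amount": 10, "to": "acct-42"}'
    headers = sign_request(key, "POST", "/v1/transfer", body)
    server = Verifier(key)
    print(server.verify("POST", "/v1/transfer", body, headers))                 # (True, 'ok')
    print(server.verify("POST", "/v1/transfer", body, headers))                 # replayed nonce
    print(server.verify("POST", "/v1/transfer", b'{"amount": 9999}', headers))  # bad signature
```

The signature is checked before the nonce is recorded, so an unauthenticated request cannot fill the replay cache, and the cache only needs to hold nonces for the length of the window because anything older is already rejected by the timestamp check.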

 

Q12. What is Sensitive Log Leakage? How do you prevent it?

Answer:

Anything written to Android Logcat or the iOS unified log can be read by whoever holds the right privilege (`adb logcat` on a device with USB debugging enabled, the Console app or `log collect` on iOS) and ends up in bug reports and crash dumps, so tokens, personal data or card numbers in log lines are an exposure. Prevent it at build time and at runtime: strip logging from release builds (R8 `-assumenosideeffects` rules for `android.util.Log`, `#if DEBUG` guards or `os_log` with `%{private}` arguments on iOS, which are redacted unless the device is configured to show them), and route every remaining log call through a wrapper that redacts known secret shapes before the string reaches the platform logger. Apply the same rule to third-party SDKs and crash reporters, which log request bodies unless told otherwise.
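One shape such a wrapper can take, as an added example that is not from the original page, written in Python so it runs anywhere (the same `redact()` logic would sit in a Kotlin or Swift wrapper in front of `Log` or `os_log`): a `logging.Filter` that redacts bearer tokens, Luhn-valid card numbers and `key=value` secrets before the record reaches any handler. The patterns are assumptions to extend for your app.

```python
"""A logging.Filter that redacts secrets before a record reaches any handler.

Added example, not code from the page. The three patterns (bearer tokens,
card numbers validated with Luhn, key=value secrets) are assumptions to
extend for your app.
"""
import logging
import re

BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[a-z0-9\-._~+/]+=*")
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|pin|token|secret|api[_-]?key)\s*[=:]\s*\S+")
# 13 to 19 digits, optionally separated by spaces or dashes (PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep timestamps and IDs out of the PAN redaction."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _pan_repl(m) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return "[PAN]" if luhn_ok(digits) else m.group(0)


def redact(text: str) -> str:
    """Apply every redaction; order matters only in that bearer runs first."""
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    text = PAN_RE.sub(_pan_repl, text)
    text = SECRET_KV_RE.sub(r"\1=[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Fold %-args into the message first so a secret passed as an argument
    is caught too, then overwrite the record in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def safe_logger(name: str = "app") -> logging.Logger:
    """Logger whose every record passes through the filter before any handler."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


def filtered_message(msg: str, *args) -> str:
    """Build a record the way logging would, run the filter, return the text."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 1, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = safe_logger()
    log.info("POST /login password=%s card=4111 1111 1111 1111", "hunter2")
    # prints: INFO POST /login password=[REDACTED] card=[PAN]
```

The Luhn check is what keeps the card-number pattern usable: without it every 13-digit epoch timestamp or order number in a log line would be blanked out, and the team would turn the filter off.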

 

Q13. How do you prevent screen captures and overlay leaks in banking apps?

Answer:

On Android, set `WindowManager.LayoutParams.FLAG_SECURE` on the window of every Activity that shows sensitive data: the system then blocks screenshots and screen recording for that window and renders it black in the recents screen and on non-secure displays such as screen mirroring. Overlays (tapjacking) are the other leak: a malicious app draws a transparent view over your button, so set `android:filterTouchesWhenObscured="true"` on sensitive views so touches that pass through another window are dropped. On iOS there is no API to forbid screenshots; instead handle `sceneWillResignActive(_:)` (or `applicationWillResignActive(_:)`) to cover the UI with an opaque or blurred view before the system takes the app-switcher snapshot and remove it again in `sceneDidBecomeActive(_:)`, observe `UIScreen.isCaptured` and `UIScreen.capturedDidChangeNotification` to hide content while the screen is being recorded or mirrored, and use `UIApplication.userDidTakeScreenshotNotification` only for after-the-fact telemetry, since it fires once the screenshot has already been taken.

 

Q14. Why do secure apps implement custom secure in-app keyboards?

Answer:

System and third-party keyboards run as separate processes: they see every key press, may keep it for autocorrect and personal dictionaries, and a malicious keyboard can send it off the device. A custom in-app keyboard draws its own keys on a view and delivers characters directly to the field, so no input-method process ever sees the PIN or password. The platform already covers the common case: on iOS `isSecureTextEntry` disables third-party keyboards, predictive text and dictation for that field, and on Android the `textPassword` input types combined with `textNoSuggestions` prevent dictionary learning. Custom keyboards are therefore reserved for the highest-value fields (PIN pads, transaction confirmation), often with randomised key layouts to defeat touch-position inference; they cost accessibility (screen readers, switch control) and must still be paired with `FLAG_SECURE` and overlay protection, because a keyboard does nothing against a screen capture.

 

Q15. How do you secure Inter-Process Communication (IPC) from hijacking?

Answer:

  • Android: set `android:exported="false"` on every Activity, Service, BroadcastReceiver and ContentProvider that only the app itself uses (declaring it is mandatory since API 31), and guard the ones that must be reachable with a custom permission of `protectionLevel="signature"` so only apps signed with your key can call them. Send explicit intents (or call `setPackage()`) instead of implicit broadcasts so another app cannot register to receive them, and validate every extra you receive as untrusted input.
  • iOS: prefer Universal Links over custom URL schemes. Any app can register the same `myapp://` scheme and the system picks one of the claimants, so a look-alike app can receive your OAuth callback or payment deep link; Universal Links are bound to your domain through the `apple-app-site-association` file, which Apple verifies against the app's associated-domains entitlement. Where a scheme is unavoidable, inspect the `sourceApplication` option in `application(_:open:options:)` and validate every parameter before acting on it.
