App Integrity & Injection Quiz

SECURITY › Security

Where must a Play Integrity token be decrypted and verified to provide real security?

Answer: On your trusted backend server, via Google Play's verification

The token is encrypted and must be verified server-side; a tampered or rooted client could forge or bypass any in-app check, so only your backend can enforce the verdict.

Which device integrity verdict indicates the strongest assurance, including hardware-backed proof and recent security updates?

Answer: MEETS_STRONG_INTEGRITY

MEETS_STRONG_INTEGRITY adds hardware-backed security and up-to-date patches on top of device integrity, while BASIC is the weakest and VIRTUAL denotes a Play-backed emulator.

Which query is safe from SQL injection?

Answer: db.rawQuery("SELECT * FROM users WHERE email = ?", arrayOf(email))

Only the parameterised form binds the value separately as data through a ? placeholder; the others concatenate untrusted input directly into SQL and are injectable.

How does Room help prevent SQL injection?

Answer: It binds @Query parameters and checks SQL at compile time

Room binds parameters like :email as bound arguments instead of string concatenation and validates queries at compile time; it does not sanitize by stripping characters or encrypt by default.

Which statement best describes root/tamper detection on Android?

Answer: It raises attacker cost, though a controlled device can still bypass it

Because the attacker controls the device, any on-device check can be patched or spoofed; detection raises cost but cannot guarantee safety and never replaces server-side trust.

What is the correct characterisation of code obfuscation (e.g. R8) as a security measure?

Answer: Defence-in-depth that slows reverse engineering but isn't security alone

Obfuscation renames and shrinks code to raise reverse-engineering cost, but it does not encrypt logic or safely hide secrets; embedded keys remain extractable, so it is one layer among many.

Which WebView practice is the most dangerous if the loaded content is not fully trusted?

Answer: Using addJavascriptInterface to expose native methods to JS

addJavascriptInterface bridges JavaScript to native code, so untrusted page content can invoke exposed methods; the other options are safe or actively protective hardening steps.

In a standard Play Integrity request, what is the purpose of supplying a request hash?

Answer: It ties the verdict to the request so a captured token can't be replayed elsewhere

The request hash ties the returned verdict to the exact request being protected, so an attacker cannot reuse a valid token for an unrelated or replayed action; the token is still decrypted and verified server-side.

In the decrypted Play Integrity payload, what does an appRecognitionVerdict of PLAY_RECOGNIZED indicate?

Answer: The running binary and signing certificate match what Play distributed

PLAY_RECOGNIZED means the app is the unmodified binary and certificate combination recognised by Google Play; licensing or entitlement is reported separately in the account details, not in the app recognition verdict.

Which older API did the Play Integrity API replace for attesting app and device genuineness?

Answer: SafetyNet Attestation API for app and device attestation checks

Play Integrity is the successor to the now-deprecated SafetyNet Attestation API; the other options serve account, management, and configuration roles unrelated to attestation.

What does the MEETS_VIRTUAL_INTEGRITY device verdict label signify?

Answer: The app is running on a genuine Google-backed Android emulator

MEETS_VIRTUAL_INTEGRITY identifies a legitimate Google-backed emulator environment, distinct from MEETS_DEVICE_INTEGRITY for physical certified devices; it is neither a failure verdict nor a statement about hardware key storage.

Why is server-side input validation still required even when the Android client already validates input before sending it?

Answer: A modified client can skip on-device checks and send requests straight to your API

The client is fully under the user's control, so on-device validation is only a UX convenience; an attacker can hit your endpoints directly, making the server the only place validation can be trusted.

What does R8, the default Android build-time optimizer, actually do?

Answer: It shrinks, optimizes, and obfuscates code, replacing ProGuard by default

R8 tree-shakes unused code, applies optimizations, and renames symbols, replacing ProGuard as the default toolchain; it does not encrypt bytecode, sign the artifact, or provide runtime tamper detection.

For a method on an object passed to addJavascriptInterface to be callable from JavaScript on modern Android, what is required?

Answer: The method must be public and annotated with @JavascriptInterface

Since API 17, only public methods explicitly annotated with @JavascriptInterface are reachable from the page, which closed the earlier reflection-based remote-code-execution hole; the bridge obviously requires JavaScript to be enabled.

Back to App Integrity & Injection