
100+ Free PMPA Practice Questions

TCM Practical Mobile Pentest Associate (PMPA) practice questions are available now; exam metadata is being verified.

2026 Statistics

Key Facts: PMPA Exam (all values per TCM Security)

Exam Format: Practical
Assessment Period: 2 days
Exam Focus Platform: Android
Exam Style: No flags
Deliverable: Report required
Certification Level: Associate

The PMPA from TCM Security is an Android-focused practical mobile application penetration testing certification. Candidates have 2 days to assess a mobile app environment and additional days to submit a professional report — no flags, no MCQs. The exam tests real-world skills: APK decompilation, AndroidManifest.xml analysis, MobSF scanning, Frida/Objection SSL pinning bypass, Burp Suite proxy interception, insecure storage enumeration, and exported component exploitation. Preparation is through TCM Security's Mobile Application Penetration Testing (MAPT) course. This practice test covers the theoretical knowledge — the real exam requires hands-on assessment.

Sample PMPA Practice Questions

Try these sample questions to test your PMPA exam readiness. Each question includes a detailed explanation.

1. What is the file extension of an Android application package that you download and install on a device?
A. .ipa
B. .aab
C. .apk
D. .dex
Explanation: An APK (Android Package Kit) is the file format used to distribute and install Android applications. It is a ZIP archive containing the app's compiled code, resources, and manifest. IPA is the iOS equivalent, AAB is the Android App Bundle (the publishing format Google Play turns into APKs on delivery), and DEX is the compiled Dalvik bytecode inside an APK.
2. Which file inside an APK declares the app's components, permissions, and minimum SDK version?
A. classes.dex
B. resources.arsc
C. AndroidManifest.xml
D. META-INF/MANIFEST.MF
Explanation: AndroidManifest.xml is the blueprint of every Android application. It declares all components (activities, services, broadcast receivers, content providers), the permissions the app requests, the minimum and target SDK versions, and the intent filters that route Intents to those components. Inside the APK it is stored in a binary XML encoding, so it is read after decoding with apktool (jadx and MobSF decode it for you). It is the first file a mobile pentester reviews to map the attack surface. META-INF/MANIFEST.MF is the JAR signing manifest, unrelated to app configuration.
3. When decompiling an APK with apktool, which command correctly decodes the APK named 'target.apk' into a folder called 'output'?
A. apktool d target.apk -o output
B. apktool b target.apk -o output
C. apktool decode target.apk --output output
D. apktool extract target.apk output
Explanation: The apktool 'd' (decode) subcommand decompiles an APK: `apktool d target.apk -o output`. This decodes AndroidManifest.xml, smali bytecode, and resource files into the specified output directory. The 'b' (build) subcommand re-assembles a decoded APK; it is the reverse operation.
4. Which tool decompiles Android APKs into readable Java source code and provides a GUI for browsing classes, methods, and strings?
A. apktool
B. dex2jar
C. jadx-gui
D. Ghidra
Explanation: jadx-gui (the JADX graphical front end) decompiles DEX bytecode directly into readable Java source code and provides a graphical browser for navigating classes, methods, fields, and strings. This makes it the preferred static analysis tool in the TCM mobile pentest course. apktool produces smali (assembly-like) code rather than Java, dex2jar only converts DEX to a JAR for a separate Java decompiler, and Ghidra is aimed at native code such as the .so libraries.
5. In AndroidManifest.xml, which attribute on a component makes it accessible to other apps and the system outside the declaring application?
A. android:exported="true"
B. android:permission
C. android:enabled="true"
D. android:allowBackup="true"
Explanation: Setting `android:exported="true"` on a component (Activity, Service, BroadcastReceiver, or ContentProvider) lets other applications and the Android system reach it via Intents. Exported components are a major attack surface: any app can interact with them without holding a permission unless `android:permission` is also set. Two defaults matter when reading a manifest: before targetSdkVersion 31 a component with an <intent-filter> but no explicit android:exported was exported by default, and from targetSdkVersion 31 (Android 12) the attribute must be declared on such components or the app will not install. `android:enabled` only controls whether the component can be instantiated at all, and `android:allowBackup` concerns backup of app data via adb, not component reachability.
6. A pentester runs `adb shell am start -n com.example.app/.AdminActivity` successfully without authentication. What vulnerability does this demonstrate?
A. SQL injection via content provider
B. Insecure direct object reference
C. Exported activity without access control
D. Tapjacking
Explanation: When an Activity is exported (android:exported="true") without a protecting permission, any app, or the shell user behind `adb shell am start`, can launch it directly by component name. Here that bypasses the login flow and reaches an administrative Activity without credentials: a classic exported-Activity vulnerability, classed under Improper Platform Usage in the 2016 OWASP Mobile Top 10 and Security Misconfiguration in the 2024 list. Note that `am start` from a non-root adb shell cannot launch a non-exported Activity (it fails with a "Permission Denial ... not exported" error), so a successful launch is itself evidence that the component is exported. Tapjacking is a different issue (an overlay tricking the user into tapping), and a content-provider SQL injection would be exercised with `content query`, not `am start`.
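The manifest review behind questions 5 and 6 can be scripted. The following Python is an added example, not code from the practice page or from TCM Security: it parses a constructed, apktool-style decoded manifest for the hypothetical package com.example.app, applies the platform's default-export rules (an explicit android:exported, the implicit export of components with intent filters below targetSdkVersion 31, the pre-API-17 default for providers), and lists every exported component that has no permission guarding it, together with the `adb shell am start` command that reproduces an exported-Activity finding.

```python
"""Audit a decoded AndroidManifest.xml for components other apps can reach.

Added example, not from the practice page or TCM Security. It reads the
plain-text manifest that `apktool d target.apk -o output` writes (the copy
inside the APK is binary-encoded). The sample manifest is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample for the hypothetical package com.example.app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.app.SYNC"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
        android:authorities="com.example.app.data"
        android:exported="true"
        android:permission="com.example.app.READ_DATA"/>
  </application>
</manifest>
"""

def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem, target_sdk):
    """Platform defaults: an explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported when targetSdkVersion < 31
    (apps targeting 31+ must declare it or fail to install), and a
    <provider> is exported when targetSdkVersion < 17."""
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None and target_sdk < 31

def is_protected(elem):
    """True when a permission guards the component; providers may use split
    readPermission/writePermission instead of android:permission."""
    names = ["permission"]
    if elem.tag == "provider":
        names += ["readPermission", "writePermission"]
    return any(android_attr(elem, n) for n in names)

def is_launcher(elem):
    """The MAIN/LAUNCHER activity is exported by design, so report it apart."""
    return any(android_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))

def audit(manifest_xml, target_sdk):
    """One dict per exported component. apktool writes targetSdkVersion to
    apktool.yml rather than the decoded manifest, so the caller passes it."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = android_attr(elem, "name") or "?"
        if name.startswith("."):  # shorthand relative to the package name
            name = pkg + name
        findings.append({
            "type": elem.tag,
            "name": name,
            "implicit": android_attr(elem, "exported") is None,
            "protected": is_protected(elem),
            "launcher": elem.tag == "activity" and is_launcher(elem),
        })
    return findings

def unprotected(findings):
    """Components any app (or `adb shell am start`) reaches with no permission."""
    return [f for f in findings if not f["protected"] and not f["launcher"]]

def am_start_command(pkg, finding):
    """adb invocation that reproduces an exported-Activity finding."""
    return "adb shell am start -n %s/%s" % (pkg, finding["name"])

if __name__ == "__main__":
    found = audit(SAMPLE_MANIFEST, target_sdk=30)
    for f in unprotected(found):
        how = "implicitly" if f["implicit"] else "explicitly"
        print("%s %s: %s exported, no permission" % (f["type"], f["name"], how))
        if f["type"] == "activity":
            print("  repro: " + am_start_command("com.example.app", f))
```

On the sample with targetSdkVersion 30 the script reports AdminActivity (explicitly exported) and SyncReceiver (implicitly exported through its intent filter) and leaves out the launcher Activity and the permission-protected provider; rerun with `target_sdk=31` and SyncReceiver drops out, which is exactly the change Android 12 forced. The targetSdkVersion is a parameter because apktool records it in apktool.yml rather than in the decoded manifest.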
7. MobSF (Mobile Security Framework) is used in mobile pentesting primarily for which purpose?
A. Automated static and dynamic analysis of mobile applications
B. Rooting Android devices over USB
C. Injecting Frida scripts into running processes
D. Generating malicious APKs for phishing
Explanation: MobSF (Mobile Security Framework) is an open-source, all-in-one automated framework for static and dynamic security analysis of Android, iOS, and Windows mobile applications. It decompiles APKs, analyzes the manifest, scans for hardcoded secrets, checks for insecure API usage, and produces a detailed security report, making it a core tool in the TCM PMPA curriculum.
8. When pulling an APK from a running Android emulator via ADB, which command saves the installed APK of the package 'com.example.app' to the local machine?
A. adb install com.example.app
B. adb dump com.example.app > app.apk
C. adb get-apk com.example.app
D. adb pull $(adb shell pm path com.example.app | cut -d: -f2)
Explanation: The two-step method is: first `adb shell pm path com.example.app` prints the on-device APK path prefixed with `package:` (e.g. `package:/data/app/com.example.app-.../base.apk`), which is why the one-liner strips everything up to the colon with `cut -d: -f2`; then `adb pull <path>` copies the file to your local machine. Two caveats: an app installed as split APKs prints one `package:` line per split (base.apk plus split_config.*.apk), so each path has to be pulled, and some host setups return shell output with a trailing carriage return that must be stripped before the value is used as a path. `adb install` goes the other way (host to device), and `adb dump` and `adb get-apk` are not adb subcommands.
9. Hardcoded strings in an Android app's resources can be found in which file?
A. res/layout/activity_main.xml
B. assets/config.yaml
C. res/values/strings.xml
D. lib/arm64-v8a/libnative.so
Explanation: The `res/values/strings.xml` file is the standard Android location for string resources, including URLs and other string values. Developers sometimes hardcode sensitive values (Firebase URLs, API keys, backend endpoints) here instead of keeping them server-side, which makes it a key target during static analysis. Inside the APK these strings are compiled into `resources.arsc`; apktool decodes them back into `res/values/strings.xml`, and jadx shows the same resource table. Also check the generated `BuildConfig` class and the `assets/` directory, where secrets frequently end up as well.
10. During static analysis, you discover a Firebase URL in strings.xml: `https://myapp-default-rtdb.firebaseio.com`. What is the simplest method to check if the database is publicly readable?
A. Append /.json to the URL and send a GET request in a browser
B. Run sqlmap against the Firebase URL
C. Use Frida to hook the Firebase SDK at runtime
D. Decompile the Firebase SDK with jadx to find the auth token
Explanation: Firebase Realtime Database exposes a REST API. Appending `/.json` to the database URL (e.g., `https://myapp-default-rtdb.firebaseio.com/.json`) and making a GET request returns the contents if the security rules allow unauthenticated reads. A 200 response with JSON data confirms misconfigured rules, a critical finding documented in the TCM mobile pentest course. Read the response carefully: a 200 whose body is just `null` means the node is readable but empty (still a misconfiguration worth reporting), while HTTP 401 with `{"error":"Permission denied"}` means the rules are rejecting anonymous reads. Adding `?shallow=true` to the first request returns only the top-level keys, so a large world-readable database is not downloaded in full. sqlmap targets SQL backends, and hooking or decompiling the SDK is unnecessary when a plain HTTP request answers the question.
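Questions 9 and 10 describe one workflow: find the database URL in the decoded string resources, then probe it. The following Python is an added example, not code from the practice page or from TCM Security. The strings.xml it parses is constructed and the hostname is hypothetical; it builds the `/.json` REST endpoint (with `?shallow=true` for the first request), interprets the status code and body the way a tester should (200 with data, 200 with `null`, 401 Permission denied), and only performs a live request when run as a script against an app you are authorized to test.

```python
"""Find Firebase Realtime Database URLs in decoded string resources and probe
each for unauthenticated read access over the REST API.

Added example, not from the practice page or TCM Security. The strings.xml
below is constructed and the hostname is hypothetical; point this only at
databases belonging to an app you are authorized to test.
"""
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed res/values/strings.xml as apktool would decode it.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">MyApp</string>
    <string name="firebase_database_url">https://myapp-default-rtdb.firebaseio.com</string>
    <string name="google_api_key">AIza-placeholder-not-a-real-key</string>
    <string name="api_base">https://api.example.com/v1/</string>
</resources>
"""

# Realtime Database hosts: legacy *.firebaseio.com and regional *.firebasedatabase.app.
FIREBASE_HOST_RE = re.compile(
    r"https://[A-Za-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)")

def find_database_urls(strings_xml):
    """Return (resource name, database URL) pairs found in <string> values."""
    root = ET.fromstring(strings_xml)
    hits = []
    for s in root.iter("string"):
        m = FIREBASE_HOST_RE.search(s.text or "")
        if m:
            hits.append((s.get("name"), m.group(0)))
    return hits

def probe_url(db_url, path="/", shallow=False):
    """Any node becomes a REST endpoint by appending /.json; shallow=true asks
    for just the top-level keys so a world-readable, very large database is
    not pulled in full on the first request."""
    url = db_url.rstrip("/") + "/" + path.strip("/")
    url = url.rstrip("/") + "/.json"
    return url + ("?shallow=true" if shallow else "")

def classify(status, body):
    """Interpret the response. 200 means the rules allow public read, even when
    the node is empty (body is just `null`); 401 is the rules denying the
    anonymous request, which is the expected, secure outcome."""
    if status is None:
        return "no response (%s)" % body
    if status == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return "readable (non-JSON body)"
        if data is None:
            return "readable, empty node"
        if isinstance(data, (dict, list)):
            return "readable, %d top-level entries" % len(data)
        return "readable, scalar value"
    if status in (401, 403):
        return "denied by security rules"
    return "unexpected HTTP %d" % status

def fetch(url, timeout=10):
    """GET url and return (status, body). HTTP errors carry Firebase's JSON
    error body; network failures come back as (None, reason)."""
    req = urllib.request.Request(url, headers={"User-Agent": "rtdb-read-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except OSError as e:  # URLError, timeouts, DNS failures
        return None, str(getattr(e, "reason", e))

if __name__ == "__main__":
    for res_name, db_url in find_database_urls(SAMPLE_STRINGS_XML):
        target = probe_url(db_url, shallow=True)
        status, body = fetch(target)
        print("%s -> %s: %s" % (res_name, target, classify(status, body)))
```

The regex deliberately matches both the legacy `*.firebaseio.com` host and the regional `*.firebasedatabase.app` host that newer projects receive, since the second form is easy to overlook when grepping for "firebaseio". When `classify` reports a readable node, follow up by probing specific child paths (for example `probe_url(db_url, "/users")`) and test write access separately; a readable database is one finding and a writable one is a more severe finding.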

About the PMPA Practice Questions

Verified exam format metadata for TCM Practical Mobile Pentest Associate (PMPA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.