InterviewStack.io

Mobile App Security and Authentication Questions

Platform-specific security practices for mobile applications and clients. Topics include secure storage of credentials and tokens, protecting secrets on device, certificate pinning and secure transport, secure use of OAuth and token refresh flows on mobile, defending against reverse engineering and tampering, permission models and least privilege for mobile apps, privacy and compliance considerations, secure API usage patterns from mobile clients, and strategies for mitigating mobile-specific attack vectors.

Medium · Technical · 135 practiced
Describe methods to detect app tampering and integrity breaches at runtime on Android and iOS. Include techniques like signature verification, binary checksums, anti-debugging, ptrace detection, packer/unpacker checks, using native code for sensitive logic, and integrating platform attestation services. Explain common evasion techniques attackers use and limitations of client-side tamper detection.
Medium · Technical · 94 practiced
Propose server-side detection strategies to identify potentially compromised mobile clients calling your APIs. Include signals like abnormal request patterns, device attestation failures or low integrity scores, token replay detection, geolocation anomalies, fingerprinting inconsistencies, and rate-limiting. Also discuss how to combine signals to reduce false positives and suggested automated responses.
Medium · Technical · 77 practiced
Compare the security properties, scalability, and UX trade-offs of storing refresh tokens on-device versus keeping refresh tokens server-side (for example, via an authorization code exchange and a server-held refresh token with an ephemeral device token). Provide recommendations for high-risk apps such as finance and health.
Medium · Technical · 69 practiced
Design a secure and user-friendly logout and token revocation strategy for a mobile app. Cover client-side removal of credentials, server-side revocation of refresh tokens, handling multiple devices, push-based or polling-based notification to other devices, and techniques to ensure tokens are not usable after logout even if an attacker extracted them earlier.
Easy · Technical · 90 practiced
Describe device attestation services available for mobile platforms, including Android SafetyNet and Play Integrity, and Apple DeviceCheck and App Attest. Explain what attestation asserts about the device and app, how attestation responses should be validated by the server, and known limitations or attacks against attestation.