Android Enterprise Security & Privacy Final Exam Answers 2021

Before you get to the answers below here are some key insights to the exam.

Name of Exam – Android Enterprise Security & Privacy Final Exam.

Total Questions and Time Limit of Exam – 35 Questions and there is no time limit to finish the exam.

Exam URL

Android Enterprise Security & Privacy Final Exam Answers (Updated)

Q.1 – The Acme Wizard Phone using Android 8.0 was stolen by an attacker and even though the device was encrypted, the attacker was able to read the names of the encrypted files. Why?

(A) They can see the file names because metadata encryption, which would prevent this, was introduced in Android 9.0 and above.

(B) The user disabled encryption on their device.

(C) The OEM did not implement encryption on this version of their device.

(D) They can see the file names because the device had the TEE encryption turned off

Q.2 – You are deploying Android devices into your retail stores to be shared amongst employees. You want to make sure no user data is on the devices when the users turn in their devices at the end of the day. How can you accomplish this?

(A) Simply ask the users to do a factory reset at the end of the day.

(B) Use an automated script at midnight to send a device wipe and then to begin an automated enrollment so users will have fresh devices in the morning.

(C) You will have to purchase additional devices and assign each employee their own device.

(D) Deploy the devices as dedicated devices to ensure each session and associated user’s data is deleted when the user logs out.

Q.3 – What are some of the advantages of TLS 1.3 over previous versions? (Select 2)

(A) Prevents certificates signed with SHA1 hashes.

(B) It allows users to change their devices DNS settings.

(C) It prevents a user from browsing known bad websites.

(D) It’s up to 40% faster.

Q.4 – You have been in conversations with a U.S. Federal agency around Android device security. The agency’s security team has just started to refer to a document called the STIG. What document are they referring to?

(A) Security Technical Implementation Guide that provides guidance on how to deploy a mobile device.

(B) Simple Technical Instruction Guide that provides guidance on how to deploy devices.

(C) Standard Template of Information Guidance for agencies to use for deploying only Android devices.

(D) It’s the Sample Template Instruction Guide used to deploy Android and iOS devices for government agencies.

Q.5 – An Admin wants to set up a policy to check devices for known PHAs during the enrollment process to prevent enrollment of devices with malware. What Google Security Service would the Admin use to accomplish this?

(A) Clean Cache Detection.

(B) Verified Boot.

(C) Chrome Safe Browsing.

(D) Verify Apps.

Q.6 – What encryption algorithm is required by Google for all modern Android devices?

(A) SHA 256.

(B) AES 128.

(C) AES 256.


Q.7 – A customer has a requirement to enroll Android tablets with no carrier connectivity. Additionally, they do not want use an open WiFi with a simple pre-shared password for the enrollment. Is there a solution to help the customer?

(A) Tell the customer to use a QR code based provisioning method that can pass WIFI EAP credentials including Certificates.

(B) Tell the customer to upload their WiFi certificates to the Zero-Touch portal for automatic delivery during enrollment.

(C) Provide SD card’s with the certificate.

(D) Tell the customer that they must set up an open WiFi due to restrictions on how enrollment works.

Q.8 – After an internal review of a potentially compromised BYOD device, it’s determined that the user side-loaded a malicious app on the personal profile that harvested their contacts. Why was none of the data in the work profile accessible?

(A) Work profile sandboxing and app isolution prevented any access to the work data.

(B) The user detected unusual activity before the app had time to infect the work profile and turned off the phone.

(C) The IT admin noticed unusual activity in the personal profile and asked the user to bring IT the phone in for review.

(D) The device had a weak 4 digit device passcode policy so the app was able to access all information.

Q.9 – Excerpt from Helpdesk / User chat: User: I was searching for information about a project and a weird error in Chrome came up ‘Your device has Malware’ Helpdesk: You see this error on a webpage in Chrome? User: Yes Helpdesk: Did you get see a RED warning page in Chrome that it was not safe to continue? User: Yes, I thought it was ok since it gave me the option to proceed anyway. What Chrome policy can the admin set that would prevent this issue from occuring in the future? (Select 2)

(A) Disable Chrome in the work profle.

(B) Create a Terms of Service banner that tells users not to open suspicious websites.

(C) Set a managed configuration on Chrome to prevent users from disabling Safe Browsing.

(D) Set a managed configuration on Chrome to prevent users from disabling incognito mode.

Q.10 – Which of the following are NOT processes that the TEE performs? (Select 2)

(A) Lock screen passcode verification.

(B) Biometric template matching.

(C) DRM – Dedicated RAM Monitoring.

(D) Data loss protection.

Q.11 – A very popular public app on Google Play is perfect for your inventory use case. You want to use the camera function to read bar codes, but do not want the users to annotate via the voice function in the app. Is there a way to turn off the voice feature?

(A) Yes, you can use a Terms of Service notice to inform users not to use the feature.

(B) Yes, you can disallow the mic permission on the app via a policy from the EMM.

(C) Yes, deploy the app into the work profile where it’s safe.

(D) No, the admin will need to accept the risk or find another suitable application.

Q.12 – Android devices used in the US Federal Gov’t and many other Gov’ts around the world must go through the NIAP validation process. What security assurances does this provide? (Select 2)

(A) There is a publicly available document issued by NIAP as proof of passing a strict testing process by a lab.

(B) NIAP supplies assurances for only special purpose devices that are not available commercially off the shelf.

(C) The NIAP process does not provide assurances, it only assumes that OEM’s have used the best practices set forth by standards.

(D) Instructions are provided on how to configure the device so that it is consistent with the evaluated configuration as a reference.

Q.13 – Which statement most accurately describes the CDD?

(A) The CDD provides guidance on how to add Google Apps to an Android device and defines an easy path for application management.

(B) The CDD is an optional guide that contains best practices around building a device with Android.

(C) The CDD represents the ‘policy’ aspect of Android compatibility set by Google. It outlines the requirements a device must meet to be considered compatible.

(D) The CDD was developed by Google when Android was originally released and gets updated every 4 years.

Q.14 – Sales Ltd is trying to enroll brand new devices using Android Enterprise and none of the devices will enroll. Helen, the IT manager suspects the devices that were procured by a seperate department might not have the right API’s. What are the right set of API’s Helen needs to confirm?

(A) Treble hardware abstraction layer (HAL).



(D) Google Apps.

Q.15 – A customer has 5000 Android 10 devices in warehouses that are not connected to the internet. How can the customer get an OTA update to the device if they are only on a closed network?

(A) Since the devices are off the internet and safer, you do not need to keep the devices updated.

(B) Send the devices to the OEM for updating.

(C) Use only devices that are flashed with AOSP versions of Android so that you can get updates directly from the OEM.

(D) Use the manual update process combined with your EMM to push updates from a local server on the network.

Q.16 – What are two benefits from the list that you would highlight for a customer looking to deploy applications via managed Google Play?

(A) Prevents admins from setting permissions to ensure app safety.

(B) Allows admins to create allow and block lists for public apps.

(C) Safeguards devices by preventing private app deployment.

(D) Removes the need for app wrapping.

Q.17 – What kernel protection mechanism helps prevent hijacking functions and pieces of code from apps and using those apps and their permissions to perform malicious actions?

(A) CFI – Control Flow Integrity.

(B) PIE – Position Independent Execution.

(C) Secure Computing or SECComp.

(D) ASLR – Address Space Layout Randomization.

Q.18 – Verified Boot has been on Android devices since version 4.4. An attacker, Mark, installs a custom bootloader on a stolen device with Android version 8. When it boots up, Mark sees an error on the screen that the device cannot boot. What is preventing the device from booting up?

(A) The root of trust stored in hardware does not match the newly installed bootloader.

(B) Mark simply needs to restart the bootloader one more time after installing.

(C) Mark needs to boot the device from safeboot by using hardware buttons at boot time.

(D) Rate limiting has prevented Mark from being able to enter in a passcode

Q.19 – Mike, Head of Mobility Security at Bank Ltd, wants to disable all fingerprint authentication from devices. He believes that an image of the biometric data is extracted from the devices and stored in Google Cloud. Which of the following facts would you use to easy Mike’s concern? (Select 2)

(A) The device does not take an image of the print but a biometric model that then uses an algorithm to create a mathematical template.

(B) Fingerprint images are stored in a database on the users filesystem. That makes them inaccessible to Google.

(C) A biometric template cannot be copied to another device because it is signed with a device specific key when stored in the TEE.

(D) You assure Mike that it’s a common practice for all cloud companies to store biometric data for compliance.

Q.20 – The public health department of Google Town wants to use managed Google Play to deploy critical city applications that store public health records. Nina, the head of security, has asked you to validate managed Google Play as a secure solution. What are some of the certifications the Managed Play store has received that you could promote to reassure Nina? (Select 3)

(A) ISO 27001.

(B) FedRAMP Moderate.

(C) SOC 2.

(D) SOC 3.

Q.21 – Google supplies security updates for Android every _____ days.

(A) 30 days.

(B) 90 days.

(C) When an OEM needs Google to build one.

(D) 45 days.

Q.22 – A malicious application developer has decided to target Android users by creating a small puzzle app filled with malware. The goal is to get it on as many Android devices as possible using the Google Play Store. What are some of the reasons this developer will not be successful? (Select 2)

(A) All apps uploaded to Google Play are scanned for malware.

(B) Google Play Protect would scan the app and detect the malware.

(C) All apps are reviewed by a Google security analyst.

(D) The attacker will use known spyware to infect the devices.

Q.23 – Gomer has found a vulnerability in an application and has written an exploit to attack the app. What Android platform hardening technology helps prevent Gomer’s attack from working?

(A) Address Space Layout Randomization (ASLR).

(B) Android Enterprise copy/paste prevention APIs.

(C) Once the exploit gets onto the phone, Gomer would be able to execute his attack with ease.

(D) Fortify Source.

Q.24 – Phone Ltd. is building a new device with Android 11. Which of the following accurately describes the steps needed for them to obtain a GMS license from Google?

(A) Download the source code from, adhere to CDD, pass CTS, apply for GMS license.

(B) Download source code from, adhere to AER requirements, pass CTS, apply for GMS license.

(C) Download source code from, adhere to AER requirements, pass GMS test, Deploy GMS apps.

(D) Download source code from, adhere to CDD, pass CTS, sideload GMS servers into the system.

Q.25 – Jake has configured SCEP to deploy certificates during enrollment of all Android devices. He wants to use a public app called, SalesEng. How can he check to see if the app supports managed configurations?

(A) Search to see if the app supports managed configurations.

(B) Search to see if the app supports managed configurations.

(C) Public apps do not support managed configurations, so Jake will have to develop a private app.

(D) Call Google support to see if the app supports managed Configurations.

Q.26 – The mobility admin is nervous about DNS queries allowing enumeration of host systems on his network. What feature does Android have that can help the admin?

(A) Chrome safe browsing.

(B) DNS over TLS.

(C) Certificate Pinning.

(D) Direct Boot.

Q.27 – Which is NOT an Android Enterprise Recommended program core requirement?

(A) It validates advanced features across multiple management sets.

(B) It demonstrates technical leadership.

(C) Ensures enterprise level support.

(D) It ensures support for Device Admin support remains in tact for customers.

Q.28 – Mary leaves her Android phone in a cab. John, the cab driver, is a nefarious character and tries to break into the phone. He tries to install a custom version of Android onto the device to gain access to Mary’s data. What security principle would prevent this from happening?

(A) Rollback protection.

(B) Using Android Protected Confirmation.

(C) A work profile passcode (work challenge).

(D) Factory Reset Protection.

Q.29 – You deployed an app that transmits sensitive data and you require the app to use a VPN. In testing, you see that the app tries to connect without a VPN. How could you fix this?

(A) Educate the users to not use the app if they do not see the VPN is running.

(B) Do not allow the user to connect to public WiFi.

(C) Ask the developer to hard code a clear text token connection string in the app to use for authentication.

(D) You must configure the VPN policy to deny app access to the network if the VPN is unavailable.

Q.30 – Android uses Security Enhanced Linux (SELinux). What component of the SELinux kernel confines and reduces the impact of an exploited vulnerability to a single area?

(A) Security Domains.

(B) Secure memory blocks (SMB).

(C) The Hardware Abstraction Layer (HAL).

(D) System on a Chip (SoC).

Q.31 – Which two statements below are correct regarding the Compatibility Test Suite (CTS)?

(A) The Compatibility Test Suite is a free, commercial-grade test suite that is used during device development and is designed to evaluate and reveal incompatibilities with the CDD.

(B) A valid CTS result must be maintained in order for a device to move to the next level, obtaining a Google Mobile Service (GMS) Certification and license.

(C) The CTS is only valid for modern Android devices and was designed to help ensure all devices were able to use Android Enterprise APIs.

(D) The Compability Test Suite is for application developers building financial apps to ensure they use approved SSL modules for connecting to servers.

Q.32 – A new vulnerability has been reported and the IT admin of a company checks with his mobile operator to see if there is a Security Update. The mobile operator says they do not have one ready yet but it will be available soon. What other update mechanism can the Admin check?

(A) Check for updates via Google Play System Updates.

(B) Search for an open source update on the web.

(C) Download the patch right from the security bulletin on Google’s Website.

Deploy new devices that are not affected.

Q.33 – Jana, the IT manager for Bank Corp, informs during sales conversation that they will not allow any Google identities on the their devices because they are concerned about Google collecting user information from the devices. They would rather side-load all required applications manually. How do you proceed in this conversation?

(A) Inform Jana that a work-profile challenge can prevent this from happening and walk them through the benefits of work profile.

(B) Advise Jana that they can simply disable Google Play services with an EMM policy to keep information on the device.

(C) Inform Jana that managed Google Play accounts are obfuscated so Google is unaware of the user’s identity.

(D) Inform Jana that they simply do not have to use the BYOD model.

Q.34 – What type of keystore implementation would prevent complicated forensic data extractions and analysis of lost or stolen devices for example, leaking information via power, timing, electromagnetic radiation, and thermal radiation examination?

(A) StrongBox.

(B) HeavyChip.

(C) StongBuilt.

(D) SQLite SB.

Q.35 – Which of the enrollment methods below are not considered secure when deploying Android Enterprise devices?

(A) Zero Touch.

(B) QR Code.

(C) NFC bump.

(D) SMS Enrollment Code.

Q.36 – What process provides strong proof that a certificate being presented to a server for authentication from an Android device was stored in hardware and has not been compromised or spoofed?

(A) Key Attestation.

(B) Verify Apps.

(C) Certificate Capacitive Filtering.

(D) Network Access Control services.

Q.37 – Choose two security services that come standard as part of GMS:

(A) SafetyNet.

(B) Google Play Protect.

(C) Google One Active Enterprise (GOAT) protection.

(D) Google Play secure keyboard.

Q.38 – Anthony is approaching Customs in a foreign country and and he is immediately asked for his Android phone. What can Anthony do very quickly to help secure his phone?

(A) Enable Lockdown Mode.

(B) Hide his phone.

(C) Perform a factory reset.

(D) Smash the phone on the floor.

Q.39 – What is AOSP?

(A) AOSP is an open source software stack owned by Google and supplied to the ecosystem for a wide array of devices with different form factors.

(B) AOSP is an open source OS that Google does not own.

(C) AOSP is the Android Often Supported Platform that is used by many OEMs to build devices.

(D) AOSP ensures Android Enterprise APIs are present in all OEM Android implementations.

Q.40 – To ensure a secure app deployment strategy, what features in managed Google Play ensure users can only install apps you approve? (Select 2)

(A) Use only allow lists in managed Google Play.

(B) Allow unknown sources so admins can install security monitoring tools.

(C) Use strict verify apps to ensure users cannot install apps from an SD card or Web download.

(D) Use only the package installer API and avoid managed Google Play.

Q.41 – It’s September 1st, start of the holiday season, and a customer wants to prevent an OTA update from being installed and potentially causing issues. Is there any help for the customer?

(A) Set up a policy to delay the update until March of the next year.

(B) Set up the policy that will allow the OS updates to be postponed until Dec. 1 of the same year.

(C) Implement firewall rules on your network to prevent connections to the carrier.

(D) Instruct the user to not install the update on devices if they see a notification.

Q.42 – Acme Printing developed an app for their custom printers. A new developer joined the company to maintain the app. He made an update to the original APK and created a new app signing key for the update. What is the reason the APK will fail to be updated in the Google Play Console?

(A) APK must be signed with the same key as the original APK.

(B) The APK file size exceeds 1.0 GB.

(C) The APK gets flagged for impersonation since it’s uploaded by a new developer at the company.

(D) The Developer needs to delete the APK from Google Play and redeploy.

Q.43 – A forensics analyst has successfully rooted an Android 10 device and is trying to extract keys from the keystore with sophisticated tools. Why is she unable to extract the keys?

(A) Android 7+ devices with mandated hardware-backed keystores prevent key extraction on rooted devices.

(B) She needs to put the device into airplane mode.

(C) Her computer does not have the latest Android SDK tools to access the device over ADB.

(D) The key was revoked.

Q.44 – Phone Ltd. wants to make sure their device offers the best in class security right out of the box. Which services do they need to make sure are built right into the device?

(A) Google Mobile Services (GMS).

(B) Chrome Browser.

(C) Google Play Store.

(D) Default OEM Phone app.

Q.45 – Android devices with an implementation of the Keymaster HAL that resides in a hardware security module use true random number generators (TRNG). What is one of the advantages TRNG has over pseudo-random number generators (PRNG)?

(A) TRNGs uses strong mathematical functions to secure key generation.

(B) TRNGs are better because they use external sources of information for entropy, such as electrical circuit noise.

(C) Pseudo-random number generators are actually the best, but too expensive to put in mobile devices.

(D) TRNGs are more efficient and use less battery power. This can help extend battery life considerably.

Q.46 – Google mandates that Android 10 devices and higher to use File-Based encryption versus Full-Disk encryption. Why did Google set this requirement? (Select 2)

(A) A work profile can has its own encryption key.

(B) File-Based Encryption integrates with managed Google Play.

(C) Allows the Encryption keys to be stored with Google for safety.

(D) Supports Direct Boot aware apps.

Q.47 – You have just completed a security presentation with Games Inc. The CIO appreciates your time but is asking for 3rd party validations that Android is in fact as secure as you are promoting it to be. What are some 3rd party validations and initiatives you can share with the Games Inc team to further boost their confidence around Android security? (Select 3)

(A) Share the Gartner Device Security Report that compare security features between Android and other mobile platforms.

(B) Instruct the customer to read the 2020 Omdia survey on how Android comes out on top for mobile security.

(C) Share information about the vulnerability rewards programs and the metrics. Google has the confidence to offer payments that surpass other platforms alluding to the fact they are hard to find.

(D) Have the customer search the internet for Android Malware to see there are not many articles on the topic.

Q.48 – Glenn, the CIO of Bank Ltd, is convinced that Google Play is full of malware and he chooses not to deploy Android for that reason. What are some talking points you can use to educate Glenn on Google Play security? (Select 3)

(A) Educate Glenn on the App Defense Alliance and that getting malware from Google Play is unlikely.

(B) Explain the benefits of managed devices and how managed Google Play mitigates this risk.

(C) Review the app scanning technology that Google uses and show him the Android Security Transparency Report website.

(D) Ask the CIO to prove why he feels this way.

Q.49 – Which of the following is NOT a category of a PHA?

(A) Backdoor.

(B) Denial of Service.

(C) Hostile downloader.

(D) Jailbreaking.

What is the Android Enterprise Security & Privacy Course and Exam?

This course teaches different topics relating to Android Security and Privacy. It starts with the introduction to Android Enterprise and talks about the two most important security services the managed Google Play Store and Google Play Protect.

This course contains a total of 10 lessons with a Pre Survey, Post Survey, and the main Post Exam.

The Android Enterprise Security & Privacy Final Exam is designed to test your knowledge of what you have just learned in the previous classes. There will be 35 questions, and you will need a pass mark of 80%. There is no timer on the exam. If you fail the exam then you can retake the exam after 30 days.

Course Lessons

There are a total of 10 lessons in this course.

(1) Introduction to Android Security and Privacy.

(2) Mandating consistent security standards.

(3) Hardware security.

(4) OS Security module.

(5) Application security.

(6) Network security.

(7) Data protection.

(8) Device, Profile and Application Management.

(9) Industry standards and validation.

(10) Wrap up.


This article provides all the answers with a detailed explanation so that you don’t just get the correct answers but you actually understand the reason behind the answers. You can get the answers to other Android Enterprise exams in our Expert Badge Android 11 Answers page, Android Mobile Certification Answers page, Android Enterprise Architecture and Implementation Answers page, Android Enterprise Professional Pre-Assessment Answers page, Android Enterprise Professional Post-Assessment Answers page, Android Enterprise Professional Answers page, Android Enterprise Associate Pre-Assessment Answers page, Android Enterprise Associate Post-Assessment Answers page, Android Enterprise Associate Answers page, Zero-Touch Assessment, and Android Enterprise Expert Certification Exam Answers page.

Leave a Comment

Share via
Copy link
Powered by Social Snap