CompTIA PenTest+ (PT0-001) — Question 184
A company requested a penetration tester review the security of an in-house developed Android application. The penetration tester received an APK file to support the assessment. The penetration tester wants to run SAST on the APK file. Which of the following preparatory steps must the penetration tester do FIRST? (Select TWO).
Answer options
- A. Convert to JAR.
- B. Decompile.
- C. Cross-compile the application.
- D. Convert JAR files to DEX.
- E. Re-sign the APK.
- F. Attach to ADB.
Correct answer: A, B
Explanation
An APK is a ZIP archive whose executable code is Dalvik bytecode (classes.dex, plus classes2.dex and so on for multidex builds), which Java-oriented SAST tools cannot read directly. The tester therefore first converts the DEX bytecode into a JAR of JVM class files (A; dex2jar is the usual tool), then decompiles that JAR into Java source (B; for example with JD-GUI, CFR or Procyon) so the SAST tool has code to scan. The remaining options do not help: cross-compiling (C) is unnecessary because the tester already holds the built binary; converting JAR to DEX (D) is the reverse direction, used when repackaging an app; re-signing the APK (E) and attaching to ADB (F) are dynamic-testing steps for installing and instrumenting the app on a device, not preparation for static analysis.
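Before handing an APK to dex2jar and a decompiler, it is worth confirming that the archive actually contains intact DEX files the toolchain can consume (multidex, truncated or corrupted bytecode, or a split/asset-only APK will otherwise surface as an opaque conversion error). The script below is an added example written for this page, not a CompTIA artifact or part of any vendor tool: it opens an APK as a ZIP, locates every classes*.dex entry, validates each DEX header (magic and version, header size, endian tag, declared file size, and the Adler-32 checksum that covers everything after the checksum field) and reports whether the archive is ready for the convert-to-JAR step. The APK it inspects is a constructed in-memory sample with header-only DEX blobs, assumed here so the code runs offline; `build_demo_apk`, `make_dex` and `inspect_apk` are names chosen for this example.

```python
"""Pre-SAST triage of an Android APK: confirm it carries valid Dalvik
bytecode before converting it to a JAR (dex2jar) and decompiling.
Added example for this page; the sample APK is constructed inline."""
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70                      # fixed size of a DEX header
DEX_ENDIAN_TAG = 0x12345678                 # little-endian marker
KNOWN_DEX_VERSIONS = {b"035", b"037", b"038", b"039"}
DEX_NAME_RE = re.compile(r"classes(\d*)\.dex")


def parse_dex_header(blob: bytes) -> dict:
    """Validate a DEX header and return the fields a triage report needs."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = blob[0:8]                       # b"dex\n" + 3-digit version + NUL
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic")
    version = magic[4:7]
    (checksum,) = struct.unpack_from("<I", blob, 0x08)
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 0x20)
    class_defs_size, _class_defs_off = struct.unpack_from("<II", blob, 0x60)
    if header_size != DEX_HEADER_SIZE:
        raise ValueError("unexpected header_size %#x" % header_size)
    if endian_tag != DEX_ENDIAN_TAG:
        raise ValueError("unexpected endian_tag %#x" % endian_tag)
    if file_size != len(blob):
        raise ValueError("file_size %d != actual %d (truncated?)" % (file_size, len(blob)))
    # The Adler-32 field covers every byte after the field itself.
    if zlib.adler32(blob[0x0C:]) & 0xFFFFFFFF != checksum:
        raise ValueError("Adler-32 checksum mismatch (corrupted DEX)")
    return {
        "version": version.decode(),
        "known_version": version in KNOWN_DEX_VERSIONS,
        "file_size": file_size,
        "class_defs": class_defs_size,
    }


def inspect_apk(apk_bytes: bytes) -> dict:
    """Enumerate DEX entries in an APK and validate each one."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(
            (n for n in names if DEX_NAME_RE.fullmatch(n)),
            key=lambda n: int(DEX_NAME_RE.fullmatch(n).group(1) or 1),
        )
        report = {}
        for name in dex_names:
            try:
                report[name] = {"ok": True, **parse_dex_header(z.read(name))}
            except ValueError as exc:
                report[name] = {"ok": False, "error": str(exc)}
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                      for n in names),
        "multidex": len(dex_names) > 1,
        "dex_files": report,
        "ready_for_dex2jar": bool(dex_names) and all(r["ok"] for r in report.values()),
    }


def make_dex(version: bytes = b"035", class_defs: int = 1, extra: bytes = b"") -> bytes:
    """Constructed header-only DEX blob with consistent size and checksum fields."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\x00"
    body += extra                            # stand-in for the data section
    struct.pack_into("<III", body, 0x20, len(body), DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    struct.pack_into("<II", body, 0x60, class_defs, DEX_HEADER_SIZE)
    struct.pack_into("<I", body, 0x08, zlib.adler32(bytes(body[0x0C:])) & 0xFFFFFFFF)
    return bytes(body)


def build_demo_apk(corrupt_second: bool = False) -> bytes:
    """Constructed multidex APK (ZIP) for the demo; optionally damage classes2.dex."""
    second = make_dex(b"039", class_defs=3)
    if corrupt_second:
        second = second[:-1] + bytes([second[-1] ^ 0xFF])   # flip one byte, keep length
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML magic only
        z.writestr("classes.dex", make_dex(b"035", class_defs=12, extra=b"\x00" * 64))
        z.writestr("classes2.dex", second)
        z.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_demo_apk()), ("corrupt", build_demo_apk(True))):
        print(label, inspect_apk(apk))
```

Once the report shows `ready_for_dex2jar`, the two exam steps are `d2j-dex2jar.sh app.apk -o app.jar` followed by opening app.jar in a Java decompiler such as JD-GUI; jadx (`jadx -d out app.apk`) collapses both steps by decompiling DEX to Java source directly, which is convenient in practice but is not the answer the exam expects.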