CompTIA PenTest+ (PT0-002) — Question 139

A penetration tester is testing a new version of a mobile application in a sandbox environment. To intercept and decrypt the traffic between the application and the external API, the tester has created a private root CA and issued a certificate from it. Even though the tester installed the root CA into the trusted stone of the smartphone used for the tests, the application shows an error indicating a certificate mismatch and does not connect to the server. Which of the following is the
MOST likely reason for the error?

Answer options

• A. TCP port 443 is not open on the firewall
• B. The API server is using SSL instead of TLS
• C. The tester is using an outdated version of the application
• D. The application has the API certificate pinned.

Correct answer: D

Explanation

The most probable reason for the error is that the application has the API certificate pinned, which means it only accepts specific certificates and does not allow for interception. The other options are less likely to be the cause; for instance, if TCP port 443 were closed, the app wouldn't even attempt a connection, and the SSL vs. TLS distinction does not affect certificate trust issues.