CompTIA PenTest+ (PT0-002) — Question 290
While performing a mobile application penetration test, a security consultant notices that the user password is being locally encrypted before it is sent to the back end for authentication. Which of the following techniques would be best for the consultant to use to find the encryption algorithm and the encryption key?
Answer options
- A. Sandbox analysis
- B. Information leakage
- C. Reverse engineering
- D. Brute-force attack
Correct answer: C
Explanation
Reverse engineering is the most effective technique for uncovering the encryption algorithm and key. Because the password is encrypted locally, the code that performs the encryption is part of the app itself, and reverse engineering allows the consultant to analyze the app's binary and code directly. Sandbox analysis may provide some insights but does not focus specifically on encryption details. Information leakage could potentially reveal sensitive data but is not a direct method for discovering encryption specifics. A brute-force attack would be impractical without knowing the algorithm or key length.