CAS-001 Question #502: Real Exam Question with Answer & Explanation
The correct answer is C: Local storage of the authenticated token on the mobile application is secured. For SSO to be secure on a mobile application, the authenticated session token stored locally must be protected, because compromise of that token allows full session hijacking across all federated services.
Question
An organization has just released a new mobile application for its customers. The application has an inbuilt browser and native application to render content from existing websites and the organization's new web services gateway. All rendering of the content is performed on the mobile application. The application requires SSO between the application, the web services gateway and legacy UI. Which of the following controls MUST be implemented to securely enable SSO?
Options
- A. A registration process is implemented to have a random number stored on the client.
- B. The identity is passed between the applications as a HTTP header over REST.
- C. Local storage of the authenticated token on the mobile application is secured.
- D. Attestation of the XACML payload to ensure that the client is authorized.
Explanation
For SSO to be secure on a mobile application, the authenticated session token stored locally must be protected, because compromise of that token allows full session hijacking across all federated services.
Common mistakes.
- A. Storing a random number on the client is a nonce or anti-replay mechanism, not a control that secures the SSO token itself or prevents session theft.
- B. Passing identity as a plain HTTP header over REST is inherently insecure because headers are easily intercepted or spoofed, and this approach provides no integrity protection for the identity assertion.
- D. XACML (eXtensible Access Control Markup Language) is an authorization policy standard, not an authentication mechanism, and attestation of an XACML payload does not establish or protect the SSO session.
Concept tested. Secure token storage for mobile SSO
Reference. https://owasp.org/www-project-mobile-top-10/