Mobile Application Security and Penetration Testing (MASPT) course + eLearnSecurity Mobile Application Penetration Tester (eMAPT) certificate review
There are a lot of tutorials about testing mobile apps available on the Internet; however, they are often either outdated or present limited testing scenarios. I was looking for a comprehensive course which would systematise my knowledge in the field of mobile app security. Additionally, I prefer an online course, which can be done after work, and the vendor should be commonly recognised among the security community. Quick research pointed to 2 candidates: the GIAC Mobile Device Security Analyst (GMOB) and Mobile Application Security and Penetration Testing (MASPT) from eLearnSecurity.
Since passing an OSCP exam I’ve appreciated the learning power of practical laboratories and exams. First of all, once you go through the ordeal of setting up a testing environment and exploit a vulnerability, you may say that you understand an issue and know how to find it in other apps. Secondly, the knowledge gained through hands-on labs is more sustainable in comparison to passively reading and watching videos. Finally, I don’t have much respect for multiple-choice exams, because of so many available exam dumps. These arguments bring me to one conclusion — let’s check out the MASPT training!
Prices of the MASPT course start from 899$, but you have to pay 1099$ if you want to gain the eMAPT certificate, video materials and lab access. The quality of the course materials is pretty good. The course with videos comprehensively covers all fields of security from an offensive perspective (it’s a course for penetration testers rather than for developers). There are 21 modules divided into 2 sections: Android and iOS. The MASPT course is visibly more focused on Android security — there are more materials, more labs (20 Android lab apps and just 6 for the iOS part) and the final exam is based ONLY on an Android app.
Each lab is an app with some vulnerability, which you have to find and exploit. For each app you also receive a manual guide with objectives and a walkthrough of how to finish the lab. Unfortunately, the provided solutions are usually limited to a few adb or drozer commands. I think it would be beneficial to also provide the code of an exploit application. If you’ve never written any mobile app, you may have difficulties in the exam.
The final exam is about writing a malicious app which exploits 2 vulnerabilities and extracts some sensitive data. It is not very challenging, as you have 7 days to accomplish this goal. However, as I said before — if you have never written any app, this task may not be so easy. Once your app is ready and your exploits work, you should upload the source code and binary app and… that’s all! There is no need for any report, which is actually what I’m missing. A report is the main output of a pentester’s work, so I believe it would be beneficial to teach people good practices in writing a report. I think it would be beneficial (for sure for beginners) if the MASPT course also contained a high-quality report template.
After uploading your app, you will receive a result in 30 business days (17 business days in my case) and you get your new, shiny certificate.
The sad thing is that this certificate shows a bad link for verifying the certificate owner… this is the correct one: https://www.elearnsecurity.com/certification/emapt/verify.
To sum it up I think it’s worth taking the MASPT course, because:
- the quality of the training materials, videos and labs is very good,
- it covers Android and iOS security in a comprehensive way,
- support on forums from admins and other students,
- it has a practical exam, so the eMAPT certificate really determines practical skills.
The drawbacks I found are the following:
- mainly focused on Android,
- in some fields it is outdated (e.g. vulnerabilities working only on iOS<7, or API<12),
- doesn’t touch the reporting phase.
Personally I recommend this course (especially for beginners in the mobile security field), as I learnt some new things and had a great time playing in the labs.