Just finished taking the 7-day challenge exam for the eLearn Security Mobile Application Security and Penetration Testing Course (https://www.elearnsecurity.com/course/mobile_application_security_and_penetration_testing/). Overall, I was extremely happy with this course. Here is an overview of my thoughts (both positive and negative) on both the course and the exam:
Some of the course is a bit outdated -
- Targets iOS 6 (currently on iOS 8.1) and Android 4.1.2 Jellybean (currently on Android 5.0.1 Lollipop).
- I personally don't see this as a huge concern, as this seems to be pretty common in the industry. It's pretty typical to take traditional PenTest courses that start you off attacking Windows XP with MS08-067. Along the same lines, this seems to be an effective way to introduce the fundamentals with some additional attack surface for practicing.
- The Android test environment setup uses the Eclipse IDE and the Android SDK. These solutions are deprecated and have since been replaced with Android Studio. Android Studio is very similar in functionality, but has a completely different GUI. So you are definitely going to have to figure some things out when getting started. Knowing the old setup is sufficient to do some searches and figure out what you need to do. Also, feedback from the admins in the forums indicates that the course should be updated soon. But as the course currently stands, it's a bit frustrating.
Course content was fantastic -
- Overall, once you get past the test environment setup, the course is REALLY good. The test apps are a lot of fun, and the content is well presented.
- The course was definitely more focused on Android than iOS (which was a plus for me, since I was already pretty comfortable with iOS testing, and not so much with Android...but this may be a negative for some).
The Challenge Exam -
- Similar to the course, the exam is only on the Android side (no iOS component). Once again, this was fine by me.
- Just like the eWPT exam, this one was VERY well engineered to be highly challenging and to require you to be able to string together multiple exploits to successfully complete the challenge.
- The concept of the exam was awesome. Rather than the traditional "do a pentest and deliver a report" routine that I've encountered with both OSCP and eWPT, this was much more creative. Rather than doing a report, you actually have to write your own malicious Android app. You are provided two related target applications, and you have to write your own app that will exploit multiple flaws on each of those to extract sensitive data. The malicious app (source code and installation package) is your only deliverable.
- You have to be proficient at run-time exploits, reverse-engineering, and writing your own Android app to be able to pass the exam.
- Although it was challenging, 7 days is definitely more than enough for the exam. I managed to complete it in 3 days, with a total of probably about 18 hours of testing.
Overall, I'm very happy with the course and feel like I got a lot out of it.