eLearnSecurity Mobile Application Penetration Testing (eMAPT) Review

GhostPain (Registered Users, Posts: 3)
The following review is a summary of my experience with the eLearnSecurity Mobile Application Penetration Testing course and certificate. This is my opinion based on my experience and not the standpoint of the company that I worked at when I did the course. Also, I am not paid by eLearnSecurity. At the time I did this course, it was the v1 version. About half a month after I finished the exam, the v2 version came out. It was nice that I got the updated version, because I already did the first version. Again, I wanted a course with a hands-on exam and to learn at least the basics. There were 3-4 courses back then that I knew about: SANS, eLearnSecurity, PentesterAcademy and probably MDSEC trainings at conferences, but only eLearnSecurity and SANS gave certification.
I had no mobile penetration testing experience, but I had learnt Java and C# at college and Objective-C and C by myself. It helped me during and after the course to understand how the apps work. After the exam I finished reading the famous and awesome Objective-C Programming: The Big Nerd Ranch Guide book. This will help to understand more things for iOS, and there is now also a Swift version.
In parallel, I read the web application hacker's handbook, watched the PentesterAcademy iOS and Android course videos and did this course. Unfortunately, I missed a lot of tools that were not mentioned or presented in the course: enjarify, MobSF, Frida, Androguard, keychain-dumper, QARK, Androbugs, genymotion, drozer, needle (that came out way after the course), Snoop-it, Android-SSL-TrustKiller, SSL Kill Switch, AXMLPrinter or aapt. Also, I think that there was no mention of BinaryCookieReader/cookies.binarycookie, keychain and binary AndroidManifest.xml in the course, but I could be wrong.
I think it is very good how the Intents, Activity Manager, Content Providers and Broadcast Receiver topics were explained. The same quality and depth as in the web application penetration testing course. I really liked and enjoyed this chapter.
It was nice that cert pinning is shown and explained, but there was no mention of Android-SSL-TrustKiller and SSL Kill Switch for automating it. Those tools saved a lot of time during real-life app testing.
I don’t understand why backdooring the APK with Meterpreter and the WebView exploit are not mentioned in any of the chapters. Later I did a little demo with them; it was fun.
I liked the lab; you can actually try and apply what you learnt. Maybe mentioning the DIVA and DVA would be good. You can never exercise enough, right?
The v2 version now writes about or mentions the following: QARK, drozer, Android-SSL-TrustKiller.
The exam was a little bit hard-ish, because of the programming part (I learnt Java, but didn’t develop continuously). I did the exam in about 12 hours. It was a little bit confusing whether I wrote my code well or not, but after an email, it turned out I did well.
I did the Full version and I don’t know exactly how much time I put into it, but because of the 180 days of exam restriction, I can say that I did everything in 3 months while I was working.
One of my eyes laughed, the other cried. I had a lot of knowledge and had a certification, but it wasn’t only from this course. With all three sources (eLearnSecurity eMAPT, PentesterAcademy iOS+Android, the mobile app hacker’s handbook), I felt that I had a good basic/medium knowledge.
I would recommend it to everybody if it were more up to date (the missing tools, plus being based on Swift and a new Android version) or if it were cheaper by 30%, so I would say wait a little bit and pressure the company to update the course.
After a year I gave up on mobile app testing, because I had too wide a field of testing area and I wanted to focus on exploiting and reverse engineering.

Comments

  • ottucsak (Member, Posts: 146)
    How long did it take them to assess your exam? I have been waiting for 10 days now for mine and still no pass/fail email.
  • the_Grinch (Member, Posts: 4,165)
    Thanks for the review! I bought this course when they launched Version 2 and haven't had the time to touch it. Going to run through PTS and then jump into this, as for work it would be very relevant.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff