Another eLearnSecurity course down, so here comes my eMAPT review!
eMAPT Review - Introduction
Note that this review will be Android only, as that is all I had completed by the time I took the exam. The exam is now Android only, but I plan on finishing up the iOS sections in the future. I may or may not write a review for that, depending on how it goes and if anyone wants one.
I will do my best to describe the Android half of the course as best I can. That said, of all of my eLS reviews, this will have the most negative feedback/constructive criticism. Keep in mind my other reviews, and the high regard I hold them in when reading this though.
Course Material - Ground Work
- Android Architecture - this was a slightly heavy introduction (for me), but a great chapter. This chapter covered a ton about how the Android universe worked in general, as well as the similarities and differences to a standard Linux OS.
- Setting up a testing environment - this was a shorter chapter, but it helped me get my environment ready for the rest of the course.
- Android build process - this chapter was fairly self-explanatory. That said, this chapter helped me to understand how Java code became an android application, what an APK was, and where all the files lived.
Course Material - Fundamentals
- Reversing APKs - this chapter was where the theories started to become actions. The Reversing APKs chapter introduced most of the tools that would be used throughout the course.
I had used a few of these tools before, but his laid them all out in a concise and understandable order.
- Device Rooting - the rooting chapter was a bit of a disappointment after reading the title. This chapter covered how a device root usually occurs, and how you maintain persistence afterwards. Unfortunately, I would have loved to see a real example of a simpler root exploit and the breakdown. I understand that some of these might be overly complicated, or hard to find versions for, but that would have made this chapter awesome.
- Android Application Fundamentals - this chapter was rough. Not in a bad sense, but this chapter was incredibly in-depth and technical. The application fundamentals covered almost everything about how applications interact with each other, the system, browsers, etc. That said, I got a ton of security ideas from this chapter, and more than I expected stuck with me. If someone could only read one chapter of this course, I'd actually probably recommend this one.
Course Material - Vulnerabilities and Exploits
- Network Traffic - the network traffic section helped explain certificate pinning, and the different issues that can occur in the mobile SSL environment. Getting mobile apps to proxy through Burp can occasionally be a hassle, and this is the main reason. There were also a few interesting attack vectors brought up here (stealing the private keys), and an interesting lab that I'll cover below.
- Device and Data Security - this helps solidify where files lived and what sort of security features protected them. This was also the chapter that mentioned the dangers of rooting,
which are important to keep in mind for personal devices. Other than that, there were a few key vulnerabilities to check for, especially in older devices.
- Tapjacking - tapjacking is very similar to clickjacking, only on a mobile device. That said, while it is easy to fix in theory, the real solution has proven problematic.
Course Material - Code Analysis
- Static Code Analysis - the static analysis section was great, and finally started to bring in some automation into the material. From what I could tell, there were a lot of things that could be discovered through static analysis. These didn't only include vulnerabilities, but mis-configurations as well as possible attack vectors for manual testing/fuzzing. I've heard mixed reviews about QARK, but it was pretty neat to automatically generate a PoC binary.
- Dynamic Code Analysis
eMAPT Review - Labs
While the eMAPT has definitely improved since version 1, there are definitely still some problems (account required).
- Reversing APKs - the first lab, and this definitely got me into the course. It's fairly easy and straightforward, but it was great exploiting my first real vulnerability on a mobile device.
- Network Traffic - this lab was pretty interesting to show cert pinning and how to defeat it. That said, I still don't understand why it isn't/wasn't possible to just overwrite the pin value with my malicious version instead of removing it entirely.
- Device and Data Security - I wasn't actually able to get these APKs to work properly, even with API 16.
- Tapjacking - it was kind of neat to use QARK to automatically generate an exploit, but that's about all I can say about this lab.
- Static Code Analysis - this was the first lab section that I really enjoyed. Sending a fake text to myself from a fake number (see below) was pretty neat. Using web vulnerabilities like directory traversal against a mobile application was super neat, as was learning how to do it over adb. My only real problem with this section was the huge disconnect between what it was calling SQL Injection (basically just running queries against a database) and what web courses call it (injecting malicious code into the middle of queries).
- Dynamic Code Analysis - this section was pretty neat, and had a lot of good labs. There are examples of code injection similar to a web application, log sniffing to grab poor debugging statements (a real application had passwords being sent to a log...), and a few other ways of hitting intents.
eMAPT Review - Exam
The eMAPT exam was different from any other eLearnSecurity course that I've taken.
You do not submit a penetration testing report for this course, like you do with the others.
For the eMAPT exam, you are given a vulnerable Android application. From there you are to discover all the vulnerabilities and write a PoC Android application that exploits them.
Finding the vulnerabilities themselves took about 3-4 minutes, which felt great. That said, as a whole, the exam felt more at home in a Java class that I would have taken in the past. I spent most of the 3-4 hours that the exam took reading the Java API and remembering syntax.
In the end, my application was pretty neat (and worked), but I didn't feel like a penetration tester of the application. From what I've seen in the industry, testers perform mobile tests similarly to web application engagements. You get the application, look for all vulnerabilities, and write-up a report. I've never had a colleague just write a PoC Android application and send that to a client in lieu of a report. Other than that, while the course suggests that one learn Java to better understand the applications, the material should clearly state that they will be programming.
eMAPT Review - Conclusion
Since I already got my feedback, I'm just waiting on the physical cert to arrive!
While I did have a few negative things to say about the course, I still really enjoyed it.
This was an interesting course, and my first real foray into the world of mobile exploitation. I may pick up the MAHH in the future to brush up and learn even more.
In the end though, I'm not terribly motivated to continue with mobile exploitation or research at this time. I think the lack of interest is because of my interaction and feelings towards the discipline, but the course also didn't get me as excited as some of the earlier ones have.
All in all, this was a good course, but reminiscent of the eCPPT in its early days. Once it goes through one more iteration or so, it will be able to stand toe to toe with the rest of eLearnSecurity's offerings. Until then, unless you compare it to some of their other courses, it is a great class in its own regard.
Up next for me is the eCRE once I finish my GXPN course and exam!