I subscribed to eLearnSecurity's eMAPT v2 certification almost a year ago, but I just had enough time this month to complete the course. If you are not familiar with eMAPT, it's a mobile penetration testing course/certification that contains both Android and iOS related information. Unlike other courses on the market, eMAPT has been updated recently (this is actually version 2.5) and offers pretty much up-to-date information on mobile application security. This means that while other courses target old versions like Jellybean, eMAPT already has Nougat in mind.

The course is available in 3 different packages and I would recommend going for the most expensive as that's the only one that contains HTML5 and PDF. If you go with the more expensive packs, you also get an exam voucher (with free retake), hands-on lab exercises with walkthroughs and several hours of training videos.

My approach was to go through the slides first from beginning to end. These contained really deep technical knowledge about the security aspect of mobile applications, so they give you a very strong foundation for security testing. After that I watched all the videos, which were helpful, but basically contained roughly the same information that's in the slides.

By this time I had enough theoretical knowledge to start the labs. Instead of a single vulnerable mobile application like sieve or DIVA, you get several smaller applications and instructions on how to find vulnerabilities or exploit them. I preferred this approach as I had to do more legwork than with a single app, and it gave me more opportunity to practice. Unfortunately, the labs don't cover the actual hardcore part of mobile application security (deobfuscation, mobile application hooking) and sometimes use simple tools to do tasks that can be done more efficiently, but overall it's a good start for a beginner who wants to learn more about mobile security. To make sure that I can take everything they throw at me, I also trained on some vulnerable apps like sieve or DIVA.

For the exam, you have 7 days to craft a PoC that exploits the vulnerabilities found in the exam applications. The exam is only for Android, so you don't need to own an OSX or an iOS device. If you are well-prepared for the exam, you can tackle it in a few hours. For me it took less than two hours to find the exploit chain and another 3-4 hours to learn how to make an Android application that exploits the vulnerabilities. Overall, I enjoyed the exam, but I didn't break a sweat. I was expecting more red herrings and exploit routes that take you nowhere, so if you already know how to hack mobile applications, it might be a walk in the park for you.

Overall, I would recommend this course to people who want to start learning about hacking mobile apps and developers who want to write/design secure mobile applications. It gives you a strong foundation in mobile application security, but doesn't go too deep into the hacking part, so you might need to do more research depending on your interests.

Pros:

  • The only up-to-date mobile security course
  • Gives a great overview on mobile app security
  • Useful for both developers and penetration testers
  • 26 hands-on labs

Cons:

  • The exam is not really challenging
  • The videos don't add much more value
  • The cheaper packages only contain the Adobe Flash version of the course

tl;dr: Good foundation course/certification for beginner penetration testers or developers. 4/5