Discover the All Access Pass

eLearnSecurity

MASPT v2

Mobile Application Security and Penetration Testing

Curious about this course?

Enroll now and get access to all of our material and labs!

Extremely Hands-on

Practice Mobile Application Security and Penetration Testing against a number of real world mobile applications that you can download and play with at any time.

Discover Labs

Become Certified

Obtain the eMAPT certification and prove your practical skills with the only 100% practical certification on Mobile Application Security and Penetration Testing

Discover eMAPT

Course at a glance

  • Start from iOS and Android architectures basics
  • Exposes Android and iOS vulnerabilities in-depth
  • Covers mobile OSs security mechanisms and implementations
  • Covers Mobile applications reverse engineering
  • In depth mobile applications static and dynamic analysis
  • Practice on real world mobile applications
  • Build your own home lab on mobile application security
  • Provides you the skills necessary to peform Penetration tests of mobile applications
  • Covers: APKTool, Dex2Jar, GDB Debugger, Cycript and many others
  • After obtaining the eMAPT certification qualifies you for 40 CPE

Course material

  • 4 hours of video training material
  • 21 highly technical modules
  • 18 apps to practice with

Course delivery

  • Self-paced
  • Off-line access available
  • Access from PC, Tablet and Smartphone

Test drive this course for free

Syllabus

Section: Android

  • Module 1 : Android: Android Architectures

    Before we dive into Security and Penetration Testing, we will introduce you to the Android environment. There are few key concepts you should be familiar with before we get started.

  • Module 2 : Android: Setting up a Testing Environment

    Prior to diving into Android Application Security, we need to have a means to examine, build, debug and run applications. For these purposes, we’ll need to install the Android Studio IDE (Integrated Development Environment).

  • Module 3 : Android: Android Build Process

    Understanding how Android Studio compiles the code and resources into a working Android application will help you better understand how all the pieces fit together. This will also provide insight into the protection employed to guarantee the authenticity of applications and circumstances by which they can be rendered meaningless.

  • Module 4 : Android: Reversing APKs

    In this section, we’ll discuss the process of reversing Android applications. This is an important skill for anyone who wants to audit the security of third-party applications where the source code is unavailable.

  • Module 5 : Android: Device Rooting

    Rooting is a process by which one obtains “root” or system level access to an Android device. In this module you will learn why it can be important for our security tests but also which are the implications of rooting a device.

  • Module 6 : Android: Android Application Fundamentals

    In order to perform a thorough pentest on Android application you must know and master all its components. In this module you will study all the fundamental concepts and topics that you may encounter during your security test tasks

  • Module 7 : Android: Network Traffic

    Mobile devices are unique in how they use networks, being almost exclusively wireless and often bouncing between cellular and Wi-Fi networks. To lower cellular data traffic, some cellular carriers provide Wi-Fi hotspots for their customers. Bad guys know this and will often set up fake Wi-Fi networks, tricking the devices into connecting. In this module you will learn how to configure your environment in order to inspect and analyze network traffic.

  • Module 8 : Android: Device and Data Security

    How securely data is stored on mobile devices has become a hot topic lately. In fact, Insecure Data Storage is second most common vulnerability, according to the OWASP Mobile Top Ten.

  • Module 9 : Android: Tapjacking

    If you are familiar with Clickjacking in web applications, you’re already familiar with the basic concepts of Tapjacking. In a Tapjacking attack, a malicious application is launched and positions itself atop a victim application. In this module you will see some example of Tapjacking, but also how to properly develop an Application to solve this issue.

  • Module 10 : Android: Static Code Analysis

    Dynamic Code Analysis is the process by which code is reviewed for vulnerabilities by actually executing some or all of the code. This execution could occur in a normal environment, virtualized environment or a debugger. This type of inspection also allows you to directly observe network requests, interactions with other applications and the results of any error conditions encountered.

  • Module 11 : Android: Dynamic Code Analysis

    Static Code Analysis is a process for programmatically examining application code on disk, rather than while it is running. There are numerous scientifically rigorous approaches to the problems of validating that code is free of errors. In this module you will learn how to perform security tests on Android application by using different static code analysis.

Section: iOS

  • Module 1 : iOS: iOS Architecture

    To understand the iOS ecosystem, we need to realize that iOS operating system is based on Darwin OS, which was originally written by Apple in C, C++ and Objective-C. Darwin is also at the heart of OSX, and thus OS X and iOS share some common foundation.

  • Module 2 : iOS: Device Jailbreaking

    Jailbreaking is the process of actively circumventing/removing such restrictions and other security controls put in place by the operating system. This allows users to install unapproved apps (apps not signed by a certificate issued by Apple) and leverage more APIs, which are otherwise not accessible in normal scenarios.

  • Module 3 : iOS: Setting up a Testing Environment

    Before we proceed, it is important to understand a few fundamental concepts unique to apple ecosystem, and more precisely related to the iOS app development process. Apple provides simulators for different hardware and iOS versions.

  • Module 4 : iOS: iOS Build Process

    In this module you will learn how the iOS build process works and what are the differences between running an application on a device or the emulator.

  • Module 5 : iOS: Reversing iOS Apps

    There is an incentive for an attacker to examine and understand how the software works, so that they can then look for further weak spots or patch/manipulate those binaries to their advantage. In this module you will see which are the most used techniques and tools to successfully reverse iOS application.

  • Module 6 : iOS: iOS Application Fundamentals

    In order to perform a thorough pentest on iOS applications you must know and master all its components. In this module you will study how applications are composed and what each component is useful for.

  • Module 7 : iOS: iOS Testing Fundamentals

    In this module you will start running your security tests against iOS Applications. Depending on the target of your tests, you will learn different techniques and use multiple tools to reach your goal.

  • Module 8 : iOS: Network Traffic

    In this module you will learn how to configure your environment in order to inspect and analyze network traffic.

  • Module 9 : iOS: Device Administration

    iOS 6 and later versions, have a built in support for powerful device management capability with fine grain controls that allows an organization to control the corporate apple devices and data stored on it. In this module you will see which options organizations have to get clear visibility into all the active devices, ensure that the devices are in compliance, that the software running on these devices is up to date and much more.

  • Module 10 : iOS: Dynamic Analysis

    There is a certain class of applications, that has significant amount of client side logic built into it. Typical examples include word-processing software, image editors, games, utilities etc. In such cases, there is an incentive for attackers to be able to examine and understand how the software works, so that they can then look for further weak spots in the application or bypass restrictions that are applied locally.

Download PDF Syllabus

Pre-requisites

  • Basic knowledge of programming fundamentals.
  • Basic knowledge of programming languages such as Java and Objective-C/Swift.
  • OSX El Capitan and an iOS (version 8.3) device such as iPod, iPhone, iPad required for some of the iOS topics.
  • Basic security concepts such as : cryptography, reverse engineering, SQL injections and web tools such as Wireshark and OWASP ZAP (or Burp)

This training course is for...

  • Penetration testers
  • Forensers
  • Mobile App Developers
  • IT personnel

Labs

During the Mobile Application Security and Penetration Testing course you will have to deal with several guided labs and exercises that will help you to improve your mobile pentesting skills.

These labs are Android and iOS applications that you have to test in order to apply the techniques explained and reach the final goal. Depending on the lab you will be provided with the application installer or the source code of the application.

During your tests you will have to: Install, run and test each application, Find security issues, Develop a Proof-of-Concept (PoC) exploit for each issue found

Lab IDDescriptionCategory
Lab 1 StartingLab Android
Lab 2 Locating Secrets Android
Lab 3 Bypass Security Controls Android
Lab 4 Obfuscation Android
Lab 5 Outlook Android
Lab 6 UberCab Android
Lab 7 PinTester Android
Lab 8 Insecure External Storage Android
Lab 9 Tapjacking Android
Lab 10 FileBrowser and FileBrowserExploit Android
Lab 11 NoteList Android
Lab 12 Leack Result Android
Lab 13 Vulnerable Receiver Android
Lab 14 Silly Service Android
Lab 15 WeakWallet Android
Lab 16 Starting Lab iOS
Lab 17 LogMeIn iOS
Lab 18 LogMeIn2 iOS

Certification

Get eMAPT Certification

eLearnSecurity's eMAPT (eLearnSecurity Mobile Application Penetration Tester) certification is the only certification that proves that you know Mobile Application Security and Penetration Testing in practice.

Learn more

Instructors

  • Anthony Trummer
    Anthony Trummer

    Tony is the Director of Security Engineering in Tinder and has 20 years IT experience, including network engineering/security, systems administration, consulting and application security. He is recognized in the Android Security Acknowledgements and numerous responsible disclosure programs, such as Microsoft, Yahoo, WordPress and Uber. He is also the creator and core contributor to QARK. Speaker/Presenter: DefCon, Wall of Sheep, Black Hat London, Black Hat USA, BSides Las Vegas, DeepSec, Hack-in-The-Box, AppSec California and AppSec USA

  • Tushar Dalvi
    Tushar Dalvi

    Tushar is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.

  • Francesco Stillavato
    Francesco Stillavato

    Francesco Stillavato is Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelance. Publications: Francesco is the author of the Penetration testing course Professional, Penetration Testing Student and author of Hera Lab scenarios. Education: Francesco Stillavato holds a Master's Degree in Information Security from Università di Pisa

Enroll now and get access to all of our material and labs!

Frequently Asked Questions

  • What software/hardware requirements are there?

    Any web browser (for IE version 8+ is required) is supported. If you run Kali Linux/Backtrack as a virtual machine you will need at least 2GB of RAM. Minimum internet speed of 512 Kbit/s recommended for video streaming. <strong>For some of the iOS related exercises you will need an iOS device (6+) and a MacOS X Maverick. No physical devices are required for Android section.

  • How do you provide support?

    As soon as you enroll in one of our courses you are provided with access to private forums (subject to the plan selecte) where you will find instructors and community managers available to help you 24/7. Support for billing, technical and exam-related questions is also provided by email.

  • How can I pay for the training course fees?

    All major credit cards, Paypal and bank transfer are supported. Installment plans available.

  • What happens when there's a new update to the contents?

    Minor updates such as bug fixes or additional labs are provided for free. Major releases (e.g. upgrade from 2.0 to 3.0) require an upgrade fee. We reserve the right to issue minor or major updates when we see the need.

  • Can I request a refund if contents are too difficult for me?

    We only process refunds/chargebacks for fraudulent transactions.

  • What is the difference between installment and one-off payment plans?

    Subscriptions let you split the enrollment fees in 3 or 4 months. You will receive new contents upon every billing cycle. If we don't receive the payment within 14 days from the due date the account will be frozen until payment is cleared.

  • Can I cancel an installment plan?

    You can cancel your subscription at any time, however you will lose access to the material you purchased in the meantime.

  • Are there any hidden fees?

    There are no hidden fees. If you are from a country where VAT is required (most EU countries), you have to add VAT to our ticket price. We are legally obligated to collect VAT on your purchases.

Go to top of page