SANS SEC575, titled “iOS and Android Application Security Analysis and Penetration Testing,” is a course that focuses on mobile device security analysis and penetration testing for both iOS and Android platforms. Here’s a summary of the key points:
- Duration: 6 days (available in-person or online)
- CPEs: 36
- Target Audience: Individuals interested in mobile device security, mobile app security, and penetration testing
- GIAC Mobile Device Security Analyst (GMOB) Certification: The course leads to the GMOB certification, which focuses on mobile device and application security.
What You Will Learn:
- Understand the security strengths and weaknesses of Apple iOS and Android devices, including the latest versions.
- Evaluate the security of built-in and third-party mobile applications.
- Learn to bypass platform encryption and manipulate apps to circumvent client-side security techniques.
- Use automated and manual mobile application analysis tools to identify vulnerabilities in mobile app network traffic, file system storage, and inter-app communication channels.
- Work with mobile malware samples to assess data exposure and access threats for both Android and iOS devices.
- Learn to bypass locked screens to exploit lost or stolen devices.
- Leverage Corellium for Android and iOS emulation to perform hands-on penetration testing in a realistic environment.
- Effectively communicate threats and vulnerabilities to key stakeholders.
- Utilize industry standards like the OWASP Mobile Application Security Verification Standard (MASVS) for assessing mobile applications.
The Importance of Mobile Device Security:
- Mobile devices are a significant attack surface in most organizations, and their security is crucial.
- These devices store sensitive and critical data, are frequently on the move, and have various wireless technologies, making them susceptible to attacks.
- Organizations often lack the skills needed to assess and secure their mobile devices effectively.
The Corellium Platform:
- Corellium is used for Android and iOS penetration testing in a realistic environment.
- It allows students to create virtualized iOS and Android devices with full root access, even on the latest versions.
- Students can test their skills in their browser while having full SSH/ADB access and access to powerful tools.
- The course covers iOS and Android, static and dynamic application analysis, and penetration testing, and includes a hands-on Capture-the-Flag event.
GIAC Mobile Device Security Analyst (GMOB) Certification:
- The GMOB certification focuses on assessing and managing mobile device and application security, mitigating mobile malware, and addressing issues related to stolen devices.
Prerequisites:
- Experience with programming in any language is recommended.
- Basic understanding of programming concepts such as conditional statements, variables, loops, and functions.
- Familiarity with Linux and terminal commands.
- Basic knowledge of penetration testing concepts (such as those taught in SANS SEC504: Hacker Tools, Techniques, and Incident Handling) is helpful.
In summary, SEC575 equips individuals with the knowledge and skills needed to assess and secure mobile devices and mobile applications on both iOS and Android platforms. The course culminates in the GIAC Mobile Device Security Analyst (GMOB) certification, demonstrating expertise in mobile device security.
Difficulty: 3 out of 5.
GMOB is a difficult certification to review. This was my last certification in the SANS Penetration Testing and Ethical Hacking graduate certificate and something I had taken a class or two in during undergrad. I generally knew what I was doing for any type of standard penetration test and already knew how to make Android apps. As a result, I didn't get a ton out of this course. I think someone with a less technical background would get a lot more. Using Bettercap wasn't anything new. Burp Suite and Metasploit were old friends. About half of the class was using tools I'd already used, just targeted at mobile apps.
Where the class shines is in the Android reverse engineering. I hadn't done a lot of that before and this was a great opportunity to get more familiar with that.
All of that said, I don't feel this class is enough to make you an expert in Android penetration testing to lead a mobile app pentest if you don't already have this background.
I keep mentioning Android pentesting because the iOS section is pretty much "step 1 is to jailbreak the phone", which cuts out most of the useful attack vectors. I don't think I would take this one again, but it wasn't a poorly made class or anything. Just not super relevant to what most of us are doing, and it doesn't really get you close enough to do Android pentesting if that's what you're after.