Battle of the mobile security trainings

tl;dr; SEC575 offers more in depth knowledge and better course material, however, you can’t beat the price point of MASPTv2. The GMOB certification is quite well rounded, but only theoretical. In comparison, eMAPT is practical, but covers only a small part of the spectrum.

As a security consultant and student of the SANS 575 course (Mobile Device Security and Ethical Hacking) I am interested in learning more about testing the security of mobile applications and platforms. So I was pleased to receive a newsletter from eLearnSecurity about the new version of their own mobile course: MASPTv2 (Mobile Application Security and Penetration Testing). In the E-mail they state as headline:

EXCLUSIVE: Try the best course on Mobile Security for free today!

This claim got me talking to Jens Behnisch of eLearnSecurity. Subsequently, in the interest of full disclosure, I got the offer to do the course for free in exchange for a review where I compare MASPTv2 to SANS SEC575.

Pricing

The first obvious difference between the two courses is the price:

| | SEC575 | MASPTv2 |
|---|---|---|
| Course | 5.910 USD | 999-1199 USD |
| Certification | 689 USD | Included |

Note:

– SANS prices can vary per event/currency. Also, early-bird discounts are available. If you fail the certification, you have to pay for it again, however, two training exams are included. Also, an OnDemand version is available but I cannot comment on this since I have no experience in this regard.

– eLearnSecurity also has a Barebone version that does not include labs or video training materials. The first retake of the exam is free.

So the SANS course is 5 to 6 times as expensive as the eLearnSecurity course. Is it worth it?

Course structure

MASPTv2

For anyone who has followed an eLearnSecurity course before, the structure is immediately clear. There is a section on Android and iOS and you have the possibility to view the associated slides either online or offline, depending on the course package that you bought.

Even if you cannot download the training material, you have lifetime access to it. The training material is interspersed with Labs and a total of four hours of videos that you can watch at your leisure whenever you want.

This makes the course nice and easy to combine with a job where you do not have the option to get a week off for training.

SEC575

The SANS courses are held at SANS venues around the world. Personally I attended SANS London in the fall of 2015.

The SEC575 course consists of a five-day training week and a CTF challenge on the 6th day. When you arrive at the room for the course, you can pick a seat and are presented with a slightly intimidating pile of course books, some SANS information, power and network access. You have to bring your own laptop.

SANS courses are commonly referred to as ‘drinking from the firehose’, and in order to succeed at the course you really have to apply yourself for the full five days of coursework and the associated labs. I also ended up cleaning up my notes in the hotel at night so I would have everything ready.

The course is given in a typical classroom structure with a slide deck and an instructor. Interaction is highly encouraged. Each day a number of labs are covered, and the instructor and a teaching assistant make sure that everyone can follow along.

Course Material

MASPTv2

The study materials for MASPTv2 consist of about 1400 slides, split up in 11 Android and 10 iOS sections.

Personally I find the choice of presenting course material in slide-form questionable, since there is no accompanying presentation. Text on slides flows less cleanly than in a normal form.

However, this is the eLearnSecurity standard, and it works well enough.

The material gives a good overview of the Android and iOS environment, and provides a clear path to follow when investigating applications. However, in most cases it stays slightly superficial and only takes a deep dive in a few instances. This felt like I was left hanging sometimes. For example, an excerpt from the last slide of a part about OEM apps:

“These apps are generally found in the /system/app directory on a device. [..] Unfortunately, this has led to some of the most impactful app-related vulnerabilities in the Android world, because it is common for many of them to run with system (root level) permissions.”

Now I am interested what these “most impactful app-related vulnerabilities” are, but I am never told.

One last gripe is that the course is ‘up-to-date’ to Android 7.0 and uses labs for API 24, however, it does not cover the new ‘Network Security Configuration’ that was included in this Android version. This feature offers a new way for developers to implement things like certificate pinning (https://developer.android.com/training/articles/security-config.html). I have encountered this feature in the wild already and it is important to know about this when you want to investigate modern Android applications.

SEC575

The SANS course offers a few hundred slides less than the eLearnSecurity course. However, these slides are made to support a presentation and, more importantly, are annotated. These annotations are usually longer than the information on the slide, and this makes all the difference. The slides contain the general overview and important points to remember, and the annotations give the context, examples and in-depth information.

However, while the content is better, one disadvantage of the SANS material is that you get it in printed form. This prevents you from having a nice pile of reference material when you are for example working on premise for a customer.

Also, the 5th day of the course covers things like SQL injection and XSS. While definitely useful, it was covered at a very introductory level, and didn’t flow well with the rest of the course.

The main course material was slightly out-of-date since I followed the course just after a major Android update. However, we were provided with a small extra booklet that covered the new security related features in the newest iOS and Android versions, which was nice.

Labs

The labs are a core part of both courses and are generally pretty good. Both courses suffer from the fact that the labs are focused on Android because otherwise you would need a physical iOS device.

These labs cover a pretty broad spectrum of the vulnerabilities that are discussed during the course. The difference is that MASPTv2 focuses more on the Application security side, while SEC575 is less focused, but also has labs covering smartphone forensics and more in depth reverse-engineering.

Both courses have one negative in the labs as far as I am concerned:

– MASPTv2 does not offer a full walk-through of all labs; this can make you feel stuck at some points. However, I have been told that a lab guide should be added at the start of January.

– SEC575 includes some labs that only work when connected to a server. This server is not included in the lab files and means that you can’t use some of the labs at home.

Certification

While the eMAPT and GMOB certifications are technically not part of the training, they are an integral part, since the courses are designed to prepare you for the certifications.

MASPTv2

This course prepares you for the eMAPT exam. Since I recently did the eCPPT exam I had high hopes because that exam is practical, relevant and challenges you. Sadly, the eMAPT exam is less interesting.

In this exam you have 7 days to create a PoC application that attacks two target applications. It is 100% practical and you have to deliver a working APK and the source code it was built from.

This is fine by me, I like practical exams. However, for me there are three negative points:

– It focuses on Android, which I can understand for a practical exam, since you can run Android in an emulator. However, this also means that eMAPT only tests knowledge of one mobile OS.

– You have to create a PoC Android application which is technically not covered in the course. Some of the (admittedly pretty simple) programming took longer than the actual exploit.

– Without giving too much away, the used exploits for both applications are pretty similar. There are so many mobile attack vectors and common flaws that it is a shame not more of them are included. Also, there are enough attacks that are similar on iOS and Android to make it less Android specific.

SEC575

The GMOB exam is the opposite of eMAPT. It is purely theoretical. You have two hours at a proctored location to take the exam. You can bring as many books and notes as you can fit under your arm, however, you don’t have enough time to look up everything. So you have to know the material pretty well.

This exam covers Android, iOS, and a bit of Blackberry and Windows Phone.

To be fair it has to be said that while the GMOB exam is purely theoretical, the CTF on the 6th day of the training can be seen as the practical part. Over the course of a day you have to, as a team, solve increasingly challenging exercises. While this is not reflected in the certificate, the best team can win one of the coveted SANS coins.

Conclusion

You do get what you pay for. SEC 575 is better and more in depth, but also five to six times as expensive. Also, the SANS course is more in depth than the eLearnSecurity course.

However, if you are newer to the field, and you want to have a great starting point, or the budget is a bit more tight, then MASPTv2 is definitely a great course with relevant labs that gets you started.

If your goal is to do a course for the certification in order to get past HR when applying for a job, then currently SANS is more well known. However, I think eLearnSecurity is working hard on improving this, as I have seen their certifications more regularly recently.