https://www.sans.org/cyber-security-courses/mobile-device-security-ethical-hacking/
https://www.giac.org/certifications/mobile-device-security-analyst-gmob/
Late on in 2022, my boss messaged me and asked if I would like to do a SANS course. This one was around mobile security. Having previously done a few mobile tests and done this course on Udemy AND having never done a SANS course before but heard how good they were, how could I refuse?
I got access to the course on February 9th 2023. I chose to do it remotely as the times it was available in-person sadly didn’t work out for me. There were 25 hours of videos by a very experienced mobile malware analyst, 5 books with copies of his slides and notes (and PDFs of the same) as well as lab exercises and a Capture The Flag task at the end.
It’s a well structured course, first going through how iOS works and is secured, then the same with Android. I learnt a lot about how rooting/jailbreaking the devices ACTUALLY works on a low level, with my previous knowledge basically being step by step on how to do it and not what was actually going on “under the hood”, so to speak.
The third and fourth sections are static analysis and dynamic analysis respectively, with the fifth section being mobile penetration testing. These three are more what I need to know for my job. There were a few tools I didn’t know here, and a couple of techniques I hadn’t tried, as well as (as before) going into more depth on HOW these things work which is always good for troubleshooting or potentially in the future coming up with your own tools and techniques.
I obviously can’t disclose the actual course content, but again, whilst I knew a reasonable amount of what was in there, the depth of knowledge it gives was more than I had.
Each of these sections has lab exercises that are split between the Slingshot VM they provide, and the Corellium instances of Android and iOS devices you create at the beginning of the course.
Having access to Corellium is great as you don’t need to purchase any devices and it talks you through setting up both of these virtual devices step by step. It also explains how Corellium are able to “emulate an iOS device”, which is quite interesting.
The CTF is a fun exercise and a good way to try out any newly found skills you’ve gained going through the course material.
Okay, onto the exam.
Once you’ve been through the course material, or while you’re going through the course material, start making an index. Here’s what I did wrong.
I created a OneNote file and was making notes on each of the videos/slides. Due to the exam being open book and OneNote being searchable I thought this was a great idea. I got to the end of the course material feeling like I could probably take the exam tomorrow. So I went to register for the exam and saw that while it is open book, access to digital resources is strictly prohibited. I hadn’t seen this mentioned before, and assumed open book meant the ability to use anything.
After a 5-minute meltdown, I realised that it wasn’t all wasted time. I could search the OneNote file to find instances of things I wanted to add to the index (SSL Pinning, Frida etc) and then find all of those pages in the course books and create an index based on that. A small section of my index looks a little something like this, but with an additional column to the left headed “Topic”.
Different ways of indexing may work for different people, but (spoiler alert) this worked quite well for me.
With the course you get two practice exams, which are great. The exam is 75 multiple choice questions and you get two hours to complete it, needing 71% or around 54 questions correct to pass. The practice exams are the exact same (though probably not the same questions).
I did the first practice exam blind. No index, no books, no resources at all. I got 53%, which I wasn’t unhappy with. It tells you immediately after answering a question if you got it wrong, and what the right answer is with a bit of an explanation, which is really helpful. I made notes on which topics I needed to focus on and added some of them to my existing index.
A couple of days later I tried the second practice exam, this time using the index and my course books and taking it a little slower than the first one which I blitzed through. I got 80%. I was feeling pretty ready for the exam by this point. I added a few more things to the index and had the exam booked for two days later, Friday 17th March 2023.
When booking the exam in the UK, you have two options for proctoring. You can either go to a Pearson Vue exam centre, or you can use ProctorU through your own device and do it at home. My advice is, if you can, go to a Pearson Vue centre. I had numerous issues with getting my device to be suitable to their standards to complete the exam. One of my devices is a Macbook with Windows installed through Bootcamp. After about 50 minutes of back and forth in time I was supposed to be doing the exam, it turned out this was not allowed.
I then had to get all of the requirements for the exam set up on my personal PC, reconnect to a proctor and go through the steps I’d already been through again. I was supposed to start at 10am and it was almost 11.30 by the time I actually started. It was all added stress on top of an already stressful situation so if I were to do the exam again that’s all I would do differently: go to a Pearson Vue centre.
That aside, once I actually started answering the questions I settled in and felt okay. I used my index and course books only, and came out with 77%, breathing a huge sigh of relief. Oh, as another note, it doesn’t tell you immediately if you’ve got a question wrong in the actual exam, so don’t go through thinking you’re getting 100% because, well, you might not be.
The course was really good and the tutor was very experienced, though sometimes he leant more towards a mobile malware perspective as this seems to be his forte, but it’s a SANS course so it’s not cheap. Details of the syllabus are in the link at the top of the page so you can decide whether or not it’s useful to you. If you’re unsure, I would recommend going back and checking out that Udemy course which is much cheaper and then, if you want to go a bit deeper and get a cert based on your mobile knowledge, look at this one. I definitely found it helpful to go more in depth and get details of more tools and techniques to add to my arsenal.
Tales from the Encrypt 