
(My) Beginner's Guide to Mobile Security

Jun 24, 2024

I have been asked countless times, especially by undergraduate students, how they can start learning mobile security, also known as mobile application security, mobile penetration testing, Android security, or iOS security. In this article, I will add my own entry to that most crowded of titles, “Beginner’s Guide…”

The first time I realised that mobisec is a domain and a niche that I could explore was after my first CTF competition back in September 2022. I saw Chalie use Frida, and for a moment, I couldn’t understand what was happening. Later that year, I began learning about Android hacking from this TryHackMe room.

As I continue to broaden my knowledge and skills in various cybersecurity domains such as forensics, malware analysis, and network & web application security, I find myself drawn to mobile security. It’s a field that I’m particularly passionate about, and I believe it holds immense potential for those interested in cybersecurity.

Getting Started

Mobile security is unique in some ways and not so different from other domains in others. What makes it unique is the underlying ecosystem: the operating systems (Android and iOS). A full immersion into mobisec means understanding the internals and architecture of these operating systems before getting to the highest level, the applications.

And as in other domains, security is always ‘secondary’ to the underlying technology. For instance, the web gives rise to web security, computer networks to network security, malware development to malware analysis, and mobile development to mobisec, and so on.

Courses & Skills

The following are courses I have used and that I recommend for any beginner (one with little or no experience). Some are paid, some are not. I always recommend beginning with free courses and, as interest grows, paying for content that is worth paying for. I know most free courses do not offer certificates, something beginners crave for recognition, but that should be the least of your worries if you have confidence in your skills.

SKILLS

Reverse engineering, APIs, networking, Android & iOS development, Frida, jadx, Burp Suite, web security, Android & iOS internals

FREE COURSES

Android Hacking 101 | TryHackMe
A very quick guide to getting started: a practical lab and questions, the TryHackMe way.

Mobile Hacking | Hacker 101
This learning track is dedicated to learning the most popular mobile vulnerabilities in both Android and iOS applications. The Android hacking content was created by Daeken and recorded by NahamSec and the iOS module was done by Dawn Isabel, Mobile Security Research Engineer at NowSecure!

Mobisec | Reyammer
It is my all-time favourite place to learn mobile hacking. Reyammer’s approach is academic, with very good but hacky challenges to complement his classes. It includes (and this is the best part) development, exploitation, and reversing challenges. All distinct areas of mobile hacking are well structured to make one an all-round mobile hacker.

Mobile Hacking Lab
A full, free Android application security course leading to the Certified Android Penetration Tester credential. Created by engineers with years of real-world mobisec experience. Fairly new, and well structured from the architecture down to the application. Best of all, they have very good hacking labs.

NowSecure Academy
As one of the leading Mobile Security powerhouses, NowSecure has an academy offering free courses that cover structured topics from development, operations, and security related to mobile apps. NowSecure supports OWASP MAS, making their courses more relevant as they address real-world mobile risks.

CERTIFICATIONS

Unlike software engineering jobs, where applicants sit Codility-style coding tests, cyber security jobs, and entry-level ones especially, require a recognized certification as proof of one’s skillset to pass the screening stage for a prospective interview.

Here are some practical certifications that are recognized and reasonably affordable for anyone looking for an entry- or junior-level certification.

CAPT | Mobile Hacking Lab
This serves as your gateway to demonstrate the skills and knowledge you have acquired throughout the course. It is a comprehensive assessment designed to challenge your understanding of Android application security.

PJMT | TCM Security
The Practical Junior Mobile Tester™ (PJMT) certification is a beginner-level mobile application penetration testing exam experience. This exam will assess a student’s ability to perform a mobile application penetration test at an associate level. Students will have two (2) full days to complete the assessment and an additional two (2) days to write a professional report.

eMAPT | INE Security
INE Security’s eMAPT is a hands-on challenge. Students receive a real-world scenario of two Android applications to analyze and pentest. The final deliverable is a working and reproducible proof of concept that is reviewed by INE’s course instructors.

BLOGS

https://executiveoffense.beehiiv.com/
https://8ksec.io/blog/
https://blog.oversecured.com/
https://www.mobilehackinglab.com/blog/

People to Follow

@mobilesecurity
@maddiestone

What next …

Bug bounty, contributing to open source security projects, applying for jobs, and anything in between.