# Course Material
The course covers very basic fundamentals like:
1. mobile app pentesting process
2. basic android architecture
3. user permissions
4. android application runtime
all explained in an easy-peasy way. It then moves into practical
content that requires direct testing, including the APK signing
process, setting up an Android lab with tools like jadx, adb,
apktool, and an emulator, as well as conducting static analysis like
pulling APK files from a mobile device, reviewing Manifest.XML files,
extracting hardcoded strings and secrets, enumerating cloud storage
and analyzing MobSF automation results. The dynamic analysis section
covers SSL pinning, MobSF dynamic testing, Burp Suite interception,
patching with Objection, and using Frida Codeshare. Additionally, the
course material includes injecting payloads using Metasploit and
Ghost Framework. Notably, all Android dynamic analysis topics also
have equivalent material available for iOS.
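To make the static-analysis steps listed above concrete (reviewing the manifest and extracting hardcoded secrets), here is a small triage script. It is an added example, not course material or code from TCM: it assumes the APK has already been decoded with `apktool d app.apk -o decoded/` (so the manifest and `res/values/strings.xml` are plain text) and its code decompiled with jadx; the manifest, `strings.xml` and Java snippets embedded below are constructed samples, and the secret patterns are a starting set to tune for the app under review.

```python
"""Static-analysis triage over files from a decoded APK.

Added example (not course material). Assumes the APK was decoded with
apktool (plain-text manifest and res/values/strings.xml) and its code
decompiled with jadx. All inputs below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Patterns for common hardcoded-credential formats. The generic one is
# deliberately loose; tune it for the app under review.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*[\"']?"
        r"[A-Za-z0-9_\-/+=]{8,}"),
}


def scan_secrets(text):
    """Return (kind, line_no, matched_text) for every secret-looking hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((kind, line_no, match.group(0)))
    return findings


def _is_launcher(component):
    """True if the component declares the MAIN action (expected to be exported)."""
    return any(action.get(ANDROID_NS + "name") == "android.intent.action.MAIN"
               for action in component.iter("action"))


def check_manifest(xml_text):
    """Flag risky <application> attributes and non-launcher exported components."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    issues = []
    for attr in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app.get(ANDROID_NS + attr) == "true":
            issues.append(f"application:{attr}=true")
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if comp.get(ANDROID_NS + "exported") == "true" and not _is_launcher(comp):
            suffix = "" if comp.find("intent-filter") is not None else " (no intent-filter)"
            issues.append(f"exported {comp.tag} {comp.get(ANDROID_NS + 'name')}{suffix}")
    return issues


# --- constructed sample inputs, shaped like apktool/jadx output ---
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demobank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:debuggable="true" android:allowBackup="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DebugActivity" android:exported="true"/>
    </application>
</manifest>
"""

STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo Bank</string>
    <string name="maps_key">AIzaSyA-0123456789abcdefghijklmnopqrstu</string>
    <string name="aws_key">AKIAEXAMPLEKEY000001</string>
    <string name="support_url">https://example.invalid/help</string>
</resources>
"""

JAVA_SRC = """package com.example.demobank;
public class Config {
    static final String BASE_URL = "https://api.example.invalid/";
    static final String PASSWORD = "changeme123";
}
"""


def triage(samples):
    """samples: {filename: text}. Returns {filename: findings} for files with hits."""
    report = {}
    for name, text in samples.items():
        hits = list(scan_secrets(text))
        if name.endswith("AndroidManifest.xml"):
            hits += check_manifest(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    samples = {"AndroidManifest.xml": MANIFEST_XML,
               "res/values/strings.xml": STRINGS_XML,
               "Config.java": JAVA_SRC}
    for name, hits in triage(samples).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

On a real decoded tree you would walk the directory and feed each file through `triage`; every hit is a candidate finding to confirm by hand (a launcher activity is exported by design, and a test key in `strings.xml` is not the same severity as a production one), which is exactly the judgement the report section of the exam asks you to write down.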
# What do I think is 'bad' in the TCM PMPA Course?
1. Very, very minimal (and compact? IDK)
All of the TCM PMPA course material
already exists on YouTube and on various blogs, often in versions
that are more detailed and comprehensive, both theoretically and
practically. In fact, for several topics such as Android Application
Signing, Frida Codeshare, and APK Patching,
I had to study external YouTube videos and blog articles in
order to fully understand them beyond what the course provides.
2. Not up to date.
The course only explains basic analysis that cannot realistically be
used for pentest assessments on complex applications. The first
stage of Mobile Application Pentesting focuses heavily on the output
of modules, plugins, and scripts—such as root modules (Magisk,
KernelSU), their related plugins, and essential hooking scripts for
bypassing defense mechanisms in applications that implement root
detection, SSL pinning, or device defense measures like MDM. Once
HTTP (or other protocols) can be logged and intercepted, the rest
depends on the pentester's ability to assess REST APIs, gRPC, or
other protocols, which ultimately returns to the OWASP WSTG
checklist and the natural instincts of each pentester.
3. Incomplete course material.
The course does not cover OWASP MASTG thoroughly. You can compare
the OWASP MASTG Best Practices for Mobile (https://mas.owasp.org/MASTG/best-practices/#) with the course contents. Notably, this course does not include
topics such as DeepLink, Frida hooking, or WebView exploitation.
However, even the basic material provided is still highly
incomplete.
4. Very minimal hands-on practice.
The course includes only one vulnerable APK, injured.apk (a
vulnerable app similar to DVWA or OWASP Juice Shop), and even that
is not covered thoroughly within the lessons.
# Recommendation
Simply put, I would (love to) recommend working on vulnerable
APKs such as:
1. Injured APK — https://github.com/B3nac/InjuredAndroid/releases
2. CrackMe APK —
https://github.com/OWASP/mastg/tree/master/Crackmes/Android
3. AllSafe APK — https://github.com/t0thkr1s/allsafe-android
instead of purchasing the TCM PMPA course material. All fundamental
topics such as Android security, architecture, and runtime are
already available on YouTube and in official documentation. My
suggestion is that if you need a Mobile App Security certification,
consider either INE eMAPT or Android Hacking Lab.
# About Exam
In the TCM PMPA exam, you will be given a VM (Ubuntu 22 LTS) accessible
through a web browser, and you will not be able to access the
internet, upload binary tools, or transfer files into the VM.
Everything you need, like Targets, Goals or Objectives, Rules of
Engagement, tools, and the Virtual Device, is already provided inside
the VM. By reviewing the entire ROE, you will immediately understand all
the limitations. The difficulty level is extremely easy; if you
already have a basic understanding of web pentesting (essentially
REST API pentesting), I am confident you can achieve the required
objective within an hour. Aside from achieving the objective, you
must also document all security findings discovered during the
pentest process.
Regarding the exam style, respect to TCM (compared to INE eJPT or TryHackMe
PT1), because there are no multiple-choice questions or the annoying INE
exam essay style. In the TCM exam, you are required to write a
professional pentest report, meaning the objective or goal
must appear in one of your evidence sections. In my report, I used a
complete Security Finding structure including:
1. CVSS 4.0 Score, Vector and Level (Informational - High)
2. Description
3. Risk and Security Impact
4. Attack Vector and Chaining
5. Recommendation for remediation
6. Evidence/Screenshots with short descriptions.
In total, I spent around 4 hours and 30 minutes (while taking it
slowly) to write and submit the report as a PDF. 25 minutes after
submitting, I received an email that I had passed the exam. You can use the
reference report template provided by TCM, but I personally chose to
recreate it in Microsoft Word because it looks cleaner in terms of
formatting, margins, fonts, and spacing.
# Conclusion
1. Do not purchase TCM PMPA. It is far better to learn by working on
the AllSafe APK and CrackMe APK CTFs, then writing your own detailed
write-ups, as the value is significantly higher (and harder than THE
EXAM, NOCAP!!).
2. If you need a Mobile App Security certification, you had better
choose either INE eMAPT or Android Hacking Lab.