Mobile apps are everywhere, with more than 100 billion downloads a year and over a billion new smartphones shipped annually (source, source). But while the ecosystem and its security threats are evolving quickly, the learning resources for mobile security haven't kept up.

“Security professionals rely on vulnerable apps to train and teach real-world pentesting and mitigation skills,” said Aleksandra Andreeva, Product Marketing Manager at 8kSec. “But the same old ones keep showing up in trainings, blogs, and talks, and they no longer reflect today’s threat landscape.”

That’s why 8kSec, a cybersecurity company focused on mobile security, is launching a new collection of free, hands-on mobile security labs covering iOS, Android, and ARM exploitation. Inspired by the functionality of real-world applications like games, VPNs, and password managers, these labs provide a legal and safe environment to move beyond theory and gain practical skills.

“A lack of modern, practical labs is one of the most common frustrations we hear from those new to mobile security,” Aleksandra added. “Our team has spent thousands of hours on research, and we’re excited to make that knowledge accessible through labs that explore mobile security from multiple angles.” She continued, "Imagine building a real-world exploit to take over a target application, or compromising it with just a single link. That is the exact, practical experience we want to offer."

The new labs are broken down into three categories:

10 Android Application Exploitation Challenges
The Android challenges feature the “Uncrackable” Android Apps. These are real-world applications with hidden logic vulnerabilities you can actually exploit using seemingly innocuous links or applications running on the device. Learners will gain hands-on experience with techniques like bypassing client-side security controls, exploiting deep links, and creating malicious applications to extract data from a target app.

11 iOS Application Exploitation Challenges
Learners can tackle the famously tough iOS ecosystem with a range of “secure” apps designed to challenge their knowledge. Participants will develop custom scripts and work with essential tools like Frida, Objection, and Hopper to tackle tasks ranging from bypassing biometric authentication and SSL pinning to hunting for “Golden Nuggets” hidden within the app.

9 ARM Exploitation Challenges
These challenges allow learners to master the backbone of mobile and IoT devices. Using target ARM64 binaries, participants get hands-on practice with reverse engineering and dynamic analysis, learning to bypass security controls as they tackle vulnerabilities ranging from classic heap overflows to subtle use-after-free bugs, using tools like pwndbg, radare2, and Ghidra to build a true attacker's mindset.

After completing the challenges, players can submit their solutions for review and earn an official Certificate of Completion to prove their expertise.

The 8kSec Mobile Security Labs are available now, for free, at 8ksec.io/battle.