Mobile Application Penetration Tester
eMAPT Certification
eMAPT is a hands-on, professional certification that proves your ability to assess, exploit, and report vulnerabilities in real-world mobile applications across both Android and iOS platforms.
The Exam
The eMAPT certification demonstrates your professional expertise in conducting thorough security assessments of mobile applications, with hands-on evaluation of vulnerabilities across both major mobile platforms. The certification exam tests your ability to perform comprehensive mobile security assessments, requiring candidates to identify and exploit vulnerabilities in authentic Android and iOS applications.
About the Certification Exam
This certification exam is designed for cybersecurity professionals with intermediate experience in mobile application security, and individuals aiming to specialize in mobile application security and advance their skills.
This exam is the next Red Team milestone for cybersecurity professionals who have already completed the eJPT and eCPPT and want to continue their training and certification journey.
Domains + Objectives
The eMAPT exam evaluates a candidate’s ability to assess and exploit mobile applications across a variety of security domains. The exam is structured around the following domains:
eMAPT Exam Domains
Reconnaissance and Static Analysis (20%)
Dynamic Testing and Runtime Manipulation (20%)
API and Backend Security Testing (15%)
Mobile Application Security Foundations (10%)
Threat Modeling and Attacker Mindset (10%)
Reverse Engineering & Code Deobfuscation (10%)
Mobile Malware Analysis (10%)
Reporting and Communication (5%)
Reconnaissance and Static Analysis (20%)
- Apply static analysis techniques to Android and iOS applications using tools to extract and interpret app components, manifest/plist files, and permission declarations.
- Decompile and inspect APKs/IPAs, including obfuscated code, to identify hardcoded secrets, logic flaws, and misconfigurations.
Dynamic Testing and Runtime Manipulation (20%)
- Perform dynamic testing to observe runtime behaviors and analyze system interactions, including WebViews, IPC, and logs.
- Bypass runtime protections such as SSL pinning, root/jailbreak detection, and anti-debugging mechanisms.
- Hook and manipulate application logic at runtime using tools like Frida, Objection, and Xposed to uncover functional weaknesses.
API and Backend Security Testing (15%)
- Analyze application code and runtime behavior to identify undocumented API endpoints and test for vulnerabilities such as BOLA, BFLA, token manipulation, and insecure data handling.
- Perform MITM testing and bypass certificate pinning to evaluate authentication, session management, and encrypted traffic security.
Mobile Application Security Foundations (10%)
- Explain mobile application security principles and how architectural differences between Android and iOS impact threat exposure.
- Identify and describe common mobile app vulnerabilities using threat modeling techniques and real-world examples.
Threat Modeling and Attacker Mindset (10%)
- Construct mobile-specific threat models and identify threat actors using methodologies such as PTES and OWASP MSTG.
- Assess mobile applications from an attacker’s perspective and plan security assessments accordingly.
Reverse Engineering & Code Deobfuscation (10%)
- Reverse engineer Android and iOS binaries (DEX, OAT, Mach-O) to extract code and defeat obfuscation techniques.
Mobile Malware Analysis (10%)
- Analyze mobile malware behavior, including anti-analysis and evasion techniques, through static and dynamic methods.
- Evaluate real-world mobile APT campaigns to understand mobile malware goals and tactics.
Reporting and Communication (5%)
- Document and communicate technical vulnerabilities for technical and non-technical audiences, using frameworks like OWASP MASVS, MSTG, and PTES.
Who It’s For
The eMAPT is ideal for professionals with a working understanding of cybersecurity who are ready to deepen their expertise in mobile application security testing.
Get eMAPT Certified
To take the eMAPT exam, you’ll need both an INE subscription and an exam voucher.
The Process
Whether you are attempting the eMAPT certification exam on your own or after having completed our approved learning path, you will need to follow these steps to get a certificate:
The eMAPT certification is valid for three years from the date it is awarded. Stay current with your skills and maintain your credential through flexible renewal options designed to fit your schedule.
Have an eMAPT Voucher Purchased Before May 28, 2025?
The previous version of the exam is being retired.