Mobile Application Penetration Tester

eMAPT Certification

eMAPT is a hands-on, professional certification that proves your ability to assess, exploit, and report vulnerabilities in real-world mobile applications across both Android and iOS platforms.

Start Learning Buy My Voucher

The Exam

The eMAPT certification demonstrates your professional expertise in conducting thorough security assessments of mobile applications, with hands-on evaluation of vulnerabilities across both major mobile platforms. The certification exam tests your ability to perform comprehensive mobile security assessments, requiring candidates to identify and exploit vulnerabilities in authentic Android and iOS applications.

About the Certification Exam

This certification exam is designed for cybersecurity professionals with intermediate experience in mobile application security, and individuals aiming to specialize in mobile application security and advance their skills.

Reconnaissance and Static Analysis

Threat Modeling

Mobile Malware Analysis

Dynamic Testing

This exam is the next Red Team milestone for cybersecurity professionals that have already completed the eJPT and eCPPT and want to continue their training and certification journey.

Domains + Objectives

The eMAPT exam evaluates a candidate’s ability to assess and exploit mobile applications across a variety of security domains. The exam is structured around the following domains:

eMAPT

Exam Domains

Reconnaissance and Static Analysis (20%)

Dynamic Testing and Runtime Manipulation (20%)

API and Backend Security Testing (15%)

Mobile Application Security Foundations (10%)

Threat Modeling and Attacker Mindset (10%)

Reverse Engineering & Code Deobfuscation (10%)

Mobile Malware Analysis (10%)

Reporting and Communication (5%)

Reconnaissance and Static Analysis (20%)

Apply static analysis techniques to Android and iOS applications using tools to extract and interpret app components, manifest/plist files, and permission declarations.
Decompile and inspect APKs/IPAs, including obfuscated code, to identify hardcoded secrets, logic flaws, and misconfigurations.

Dynamic Testing and Runtime Manipulation (20%)

Perform dynamic testing to observe runtime behaviors and analyze system interactions, including WebViews, IPC, and logs.
Bypass runtime protections such as SSL pinning, root/jailbreak detection, and anti-debugging mechanisms.
Hook and manipulate application logic at runtime using tools like Frida, Objection, and Xposed to uncover functional weaknesses.

API and Backend Security Testing (15%)

Analyze application code and runtime behavior to identify undocumented API endpoints and test for vulnerabilities such as BOLA, BFLA, token manipulation, and insecure data handling.
Perform MITM testing and bypass certificate pinning to evaluate authentication, session management, and encrypted traffic security.

Mobile Application Security Foundations (10%)

Explain mobile application security principles and how architectural differences between Android and iOS impact threat exposure.
Identify and describe common mobile app vulnerabilities using threat modeling techniques and real-world examples.

Threat Modeling and Attacker Mindset (10%)

Construct mobile-specific threat models and identify threat actors using methodologies such as PTES and OWASP MSTG.
Assess mobile applications from an attacker’s perspective and plan security assessments accordingly.

Reverse Engineering & Code Deobfuscation (10%)

Reverse engineer Android and iOS binaries (DEX, OAT, Mach-O) to extract code and defeat obfuscation techniques.

Mobile Malware Analysis (10%)

Analyze mobile malware behavior, including anti-analysis and evasion techniques, through static and dynamic methods.
Evaluate real-world mobile APT campaigns to understand mobile malware goals and tactics.

Reporting and Communication (5%)

Document and communicate technical vulnerabilities for technical and non-technical audiences, using frameworks like OWASP MASVS, MTTG, and PTES.

Who It’s For

The eMAPT is ideal for professionals with a working understanding of cybersecurity who are ready to deepen their expertise in mobile application security testing.

Get eMAPT Certified

To take the eMAPT exam, you’ll need both an INE subscription and an exam voucher.

New to INE? Get started with one of these options:

Get Voucher for 50% off

INE Premium Subscription

The INE Premium subscription offers the updated Mobile Application Penetration Testing Professional (NEW!) Learning Path, built for professional-level Red Teamers with intermediate-level experience in Mobile App Pentesting. It prepares you to take the eMAPT exam through a blend of expert-led courses and practical lab time. When you’ve completed the learning path, you’re ready for the exam!

Get Started

eMAPT Voucher Included

eMAPT + Prep Bundle

3 months of access to all INE training to prepare you for the eMAPT and more.

Buy My Voucher

Already a subscriber?

The Mobile Application Penetration Tester Certification Exam Voucher can only be purchased with an INE Premium Subscription. If you already have a subscription, you can buy your voucher now! We encourage everyone to complete the Mobile Application Penetration Testing Professional (New!) Learning Path before attempting the certification exam.

The Process

Whether you are attempting the eMAPT certification exam on your own or after having completed our approved learning path, you will need to follow these steps to get a certificate:

Shop Certification Vouchers

To earn the eMAPT Certification, follow these steps:

Purchase a certification exam voucher

Purchase an exam voucher to start the certification process. Login to the certification area to manage the exam and any other materials related to the certification process.

Begin the certification process

Before the certification voucher expires (180 days from purchase), complete the initial exam attempt and if desired, the complimentary re-take that is provided with the voucher’s purchase. Both attempts must be submitted before the certification voucher expires. The expiration date will always be available in the certification area, and reminder emails are sent to ensure the voucher is taken advantage of.

Take your exam

Follow the certification instructions and complete the exam within the allotted time. If technical issues are encountered at any time during the exam, please email support@ine.com for assistance.

Receive your results

Results are on an auto-graded system. This means results will be delivered within a few hours after completing the exam. The eMAPT score report will show performance metrics in each section of the exam, allowing reflection on mastery of each exam objective. All passing score credentials will be valid for three years from the date they were awarded.

The eMAPT certification is valid for three years from the date it is awarded. Stay current with your skills and maintain your credential through flexible renewal options designed to fit your schedule.

Have a eMAPT Voucher Purchased Before: May 28, 2025?

The previous version of the exam is being retired.

Still have a voucher?

You can use your existing eMAPT exam voucher through December 2025.

Take the previous exam now

Want to switch to the new exam?

You may be eligible to exchange your old voucher for a new exam voucher.

Check voucher exchange options