Practical Mobile Pentest Associate (PMPA) Review
Disclaimer
Everything I share here is based entirely on my own personal experience. Others may have had very different experiences with this certification. My observations are subjective and should not be taken as absolute facts or as representative of anyone else's opinion. I am not affiliated with or speaking on behalf of the certification provider.
What is PMPA?
The Practical Mobile Pentest Associate (PMPA, formerly PJMT) is a certification that tests your ability to find security vulnerabilities in Android applications and document them in a professional penetration testing report. It focuses entirely on practical, hands-on skills you can apply in real-world Android app assessments.
PMPA Exam Overview

Learning Materials
As I mentioned in one of my LinkedIn posts, I highly recommend this course to anyone looking to get into mobile pentesting, especially those with no prior experience, which was my situation before taking it. Do not expect anything mind-blowing or revolutionary, but if you want to break into mobile penetration testing, this certification is a great starting point.
The materials are well structured. They cover everything you need to get started and make learning mobile security much more approachable. Most importantly, you get practical experience.
Note: The materials are in video format, with a person going through them and explaining them. I do not remember if you have an option to download the materials in text format.
The course covers the Mobile Application Penetration Testing process and explains each step, what it is, and why it is important. After that it goes into Android architecture and key Android components that matter during static analysis. It also covers Android security and the signing process, and then both static and dynamic analysis in depth.
What I really appreciated is the practical knowledge you gain. As someone who now performs Android pentests professionally, I can say the skills are 100% applicable to real-world testing.
Part of the material also touches on the bug bounty process, with the instructor showing the full MAPT flow in one go and putting everything together so you can see how it is done in practice.
There is a bonus section called Android red teaming where they talk about some interesting things. I am not going to go deep into that since it is not part of the actual exam.
The materials also include iOS penetration testing. I did not watch those since they are not part of the exam, so I cannot comment on the quality.
Exam Format
The exam consists of testing one Android application and writing a detailed penetration testing report. You have two days for the Android penetration test and two days to write the report. In order to pass you need to gain administrative access to the API panel. No matter how many vulnerabilities you find, without that access you will not pass.
Can you pass the exam just by finding administrative access to the API panel? I am not sure, so I will not say anything about that. The exam cover letter explains this well, and I talk about that letter in the following sections, so keep reading.
The exam is not proctored, so you are free to use your notes or other resources. You do not need to complete all the learning materials before starting the exam. Everything is done in TCM's online exam platform through their virtual machine.
Exam Experience
When you start the exam you receive a cover letter that explains everything you need to know. Basically, that letter answers every single question you have. I remember having a ton of questions in my head, and after reading that letter, none of them were left.
My advice is to read that cover letter carefully because it contains important information that can help you if you get stuck during the exam. It can also help you avoid wasting time on unnecessary things.
If you are wondering whether you will get the report template, yes, you will get that too.
The environment where the exam was done was pretty solid. I had a small issue where the screen was zoomed in too much, so I needed to type a few commands to change the screen size. I do not know whether the problem was my PC or their environment. It is not something you will fail to fix. I found the solution on Stack Overflow on the first Google search.
Some people say that you need actual web pentesting knowledge to perform this exam, but I do not agree with that at all. You just need to think and use your curiosity. If you have a piece of information, can you use that information to gain another piece of information?
Please, if you are stuck in the exam, do not search random topics on the internet that were not covered in the materials. The materials cover everything you need to pass the exam.
Personal Advice and Final Thoughts
If you are looking to get into Android penetration testing, then this certification is for you.
If you bought it and plan to take the exam, my advice is to go through all of the provided Android penetration testing materials, write notes, and try to do the things you learned on your own.
If you know how to do things on your own, can explain why you are doing them, and actually understand the reason behind them, not just doing them because someone told you to, then you are ready to take the exam.
Make sure that you take screenshots of what you find constantly, even if you already took 100 screenshots. It does not matter. Once the penetration test period finishes you will not be able to access the application again, so you may end up without needed screenshots.
Be careful with how you write the report. I am not saying that TCM is super strict about this, but you definitely need to write a good, clear, and understandable report.
If you are already working as a penetration tester, that is great. Look at how your company writes reports and apply that style to your report. If not, and if you never had a chance to write a report, find some pentest reports online and base your writing on that.
I do not know if it is required or not, but I wrote my findings as a chain of vulnerabilities in logical order.
For me the exam was really easy. I finished both the penetration testing and the report in one sitting. It was a long sitting, but I finished everything in about seven hours.
I submitted the report at around three in the morning on Saturday and got the results the next Wednesday. You will receive an email when they review your report.