Mobile Application Penetration Tester (eMAPT) Review (Old Version)
Disclaimer
Everything I share here is based entirely on my own personal experience. Others may have had very different experiences with this certification. My observations are subjective and should not be taken as absolute facts or as representative of anyone else's opinion. I am not affiliated with or speaking on behalf of the certification provider.
I completed the training and exam for the older version of the eMAPT. Since then, it has been updated with new, more current materials and a revised exam structure.
This post reflects only my experience with the version I studied and tested on. If you are looking for insights on the updated eMAPT, this won't cover it.
As this version is no longer available, I will not be providing exam tips or guidance.
What is eMAPT?
eMAPT (INE) evaluates advanced Android pentesting skills through a hands-on exam involving two Android applications. The exam emphasizes identification of vulnerabilities within these two applications and creating your own exploit application designed to exploit vulnerabilities in both targets automatically upon execution. It's a true test of deep technical knowledge, creative problem-solving, and the ability to deliver practical, working exploits.
eMAPT Exam Overview (At the time I passed)

Learning Materials
The materials are well structured but heavily outdated. While the exam is completely practical, I was kind of surprised that they focused this heavily on theory.
Note: The materials are in both video and text format.
The course covers Android architecture, where they covered a ton about how Android phones work in general. After that they move to the Android build process, where they explain how Java code becomes an Android application. Then they moved to reversing APKs, and this is the first time I felt that the materials were outdated, because they didn't show any of the modern tools that I know from professional experience are used.
The chapter that I liked the most was Android Application Fundamentals because they really went deep with this one. I gotta say, I studied Android development at my university where I pursue a computer science degree, and the funny thing is that this chapter from eMAPT could be compared to what I've studied at the university. But still, this part was also heavily outdated because they were teaching you stuff like sticky intents that were deprecated nearly 11 years ago in Android 5.0.
Yes, 11 years ago. That means we are basically talking about Android phones like the Samsung Galaxy S4. Also another fun fact is that the newest Android version is Android 16, while in the materials they covered sticky intents which were deprecated as I said in Android 5.0.
Other chapters were alright, but another thing that I didn't like was the fact that in the Android Dynamic Analysis module, Burp Suite wasn't mentioned at all. Not just Burp Suite, but any proxy tools at all.
As much as the materials are outdated, I gotta say that I appreciated the theoretical foundation it provided, from how Android works under the hood, to its architecture, components, and security model.
The materials also include iOS penetration testing. I did not consume those since they are not part of the exam, so I cannot comment on the quality.
Labs are also old. They cannot be compiled with a recent Android Studio version. Some of the examples only work with API version 17, which was released in 2012.
The biggest turn-off for me was that no actual Android development was taught within these materials, while the actual exam wants you to develop your own application. These days that is not a problem at all because of ChatGPT and all the other AI models, but imagine if you were a penetration tester in the past trying to acquire eMAPT and these things didn't exist… Yeah, it would be a problem because you would need to study Android development too.
Exam Format
The exam consists of identifying vulnerabilities within two applications and creating your own exploit application designed to exploit vulnerabilities in both targets automatically upon execution. Basically you are supposed to find vulnerabilities that will enable you to extract data from these two applications and to show that data within your own exploit application.
You can't hardcode things within your application because while reviewing your application they will also test it on a different set of data. So the same two applications with the same vulnerabilities, but with a different set of data. So your exploit application is supposed to use these vulnerabilities to extract the data.
You have 7 days to complete everything and submit the application.
The exam is not proctored, so you are free to use your notes or other resources. Everything is done on your own local machine.
Exam Experience
When you start the exam you receive a cover letter that explains everything that you need to know. The cover letter explained everything really well.
It was pretty straightforward: you download the provided applications and start testing them.
The exam itself was not hard at all. I remember that I actually found the vulnerabilities that needed to be found in order to extract all the data within the first day of the exam, but I had problems with my terminal. Every time that my line would go to another row in the terminal while typing, for some weird reason it would also add either a whitespace character or a new line character.
So that's why most of the commands would result in an error. And I couldn't figure that out at all for a solid 2 or 3 days. I was literally trying everything that was taught in the materials but I couldn't do anything. I thought that I would fail since I tried everything but nothing resulted in anything.
After I figured out that my terminal was the problem, I was able to fix it. After that I finished the whole application and everything within 1 day.
So for everything I needed around 4 or 5 days, I don't remember. But once again, if I had found out that my terminal was the problem earlier, I would have finished the exam within a day or two at max.
Another thing that I had problems with was the file size of the application. After you finish everything, you are supposed to zip the application and upload it via one of INE's platforms. The maximum file size was 10 MB while my zip was literally around 200 MB. After some searching on Google I was able to reduce it to around 7 MB by deleting build files and compressing everything.
Final Thoughts
I kinda have a love-hate relationship with this certification.
The course expects you to learn how to write an Android application, but doesn't teach you how to do that. So it wasn't useful at all.
It's not realistic; no mobile app pentester writes their own malicious apps to prove a point. You prove a point by writing a professional and detailed report that explains everything, which wasn't done here.
Also while the materials were really well structured, they were really outdated at the same time. Anyway I was still able to learn a lot, especially about components of Android, and also everything was taught really nicely without too much overcomplicating stuff while still going down deep.
But at the end, the exam itself was super enjoyable actually. I don't know why but I just found it enjoyable, maybe it's because it was my first time developing an application that has malicious intentions. I remember that I felt really happy and proud when I made my own exploit application.
Yeah, that would be it. Once again, everything said in this blog post is related to the older version of the eMAPT.