eMAPT certification for Mobile security enthusiasts

Ajmal Moochingal
Apr 15, 2024


Hello 👋. In this post, I’m sharing my insights on preparing for the eMAPT certification by INE, also known as eLearnSecurity. I’ve outlined the resources that proved invaluable to me during the preparation.

Leveraging my previous Android development experience, I chose to purchase only the certification exam, opting to independently master the material through self-study and practice.

I practiced AppSec-focused free labs on MobileHackingLab just in time, which was instrumental in my exam preparation.

The exam, without doubt, necessitates good practice and a foundational exposure to building Android apps. As outlined in the exam expectations, we are presented with two Android apps ready to be exploited!

eLearnSecurity’s eMAPT is a hands-on challenge. Students will receive a real-world scenario of two Android applications to analyze and pentest. The final deliverable is a working and reproducible proof of concept that is reviewed by INE’s course instructors.

Here I’m noting down a few points to keep in mind while preparing for the certification:

  • The final practical exam consists only of exploiting Android apps; iOS app exploitation is not part of the examination.
  • Preparation: knowledge of reverse engineering Android Java code is required. Reversing native libraries is not required, and it is not covered anywhere in the training syllabus. Being able to read and understand Java code is a plus, along with experience building very basic Android apps.
  • A good understanding of the building blocks of Android apps (Activities, Content Providers, Receivers, Intents, etc.) is needed. Android penetration testing knowledge comes in handy here, but it is not sufficient on its own. It’s also better to have good clarity on how to interact with these components the way an Android app developer would, using Java/Kotlin code.
  • Understanding the vulnerability classes in Android/mobile in general whose severity ranges from medium to high is a logical step to take: since the exam is heavily focused on exploitation, low-severity bugs would contribute less to it, as one could predict from the description.

While preparing for the certification, I came across Oversecured.com, a very useful resource for learning about mobile security vulnerabilities. They’ve compiled a good, comprehensive list of bug classes in Android & iOS at https://oversecured.com/vulnerabilities and they also have blog posts on many of these bug classes. It’s an amazing resource.

If you’re looking for good practice outside the training content provided by INE, I would recommend practicing on popular vulnerable apps like Damn Vulnerable Bank or the recently launched Bugbazaar by Payatu. As I mentioned earlier, MobileHackingLab is great for practice.

I Passed! Yay 😅

Awesome! Go ahead with your prep. It will teach you a lot for sure. But be aware that it only scratches the surface. The world of mobile AppSec is vast. That being said, eMAPT serves as an excellent starting point and I wholeheartedly recommend it to anyone eager to get started in mobile security.
