eMAPT Exam Review

Mobile Hacking Exams in 2025

First, let’s go over some public information about the exam (and others like it) and why you might want to take it.

When choosing to take a mobile hacking exam, you basically get three choices: INE, TCM, or SANS. Here is what I have gathered about each of them from friends, colleagues, and other members of the community:

  • SANS: The course material is a solid introduction, but lacks a lot of the thorough skills a mobile pentester needs. It mostly covers issues with SSL pinning, root detection, and other vulnerabilities that you can report without much effort. The exam itself is also not a practical exam, just questions and answers - so most of the value you gain from taking that course and getting the cert is the expensive SANS sticker it comes with.
  • INE: I haven’t taken or seen the course material for this; I only took the exam. From what is public it covers both iOS and Android, but the material is nearly a decade old at this point and that is reflected in the Android version you are required to target when taking the exam - so don’t expect any super interesting vulnerabilities in web views, intents, deep links, and so on.
  • TCM: I haven’t taken this exam but was given access by a colleague to examine the materials supplied with the exam. I like that they call out a few real bugs that were discovered in Android and iOS apps. The issue that I have is that it is very similar to the above courses, mostly being centered around dynamic analysis and static analysis - which are useful but they are the base you should build your skills up from and not what you should advertise as a professional-level cert. I have no information on the exam for TCM’s course other than knowing it covers similar domains to the eMAPT and that it requires a written report, offering a more realistic experience. (Honestly, I would have taken this exam if the poor quality of the PNPT had not left such a sour taste in my mouth.)

I chose to go with the INE eMAPT exam because I got a good price on it around Black Friday and was learning Android hacking at the time. I only learned after purchasing it that the exam has remained the same for the last nine years and is dated in content. However, online opinions seem to point to this one being the intersection of difficulty and recognition - there are some other lesser-known certifications that may be worth the time but it is hard to say at this point in time.

How I Prepared

I prepared by following along the hextree.io Android course map. I can confidently say that this course is the highest quality, most comprehensive Android hacking course you can take - AND it is completely FREE (as of March 2025).

I am not sure what the eMAPT course covers as I haven’t taken it, but the resources at hextree.io made this exam a cakewalk - partly because of the focus on exploits that are best performed by a malicious app. On other reviews and forums I heard that people who took other courses were only vaguely familiar with developing malicious apps and had trouble with that aspect of the exam.

It would be helpful to be familiar with certain encryption algorithms, but a visit to CyberChef was enough to jog my memory and get me up to speed while taking the exam.

What to Expect

This exam provides you with two Android applications to exploit. You have 7 days to submit an exploit application, and a report is not required. You should be able to know what you need to do within the first hour or two of looking at the decompiled application code; then the only time-consuming part is actually writing the exploit app. I tried to plan ahead for any unique edge cases but I was able to finish in something under 5 total hours working on my exploit code in the evenings after work. A good understanding of content and file providers should be sufficient to pass this exam.

Other Details

I submitted my exploit code on 2/20 in the evening and got an email outlining the 30 business day review window. I was notified that I passed my exam the afternoon of 03/06.

Also, the letter of engagement and parts of the apps themselves have grammatical and spelling errors that make understanding the full scope of your objective somewhat vague. I can’t be specific for obvious reasons, but it centers around overuse of plural case where it should not be used - which can lead you (like it led me) to believe that an additional vulnerability may be present when it really is not.

This critique is very specific and I found no other record of it online. Feel free to reach out to me and ask about it and I can try to clarify.

Would I Recommend It?

Honestly, not really. If you are trying to get into mobile pentesting you would be best off trying to pursue the coursework on Hextree.io and MobileHackingLab. You will certainly learn a lot more and the information is actually up to date, which is crucial in general for anything security related.

However, if you just want some certification to prove to someone that you know a thing or two about mobile application hacking - the eMAPT will prove that you know some stuff about 9+ year old vulnerabilities.
