Certified Mobile Pentester (CMPen) – Android

Certified Mobile Pentester (CMPen) – Android is an intermediate-level exam to test a candidate’s knowledge on the core concepts of mobile security (Android).

What is the Certified Mobile Pentester (CMPen) – Android exam?

Certified Mobile Pentester (CMPen) – Android is an intermediate-level exam to test a candidate’s knowledge on the core concepts of mobile security (Android). Candidates must be able to demonstrate practical knowledge to perform static and dynamic analysis of Android applications to pass this exam.

Who should take this exam?

CMPen – Android is intended to be taken by pentesters, security architects and any Mobile security enthusiast, who wants to evaluate and advance their knowledge in Android application security.

What is the format of the exam?

CMPen – Android is an intense 4 hour long practical exam. It requires candidates to solve a number of challenges, identify and exploit various vulnerabilities and obtain flags. The exam can be taken online, anytime (on-demand) and from anywhere. Candidates will need to download Android APK build and connect to the exam VPN server to set up for the exam.

What is the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
  • Candidates scoring over 75% marks will be deemed to have passed with a merit.
What is the experience needed to take the exam?

This is an intermediate-level exam. Candidates should have prior knowledge and experience of Android application pentesting and familiarity with its common tactics, techniques and procedures. They should be able to demonstrate their practical knowledge on Mobile security topics by completing a series of tasks on identifying and exploiting vulnerabilities that have been created in the exam environment to mimic the real world scenarios.

Note: As this is an intermediate-level exam, a minimum of two years of professional pentesting/bug-bounty experience is recommended.

What will the candidates get?

On completing the exam, each candidate will receive:

  • A certificate with their pass/fail and merit status.
  • The certificate will contain a code/QR link, which can be used by anyone to validate the certificate.
What is the exam retake policy?

Candidates, who fail the exam, are allowed 1 free exam retake within the exam fees.

What are the benefits of this exam?

The exams will allow candidates to demonstrate their skills in Android application pentesting. This will help them to advance in their career.

How long is the certificate valid for?

The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version as per their convenience.

Will you provide any training that can be taken prior to the exams?

Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.

Company Free/Paid
Kontra Free
Payatu Free
Security Compass Paid
seedlabs Free
attackdefense.com Free
damnvulnerableiosapp Free
Macfee Free
revolutionelite.co.uk Free
mobilehackinglab Paid/Free
Hackthebox Paid/Free
dvba.apk Free
Security Compass Free
Exam Syllabus

The exam will cover the following topics

Android Security Architecture and Permission Model
Android Application Component
Understanding of Android Application Pentesting Environment
OWASP Mobile Top 10
Static and Dynamic Analysis
Reverse engineering Android applications
Understanding of Android Application Pentesting Tools, such as adb, drozer, jadx-gui, logcat, etc.
Traffic Analysis using Burp Suite and Wireshark
Frida, Objection, and MobSF
Root Detection & SSL Pinning Checks
Excessive/Insecure Logging and its Analysis
Hardcoding Issues
Obfuscation in the Code
Misconfigured Database Storage
Understanding and Exploitation of Insecure Activities and Content Providers
Exploitation of Logic flaws
Inspection of Certificate and Signing Schema
Common Security Misconfigurations and Android Security Best Practices
  • Insecure Permissions
  • Encryption and cryptography
  • Insecure Storage of Data
  • Use of Outdated and Vulnerable Technology Components
  • Insecure Coding Practice
Sample Question?
  • Consider a scenario where you receive an alert that indicates that your EC2 instance behind ELB Classic Load Balancer has been compromised. Which of the following options will you choose to limit the lateral movement and allow evidence gathering?
    1. Remove the instance from the load balancer and terminate it.
    2. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
    3. Reboot the instance and check for any Amazon CloudWatch alarms.
    4. Stop the instance and make a snapshot of the root EBS volume.
Host Operating System:

Windows/Linux/MacOS with minimum 8GB RAM to run virtual machines/emulated devices.

Physical Device with Minimum Supported Android Version:

Android 7.0 / SDK 24.

Emulator with Minimum Android Version Supported:

Android 7.0 / SDK 24.

The android application has been tested against the following list of devices and emulators (not an exhaustive list):
  • Android 7.0, 7.1, 8.0, 9.0, 10.0 and 11
  • Android 7-10 (x86 bit) and Android 11 (x64 bit)
Memu (Android 7.1.2)
Nox (Android 7.1.2)
Physical Devices (Most of the physical devices with Android 7.0 and above are supported, here are a few we have tested on):
  • Moto G9 Power (Android 11)
  • Redmi 9A (Android 11)
  • Pixel XL 2 (Android 11)
  • MI A2 (Android 10)
  • Poco X3 (Android 12)
  • Moto G40 Fusion (Android 12)

Note: Please make sure you have your Android pentesting environment ready before taking the exam (Android Emulator or Physical Device, Android Platform Tools, Burp Suite, or any similar proxy tool.)

Certified Mobile Pentester (CMPen) – Android

Certified Mobile Pentester (CMPen) - Android