Using Certified Secure™ Android & iOS Apps Build Certification in DevOps CI/CD

Learn how to use Appdome’s automated mobile app security certification service, Certified Secure™. It includes how it works and how to access and download the Certified Secure certificate as part of DevSecOps and Android and iOS release processes.

What is Appdome Certified Secure™?

Certified Secure™ is Appdome’s automated mobile app security certification service designed to help organizations build security and fraud detection features into mobile apps as part of the SDLC (Software Development Life Cycle), CI/CD, and DevSecOps processes. Certified Secure generates an instantly available, easily accessible, and understandable certification covering all security features built into Android and iOS apps by Appdome, either via the Appdome product, via Appdome’s DEV APIs, or as part of a customer’s SDLC, CI/CD and build process. Certified Secure allows organizations to validate and audit exactly which security and fraud detection features were implemented in Android and iOS applications, trace which app(s) have been secured, determine which user created the secured build, and more. Specifically, Certified Secure is designed to allow customers to:

• Internally validate security, fraud detection, and internal and industry compliance objectives, build by build.
• Speed release processes by using the Certified Secure™ certificate in the app release processes (i.e., verify security in apps before publication to public app stores as part of ‘go/no-go’ app release meetings.).
• Verify that Android and iOS apps, app product lines, and app builds include universal standards of security and fraud detection, release by release.
• Reduce or eliminate release blockers discovered by app scanning, code scanning, pen testing, and other services.

What’s in the Certified Secure™ Mobile App Security Certification?

Each Certified Secure certificate is designed to provide documented evidence of each secured build created on Appdome. The sections below illustrate each component of the Certified Secure Certificate and provide details of what’s included in each certificate.

1. Quick View Protection Summary
2. App-Specific Security Attestation-Certification
3. Complete Build History
4. Security Template in Use
5. Android & iOS Security Details
6. Advanced Enforcement Options
7. Context/App-specific Configuration
8. App-Signing Details

Certified Secure certificates are generated each time an Appdome user creates a secure version of an Android or iOS mobile app on Appdome. The certificate can be accessed directly from the user’s account on the Appdome platform or via the confirmation email sent to the user after each secure build is created on Appdome. Each certificate is specific to the app, version, build, and user.

Certified Secure™ Android and iOS App Details

Each Certified Secure™ certification includes a description of the mobile application secured on Appdome, including:

• App Icon
• App Name
• App Version
• App Dev Build No
• App Bundle ID
• OS

Quick View Protection Summary

Each Certified Secure™ certification includes a description of the Appdome Mobile App Security and Anti-Fraud features added to the Android and iOS app via Appdome, as follows:

• ONEShield™
• TOTALCode™ Obfuscation
• TOTALData™ Encryption
• OS Integrity
• Mobile Privacy
• Secure Communication
• Mobile Malware Prevention
• Mobile Privacy Prevention
• Mobile Fraud Detection

This provides app-release and security teams quick verification that the target application meets the mobile app security and anti-fraud objectives before each release.

App-Specific Security Certification

Each Certified Secure™ certification includes an attestation and certification that the mobile app is protected by the Mobile App Security and Anti-Fraud features added to the Android and iOS app via Appdome, as follows:

• App and App Version
• Build Number
• OS
• Team Name – if relevant
• Date of build
• Who performed the build
• Build ID
• Appdome Version, including whether Freeze Fusion Set is enabled

This provides Appdome’s guarantee that the target build meets the mobile app security and anti-fraud objectives as of the date of the certification.

Complete Build History

Each Certified Secure™ certification includes the complete build history of the protected Android and iOS app on Appdome, as follows:

• Who uploaded the app
• Date and Time
• Team ID (if applicable)
• App ID
• Bundle ID
• Version Number
• Dev Build Number
• Team License type
• Original App Size

Compliance and certification teams can instantly verify who built the security and ensure segregation of duties.

Security Template in Use

Each Certified Secure™ certification includes the specific mobile app security and anti-fraud feature template, called a Fusion Set™, used to protect the Android and iOS app, as follows:

• Appdome API or GUI
• Name of Fusion Set
• Fusion Set ID
• Last modified by
• OS Platform (Appdome OS support policy)
• Security Size Impact (increase in App size from security features implemented in the app)

Dev and release teams can manage security templates by release, by app(s), or by platform and trace security for apps back to specific templates placed in use at any point in the lifecycle of the app.

Android & iOS Security Plugin/Parameter Details

Each Certified Secure™ certification includes a complete list of security plugins and parameters chosen by the Appdome user and built into the application by the Appdome platform.

Plugins and parameters are the specific code sets that Appdome has added to implement the security features selected by Appdome customers.

Context Data

Each Certified Secure™ certification includes details and descriptions of any branding and other configurations added to secured Android and iOS apps via Appdome, as follows:

• Who added Context
• With which Fusion Set
• Date and Time Context was added
• Parameters
• App icon
• Favicon
• App name
• Version
• Bundle ID

App-Signing Information

Each Certified Secure™ certification includes details and descriptions of any branding and other configurations added to secured Android and iOS apps via Appdome, as follows:

• Sign Type (how the app was signed)
• Who Signed the app
• Fusion Set
• Date and Time the app was signed
• General data about the signature
• Certificate SHA-256 Checksum
• Final App SHA-256 Checksum

Advanced Enforcement Options

• Details of Appdome Threat-Events that are in use
• Threat Event Scoring Value

How to Download the Certified Secure Certificate For Any Mobile App on Appdome