Automated SDK Protection - Appdome SDKProtect™

Last updated July 16, 2024 by Appdome

Introduction

This guide offers a practical walkthrough on how to utilize Appdome’s SDK Protect to enhance the security of your mobile SDKs. Follow these step-by-step instructions to ensure your SDKs are robustly secured and maintain functionality and reliability across client applications.

Prerequisites

Before you start, ensure you have the following:

An Appdome account (Create a free account here)
A license for SDKProtect™
A valid .aar file or iOS framework (Check that your SDK is in one of these formats)

Uploading Your SDK to Appdome

To begin protecting your SDK with Appdome, first, upload your SDK’s source files to the platform.

Note: We have chosen to use the feature Obfuscate SDK Logic as an example for this article.

- 1. Log in to your Appdome account.
  2. Navigate to the + Start button.
  3. Click on ‘Upload SDK‘ and select the SDK files from your machine. Make sure the files are in the correct format specified by Appdome for seamless integration.
  4. Upload Method: Choose between Appdome Console or DEV-API
  5. SDK Formats: An .aar or xcframework.zip file

Handling Error Messages During Upload

If any issues arise during the upload, Appdome will display an error message detailing the problem. This could be due to the file being incomplete, improperly packaged, or not a valid ZIP archive. Address these errors promptly to proceed with securing your SDK.
Upload Error

Understanding Fusion Sets

Fusion Sets are security templates that allow you to select specific security functionalities to integrate with your SDK. Fusion Sets can include options like “Obfuscate SDK Logic,” “Encrypt SDK Strings,” and “Protect SDK Resources,” among others. By selecting appropriate fusion sets, you customize the security features to meet your SDK’s specific needs, ensuring optimal protection.

For more details on Fusion Sets, see How to Manage Fusion Set Security Templates iOS/Android.

Shielding Your SDK on Appdome

Building Obfuscate SDK Logic using Appdome’s DEV-API:

1. Create and name the Fusion Set (security template) that will contain the Obfuscate SDK Logic feature as shown below:
  
  Figure 1: Fusion Set that will contain the SDK Threat-Shielding feature
  Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
2. To add the Obfuscate SDK Logic feature to this Fusion Set, follow the steps in the section Building the Obfuscate SDK Logic feature via Appdome Console.
3. Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set, as shown in Figure 3 below, and get the Fusion Set ID from the Fusion Set Detail Summary (as shown below):
  
  Figure 1: Fusion Set Detail Summary
  Note: Annotating the Fusion Set to identify the protection(s) selected is optional only (not mandatory).
4. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems:
  - Build an API for the SDK – for instructions, see the tasks under Appdome API Reference Guide
  - Look for sample APIs in Appdome’s GitHub Repository

Building the Obfuscate SDK Logic feature via Appdome Console

To build the Obfuscate App Logic protection using Appdome Console, follow the instructions below.

- 1. 1. Where: Inside the Appdome Console, go to Build SDKProtect™ > SDK Threat-Shielding section.
    2. How: Check whether SDK Threat-Shielding is toggled On (enabled); otherwise, enable it. The feature Obfuscate SDK Logic is enabled by default, as shown below.
      
      Figure 3: SDK Threat-Shielding option
    3. When you select SDK Threat-Shielding, you’ll notice that the Fusion Set you created now bears the icon of the protection category that contains SDK Threat-Shielding.
      
      Figure 4: Fusion Set that displays the newly added Obfuscate SDK Logic protection
      
      Click Build My SDK at the bottom of the Build Workflow (shown in Figure 4).

Congratulations! The SDK Threat-Shielding protection has now been added to the mobile SDK.

Downloading Your Secured SDK

- 1. Go to the ‘Download‘ tab on the Appdome platform
  2. Find your recent build and click on ‘Download My Built SDK‘.
    This downloaded SDK is now enhanced with robust security features and is ready for integration into your client apps.

Certified Secure

This certificate verifies that Appdome has secured your SDK (com.android.sdk.id) with specific security features, as identified in the certification details. Issued to your secured SDK, this certificate details the implementation of Appdome’s SDK Threat Shielding and SDK Threat Intelligence features that you have chosen to build into your SDK.

Certificate Obfuscate Sdk Logic

Conclusion

Appdome offers a robust, user-friendly platform for SDK vendors to enhance the security of their mobile SDKs. By following the steps outlined above—from meeting the prerequisites to downloading the secured version—you ensure that your SDK is not only more secure but also maintains functionality and reliability in client applications.

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.