How to Use Appdome SDKProtect to Secure Mobile iOS SDKs

Introduction to Appdome SDKProtect for iOS

Appdome SDKProtect™ enables mobile SDK developers to quickly and easily create protected and threat-aware versions of their mobile SDKs, reducing fraud and ensuring compliance. SDKProtect™ is precisely engineered to secure mobile SDKs against a wide variety of threats. This article provides a step-by-step guide for SDK mobile developers and SDK vendors on how to use SDKProtect™ to secure their iOS SDKs, focusing on the xcframework.zip format.

Prerequisites

Before starting the process of securing your SDK with Appdome, ensure you have the following:

• An Appdome account (create a free Appdome account here)
• A license for SDKProtect™
• A valid iOS xcframework.zip file
• Add input threat event permissions to your xcframework. For more details, see: How to use SDK Input Threat Events for iOS XCFrameworks 

Key Features of SDKProtect

SDK Threat Shielding encrypts, obfuscates, and safeguards SDK components, fortifying them against cyber threats for enhanced security.

1. Verify SDK Integrity: Ensures that the SDK assets and libraries have not been tampered with or altered.
2. Obfuscate SDKProtect™: Obfuscates the SDK logic to make it harder for attackers to reverse-engineer the SDK.
3. Encrypt SDK DBs: Protects the data created by the SDK on the device by establishing a secure data container. This prevents the application from accessing the SDK’s encrypted data.
4. Encrypt SDK Preferences: Encrypts the SDK preferences/settings to prevent unauthorized access.
5. SDK MiTM Defense: Protects the data created by the SDK on the device by establishing a secure data container. This prevents the application from accessing the SDK’s encrypted data.
6. Secure Certificate Pinning: Secure Certificate Pinning securely stores the certificate(s) of known trusted servers in the SDK and validates the authenticity of the certificate before the connection is established.

SDK Threat Intelligence

Threat Intelligence combines the power of Threat-Shielding and Mobile Risk Evaluation with the following visibility and control options.

• • Threat-Monitoring –Identifies and reports any risk anomalies found in the SDK and transmits the data to ThreatScope™ for enhanced security oversight.
  • Threat-Streaming – Provides regular updates on the SDK’s health status during runtime and alerts to any possible threats to ensure operational safety.

1. Jailbreak Detection: Detects users attempting to run your application on a jailbroken device.
2. Simulator Detection: Detects if the SDK is running on a simulator.
3. Detect Debugging: Identifies if the SDK is being debugged.
4. Detect App is Debuggable: Detect when a debugger is attached to the SDK or the SDK is marked as Debuggable.
5. Detect Hooking Frameworks: Identifies if any hooking frameworks are being used to manipulate the SDK.
6. Detect FaceID Bypass: Detects when an attacker tries to bypass FaceID or facial recognition using deep fake methods.

Workflow for Securing iOS SDKs with SDKProtect

1. Upload an SDK file
   • Drag and drop a xcframework.zip file or browse to upload the SDK.
     
2. Create and name the Fusion Set (security template) that will contain the SDK Threat-Shielding feature as shown below:
   
3. Building the SDK Threat-Shielding & SDK Threat Intelligence feature via Appdome Console
   To build the SDK Threat-Shielding & SDK Threat Intelligence protection using Appdome Console, follow the instructions below.
   • How: Toggle (turn ON) SDK Threat-Shielding, as shown below
   • How: Toggle (turn ON) SDK MiTM Defense, as shown below
   • How: Toggle (turn ON) Threat Monitoring and Threat Streaming, as shown below
   • Select which features you want to turn on, such as Jailbreak Detection, Simulator Detection, Detect Debugging, Detect Hooking Frameworks, and Detect FaceID Bypass.
   • Click on Build My SDK to initiate the build process.
     
4. Sign
   • On Appdome (Recommended)
   • P12 File: Mandatory for signing.
   • Password: Mandatory for signing.
   • Click Sign My SDK
     
5. Private Signing
   • Select the option Private Signing from the drop-down menu.
     For more details on how to privately sign your SDK, see How to Sign an xcframework.zip iOS SDK on Appdome.
6. Download SDK
   • After building and signing, click on “Download” to retrieve the signed SDK.
     

Certified Secure

This certificate verifies that Appdome has secured your SDK (com.iOS.sdk.id) with specific security features, as identified in the certification details. Issued to your secured SDK, this certificate details the implementation of Appdome’s SDK Threat Shielding, and SDK Threat Intelligence features that you have chosen to build into your SDK.

Appdome offers a powerful, user-friendly platform for SDK vendors to enhance the security of their mobile SDKs. By following the steps outlined above—from meeting the prerequisites to downloading the secured version—you ensure that your SDK is not only more secure but also maintains functionality and reliability in client applications.

Related Articles:

• How to Obfuscate SDK Logic using Appdome SDKProtect™
• Automated SDK Protection – Appdome SDKProtect™
• How to Use Appdome SDKProtect to Secure Mobile SDKs
• How to use SDK Input Threat Events for iOS XCFrameworks

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.