How to use DEVICETrust™ with MobileBOT™ Defense Using AI

This Knowledge Base article describes how to use Appdome’s AI/ML in your CI/CD pipeline to continuously deliver plugins that Enforce DEVICETrust™ in Mobile apps.

What Is Appdome DeviceTrust?

DeviceTrust is a feature within Appdome’s MobileBOT Defense that enables customizable trust levels for mobile devices and applications before initiating any network connections. By analyzing device and app risk factors such as root access, Magisk, Frida toolkits, emulators, and simulators, DeviceTrust ensures that connections are only made from trusted devices. The system supports both Zero-Trust, which blocks connections until all checks are complete, and Runtime-Trust, which allows connections to proceed while checks are ongoing. This feature is essential in identifying and mitigating risks associated with compromised or modified devices, helping to safeguard sensitive data and transactions. DeviceTrust is critical in preventing unauthorized access from compromised or modified devices, aligning with compliance standards that emphasize device integrity for secure transactions.

How Appdome Protects Mobile Apps with DeviceTrust?

Appdome’s dynamic DeviceTrust plugin integrates with MobileBOT Defense to assess device and application risk factors before any connection is made. It checks for indicators such as root access, emulators, Magisk, Frida, and other common attack vectors. If these threats are detected, DeviceTrust reports the findings to the Web Application Firewall (WAF) for action. Appdome does not directly enforce connection decisions but ensures that the necessary information is relayed to the WAF, enabling informed security actions while maintaining flexibility in how these threats are handled. This multi-layered defense enhances app security and ensures safe user experiences.

Prerequisites for Using Appdome's DEVICETrust™ Plugins:

To use Appdome’s mobile app security build system to Enforce DEVICETrust™ , you’ll need:

• Appdome account (create a free Appdome account here)
• A license for DEVICETrust™
• Mobile App (.ipa for iOS, or .apk or .aab for Android)
• Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)

How to Implement Enforce DEVICETrust™ in Mobile Apps Using Appdome

On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that Enforce DEVICETrust™ without an SDK or gateway:

1. Designate the Mobile App to be protected.

   1. Upload an app via the Appdome Mobile Defense platform GUI or via Appdome’s DEV-API or CI/CD Plugins.

   2. Mobile App Formats: .ipa for iOS, or .apk or .aab for Android
   3. DEVICETrust™ is compatible with: Obj-C, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Xamarin, and more.

2. Select the defense: DEVICETrust™.

   1. Create and name the Fusion Set (security template) that will contain the DEVICETrust™ feature as shown below:
      

      Figure 1: Fusion Set that will contain the DEVICETrust™ feature
      

      1. Follow the steps in Sections 2.2-2.2.2 of this article to add the DEVICETrust™ feature to your Fusion Set via the Appdome Console.

      2. When you select the DEVICETrust™ you'll notice that the Fusion Set you created in step 2.1 now bears the icon of the protection category that contains DEVICETrust™.

         

         Figure 2: Fusion Set that displays the newly added DEVICETrust™ protection
         Note: Annotating the Fusion Set to identify the protection(s) selected is optional only (not mandatory).

      3. Open the Fusion Set Detail Summary by clicking the “...” symbol on the far-right corner of the Fusion Set. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):

         Figure 3: Fusion Set Detail Summary

      4. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, Jenkins, Travis, Team City, Circle CI or other system:

         1. Refer to the Appdome API Reference Guide for API building instructions.
         2. Look for sample APIs in Appdome’s GitHub Repository.

   2. Add the DEVICETrust™ feature to your security template.

      1. Navigate to Build > Anti Bot tab > MobileBOT™ Defense section in the Appdome Console.

         Like all other options in ONEShield™, DEVICETrust™ is turned on by default, as shown below:

         Figure 4: Selecting DEVICETrust™
         Note: The App Compromise Notification contains an easy to follow default remediation path for the mobile app end user. You can customize this message as required to achieve brand specific support, workflow or other messaging.

      Toggle On > DEVICETrust™.
      

      Figure 4: Selecting Enforce DEVICETrust™

   3. Initiate the build command either by clicking Build My App at the bottom of the Build Workflow (shown in Figure 4) or via your CI/CD as described in Section 2.1.4.

   Congratulations!  The DEVICETrust™ protection is now added to the mobile app

3. Certify the DEVICETrust™ feature in Mobile Apps

   After building DEVICETrust™, Appdome generates a Certified Secure™ certificate to guarantee that the DEVICETrust™ protection has been added and is protecting the app. To verify that the DEVICETrust™ protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:

   Figure 5: Certified Secure™ certificate

   Each Certified Secure™ certificate provides DevOps and DevSecOps organizations the entire workflow summary, audit trail of each build, and proof of protection that DEVICETrust™ has been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that DEVICETrust™ and other mobile app security features are in each build of the mobile app.