How to Test Secured Android Apps on Browserstack, Mobile DevSecOps Best Practices

Last updated May 2, 2023 by Appdome

Learn how to test Appdome-secured Android Apps by using Browserstack’s mobile testing suite. Appdome is 100% compatible with all leading mobile application test automation solutions used by DevSecOps teams. Automated testing of secured Android and iOS app helps developers and others rapidly deploy comprehensive mobile app security and fraud prevention with DevSecOps speed and agility.

This knowledge base article covers the steps needed to test Appdome secured Android mobile apps by using BrowserStack mobile test automation suite.

Appdome works with all leading mobile automation testing solutions to help customers achieve comprehensive mobile app security at DevSecOps speed and agility, all within the app’s existing application lifecycle.

Testing on Android Apps

Browserstack allows testing apps by using its Live and Automation testing suits. Both can be used for testing Appdome secured mobile apps.

When using Browserstack to run Live App or App Automate testing on an Appdome protected app, certain security protections may be triggered due to the nature of Browserstack’s test environment. The following table describes which Appdome protection features may be triggered, the reason why and how to avoid it (during the app building stage on Appdome):

Appdome Feature	Reason	How to Prevent Such Identification
Root Prevention	Some of Browserstack devices are rooted	Enable Threat Events for Root Prevention with In-App Detection mode – Appdome will detect the rooted devices, but will not close the app.
Detect Developer Options	Required to interact with the device – therefore, turned on in Browserstack’s devices	Enable Threat Events for Detect Developer Options with In-App Detection mode – Appdome will detect that the setting Developer options is enabled, but will not close the app. Developer options is an Android setting that allows developers to configure system behaviors for administrative and troubleshooting purposes.
Block Android Debug Bridge (ADB)	Required to interact with the device	Enable Threat Events for Block Android Debug Bridge (ADB) with In-App Detection mode – Appdome will detect ADB is enabled, but will not close the app. ADB is a very powerful and versatile command-line tool that allows communicating with Android devices or Android apps either remotely or via a USB interface to perform a wide range of actions by running and executing an extensive list of commands installing and debugging apps, and it provides access to the Android shell. While ADB is intended for use by legitimate developers in building, debugging, and troubleshooting Android apps, it can also be used by cybercriminals, fraudsters, and hackers for other purposes.
Android MiTM Prevention	Browserstack uses a MiTM proxy	Enable Threat Events for Android MiTM Prevention with In-App Detection mode – Appdome will detect MiTM (Man in The Middle) proxy, but will not close the app. Malicious proxies are often used in mobile MiTM attacks. Hackers target insecure networks and wifi connections and hijack the connection between a mobile app and the server that it’s trying to connect to. They then redirect the session to malicious proxies so they can harvest data, steal credentials, deposit malware, etc.
Block Magisk	Magisk is installed on some of the rooted devices	Enable Threat Events for Block Magisk with In-App Detection mode – Appdome will detect Magisk on the device, but will not close the app. Magisk is a “systemless” Rooting tool that is used to elevate privileges to gain system-level access (root access) to the Android OS and underlying file system. Magisk does not make changes to the Android bootloader or require flashing custom ROM. Instead, it stores modifications in the boot partition instead of modifying the real system files.

Threat-event Modes

In-App Detection – Appdome detects the attack or threat and passes the event in a standard format to the app for processing, namely: the choice how and when to enforce is made based on your app’s settings.
In-App Defense – When a security event is detected by Appdome, Appdome will pass the event from the Appdome layer to the app.
Appdome’s security engine will handle the event, the default behavior is for the app to exit after displaying a compromise notification to the end user (compromise notifications are customizable).

Preventing Protections from being Triggered for Root Prevention

To prevent security protections from being triggered for Root Prevention:

Go to Build > Security.
Go to the OS Integrity section.
Enable (toggle On) Root Prevention.
Select the check box Threat Events.
From the list of threat event type, select In-App Detection.

Preventing Protections from being Triggered for Detect Developer Options

To prevent security protections from being triggered for Detect Developer Options:

Go to Build > Security.
Go to the OS Integrity section.
Enable (toggle On) Detect Developer Options.
Select the check box Threat Events.
From the list of threat event type, select In-App Detection.

Preventing Protections from being Triggered for Block Android Debug Bridge (ADB)

To prevent security protections from being triggered for Block Android Debug Bridge (ADB):

Go to Build > Anti Fraud.
Go to the Mobile Fraud Prevention section.
Enable (toggle On) Block Android Debug Bridge (ADB).
Select the check box Threat Events.
From the list of threat event type, select In-App Detection.

Preventing Protections from being Triggered for MiTM Prevention

To prevent security protections from being triggered for Android MiTM Prevention:

Go to Build > Security.
Go to the Secure Communication section.
Enable (toggle On) Android MiTM Prevention.
Select the check box Threat Events.
From the list of threat event type, select In-App Detection.

Preventing Protections from being Triggered for Block Magisk

To prevent security protections from being triggered for Block Magisk:

Go to Build > Anti Fraud.
Go to the Mobile Malware Prevention section.
Enable (toggle On) Block Magisk.
Select the check box Threat Events.
From the list of threat event type, select In-App Detection.

Testing .aab Apps

Unlike .apk apps, .aab apps must be re-signed before installation.

To avoid triggering Appdome’s Anti Tampering protection as a result of the re-signing process, you can use either of the following options:

Convert the test .aab app into Universal.apk, by using the same key that was used for signing the .aab app, and use the Universal.apk file to test with Browserstack.
Go to ONEShield™ by Appdome in any of the tabs, enable Threat Events for the Anti-Tampering feature and select the In-App-Detection mode.

Live App testing – Android

To initiate App Live test of your test app in Browserstack:

Log in to your BrowswerStack account. Alternatively, if you do not yet have an account, Create an account.
Click the Let’s Go button in BrowserStack’s account page.
The website now displays a page with a list of iOS and Android devices you can test the app with.
Click App Live on the top of the page.
Click Upload to upload your signed app build.
After the app upload completes, select the device to be used for testing the app.
To do that, click the device type (in the example shown below, Google) and then the device model. The app will be automatically installed on the selected device and then launched.

Note:
In case of any issues with the app, you need to send the device logs to Appdome Support by following these steps:
1. Go to Build > Security on on Appdome.
2. Enable(toggle On) the option Diagnostic Logs.
  For details, see Knowledge Base article Appdome Diagnostic Logs for Troubleshooting Secured Apps.
3. Go back to BrowserStack and re-run the steps used for uploading the app with the selected device.
4. Click the Kill/Uninstall button on the running app.
5. Select the options All Device Logs and Verbose.
6. Clear the log under DEVTOOLS.
7. On the device, open the app once more, getting to the point where the issue occurred (and take note of the time).
8. Click Download at the top right-hand corner under DEVTOOLS.
9. Set a name for the downloaded log, including the time the issue occurred.
10. Sent the log by email to support@appdome.com, complete with details on the issue, device model, and OS version used in testing.

Automating App Testing on Android

BrowserStack has several Appium capabilities, namely: a series of key-value pairs that allow you to configure your tests on BrowserStack. For further details, see the Capabilities Builder – Appium webpage.

The network Log Appium capability can trigger Appdome protection features, as specified below.

BrowserStack-Specific Appium Capability	Reason	How to prevent such identification
networkLog	By default, BrowserStack re-signs the app to enable capturing network log.	Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app.

To prevent the triggering of Appdome protection features when networkLog is used:

Go to ONEShield™ by Appdome in any of the Appdome tabs.
Enable Threat Events for the Anti-Tampering feature.
Select the In-App-Detection mode.

Note:

For additional measures to take during app build on Appdome, see the above sections Testing on Android Apps and Testing .aab Apps.

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.