How to Use DevSecOps Build System to Secure Mobile Apps at Scale

Last updated April 23, 2023 by Appdome

 

Organizations use Appdome to automate the integration of 3rd-party services to mobile apps. Mobile DevOps teams use Appdome-DEV™ to better integrate Appdome in their Continuous Integration (CI) and Continuous Delivery (CD) processes and achieve an accelerated mobile app lifecycle. So what is Appdome-DEV, and how do you use it to secure mobile apps at scale?

This Knowledge Base article explains what Appdome-DEV is, the role it plays in CI/CD processes, and how it offers DevOps an accelerated mobile app lifecycle workflow.

Appdome-DEV empowers mobile developers to customize, enhance, and deploy their apps to public and private app stores and offers:

  • All Appdome-GO Features PLUS
  • CI/CD integration + Automated Integration Life Cycle
  • Advanced Team Controls and App Approvals
  • Flex-Release™ – shared templates and Fused-Apps
  • Advanced Security Controls Threat-Events
  • Mobile Threat Control with a Mobile Threat subscription
  • Encryption Control with a TOTALData Encryption subscription
  • Session Control with a Secure Communication subscription
  • Custom MFA Control with an MFA subscription
  • Auto-Dev Private Signing
  • Auto Deploy to public and private App-stores

We hope you find this knowledge base useful and enjoy using Appdome!

Prerequisites for using Appdome-DEV™

  • Appdome account – IDEAL + Appdome-DEV.
  • Mobile App (.ipa for iOS, or .apk or .aab for Android). Have the app file available for Fusion on your computer.
  • Signing Credentials (e.g., signing certificates and provisioning profile)
  • A CI/CD System for integration.

The Challenge of CI/CD in Mobile Apps

Mobile development and DevOps teams know that Continuous Integration (CI) and Continuous Delivery (CD) accelerate release cycles and improve mobile app delivery. Unfortunately, most CI/CD processes don’t account for the work needed to implement third-party SDKs, APIs, and services such as mobile security, enterprise authentication, mobility management, and more. These services are typically outside the control of mobile developers and DevOps teams. If external services cause breaks as new versions of a mobile app are released, CI/CD stops. Even more likely, a new release of an API/SDK or mobile operating system requires the integration to start from scratch, causing delays and disruption to CI/CD workflows.

Remove Mobile Integration From the Build

Appdome provides mobile developers and DevOps a no-code, mobile security and development platform to quickly add mobile services, SDKs, and APIs into any Android and iOS mobile app in seconds – post-build. There is no code or coding required. This enables anyone, including DevOps, to integrate third-party services into mobile apps and complete projects themselves – with no dependencies on what’s coded inside the app.

Typically, mobile developers must work hard to add and maintain mobile SDKs/APIs and third-party services in apps. Creating continuous integration and continuous delivery is the way to improve mobile app delivery speed and quality. With Appdome, the line-by-line, manual development work required to add SDKs/APIs and other services to apps is gone. This also includes any required mobile standard, framework, method, and workflow needed inside the mobile app. Bottom line, developers can simply build great apps, focusing their attention on the use case and user experience needed in the app. After building the app, anyone can use Appdome to automatically add third-party services as a final step in CI/CD processes.

Align Appdome With Existing Mobile Development Workflows

Development organizations invest heavily in CI/CD tools and creating unique CI/CD development cycles that meet their mobile app development needs. Appdome integrates with CI/CD tools including Jenkins, GitLab CI, TeamCity, Travis CI, Bamboo, CircleCI, Codeship, Codefresh, Azure DevOps, and others. Organizationally, project managers and DevOps teams assign specific steps and responsibilities in the CI/CD workflow to specific experts. Ensuring that the right people are doing the right job accelerates the development cycle. Appdome is designed to integrate directly into existing CI/CD workflows at a platform and organizational level. Organizations can connect Appdome directly to build systems and assign integration responsibilities to different team-mates as needed.

Appdome-DEV Offers an Accelerated Mobile App Lifecycle Workflow

Appdome offers a CI/CD integration called Appdome-DEV™. Appdome-DEV expands on Appdome’s no-code mobile integration capabilities to provide mobile development teams with all the tools needed to accelerate mobile integration lifecycles. Inside Appdome-DEV, developers will find mobile integration templates, teams, integration with build systems, automatic publishing and more. Appdome-DEV allows organizations to complete hundreds of simultaneous integrations, making Appdome the perfect complement to other CI/CD processes, systems and tools which enterprises already have deployed.

Key Benefits of Appdome-DEV

Below is a list of specific Appdome-DEV features which enable mobile development and DevSecOps teams to fully automate mobile integration and delivery projects and workflows:

Mobile Release Teams

Appdome Teams & Workspaces provide roles, segregation of duties, and collaboration across the organization and speed mobile app security releases. Appdome Teams and Workspaces allow owners of specific organizational responsibilities to come together to complete mobile security projects. For example, team members can include experts on development, security, IAM, delivery and other areas related to the mobile app lifecycle. Appdome supports two models of Teams: Organization (internal users only) and Open (internal and external users). For example, using the Open Team Model, an organization that builds mobile apps for customers can invite the customer to become a member of the team so that they can add the right network configurations to the Fused app and sign it with their enterprise developer certificates. Appdome Teams are unique separate entities that exist in a secure, private, multi-tenant environment.

Refer to this knowledge base article to learn how you can collaborate using Appdome Teams.

Release Team Management

Appdome supports two entitlement models for Release Teams: Collaborate and Manage.

  • Collaborate allows release team members to claim and assign responsibilities in an open flexible system of entitlements. This collaborative workflow empowers diverse functional areas to perform the work needed to release an app.
  • Manage allows a team leader to assign entitlements to different release team members, according to their expertise for the different steps in the mobile integration workflow.

For example, app-signing entitlements can be given to team members who are not part of the development organization. Manage also allows approvals of mobile integration and publication. Organizations can use different models for testing and production to improve mobile app delivery.

Refer to this knowledge base article to learn how you can use Entitlements to collaborate on mobile integration projects.

Security and Integration Templates

Mobile developers and DevOps teams can create re-usable mobile security templates, called Fusion Sets™, on Appdome. Fusion Sets allow organizations to specify the security features needed in each Android and iOS app, using these Fusion Sets to consistently meet mobile app security objectives, meet compliance objectives and more. A Fusion Set can include any combination of Appdome and third-party features, SDKs or APIs available on Appdome. Using Feature-Freeze™, an individual user or authorized Appdome team member can lock a Fusion Set for production use, guaranteeing that the approved Fusion Set will not be changed. Organizations can subscribe one or more Android or iOS apps to each Fusion Set, to complete end-to-end mobile security lifecycles automatically, build-by-build.

Refer to this knowledge base article to learn more about Mobile Integration Templates.

Flex-Release™ – Shareable Security Projects

With Flex-Release, key members of the DevOps team can test and determine the correct integrations and approve Fusion Sets and/or Fused Apps, before sharing them with a different production team. Once in production, that Fusion Set is fully integrated in the automatic build system, without impacting the workload for the production DevOps team. Build-by-build, the organization can guarantee that the required third-party services are integrated into the app.

Sign-Right™

Appdome offers the mobile industry’s first automatic secure app signing and sign verification service. It automates the app signing process and ensures that Fused apps are signed correctly, thus eliminating common signing errors that plague manual mobile integration projects.

Appdome’s Auto-DEV private signing script allows users to sign fused apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script in your trusted environment extracts and signs the app using a certificate in your key chain.

Refer to this knowledge base article to learn more about Auto-Dev Private Signing.

Auto Deploy to Public and Private App Stores

With Appdome-DEV, mobile developers can auto-deploy their Appdome-Fused apps to both public and private app stores.

Refer to these knowledge base articles to learn more about Auto Deploying to Public Appstores (Apple Appstore and Google Play Store) and Auto Deploying to Private/Enterprise Appstores (Microsoft Intune, VMware Workspace ONE, IBM MaaS360 and MobileIron).

Fusion History

Fusion History is very powerful for troubleshooting and auditing purposes. Throughout the integration workflow, it provides a complete history of all integration and deployment activities, available on a per app and per Fusion Set basis. This enables Appdome admins to view and audit the complete log history, seeing who did what during each step of the Fusion process. Fusion History also offers built-in versioning and indexing for everything users do on Appdome, such as uploaded apps, fused builds, fusion sets, signing activity and more. In addition, Integration Binding ensures that all activities related to published builds are fully trackable, using mechanisms like timestamps, fusion stamps, and audit stamps. Lastly, users can also access and re-integrate original app binaries to suit any mobile integration use case.

Appdome-DEV APIs

An optional feature, Appdome-DEV provides a collection of APIs that connect all key steps in Appdome’s no-code security process, such as Build, Fuse, Sign, Publish and Fusion Notify, to CI/CD automation systems (such as Jenkins and GitLab CI). This allows development teams to integrate one or more Appdome processes into existing workflows without impact. With Appdome-DEV APIs, developers can choose to rely on Appdome for security features only and/or extend use of Appdome for automatic signing and publishing of Android and iOS apps to any public app stores (like Apple’s AppStore or Google’s Google Play) or private app stores (such as Microsoft Intune, VMware Workspace ONE or IBM MaaS360).

Refer to this knowledge base article to learn how to use Appdome’s REST API.

Appdome-Threat Events™

An optional feature, Appdome’s Threat-Events lets developers code unique app outcomes based on the security event triggered by Appdome. Threat-Events offers the full range of mobile defense and threat events for each security feature on Appdome, such as jailbreak and rooting, MiTM violations, tampering, debugging, emulators, and simulators. Threat-Events use industry standard notification methods to pass events from the Appdome layer to the app, informing the app any time a malicious event occurs against or in respect of the Appdome protected app. These notifications can be used inside apps to alter the behavior of an app when a threat event occurs, such as closing the app, disabling functionality in the app, scoring the threat and/or using the event in external threat management systems.

Refer to this knowledge base article to learn more about Appdome Threat-Events.

Appdome-DEV PLUS™

An optional feature, Appdome-DEV PLUS is an enhanced offering that lets customers meet the requirements of high-volume and/or multi-app rollouts.

  • For pre-release testing and verification, Appdome-DEV PLUS provides Appdome Certified Release™, a dedicated Appdome release team that conducts pre-release app security and workflow testing, and enhanced response times.
  • For high-volume production deployments, Appdome-DEV PLUS also provides Appdome’s API Enterprise Suite, to scale up simultaneous security builds across 100s or 1000s of mobile apps.
  • Customers requiring support for older mobile OSs or device lists can also purchase Appdome-DEV PLUS Extended Support.

These powerful options ensure that high-volume release schedules will be achieved consistently with the highest level of security.

How Do I Learn More?

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

To zoom out on this topic, visit the Appdome Platform section on our website.

Thank You and Try Appdome!

Thanks for visiting Appdome! Our mission is to make mobile integration easy and offer mobile DevOps an accelerated mobile app lifecycle workflow. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.  
