How to Use DevSecOps Build System to Secure Mobile Apps at Scale
Organizations use Appdome to automate the integration of 3rd-party services to mobile apps. Mobile DevOps teams use Appdome-DEV™ to better integrate Appdome in their Continuous Integration (CI) and Continuous Delivery (CD) processes and achieve an accelerated mobile app lifecycle. So, what is Appdome-DEV, and how do you use Appdome-DEV to secure mobile apps at scale?
This Knowledge Base article answers the question of what Appdome-DEV is and describes the role it plays in CI/CD processes and how it offers DevOps an accelerated mobile app lifecycle workflow.
Appdome-DEV empowers mobile developers to customize, enhance, and deploy their apps to public and private app stores and offers:
- All Appdome-GO Features PLUS
- CI/CD integration + Automated Integration Life Cycle
- Advanced Team Controls and App Approvals
- Flex-Release™ – shared templates and Fused-Apps
- Advanced Security Controls Threat-Events
- Mobile Threat Control with a Mobile Threat Subscription
- Encryption Control with a TOTALData Encryption subscription
- Session Control with a Secure Communication subscription
- Custom MFA Control with an MFA subscription
- Auto-Dev Private Signing
- Auto Deploy to public and private App-stores
We hope you find this knowledge base useful and enjoy using Appdome!
Prerequisites for using Appdome-DEV™
- Appdome account – IDEAL + Appdome-DEV.
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
- A CI/CD System for integration.
The Challenge of CI/CD in Mobile Apps
Mobile development and DevOps teams know that Continuous Integration (CI) and Continuous Delivery (CD) accelerate release cycles and improve mobile app delivery. Unfortunately, most CI/CD processes don’t account for the work needed to implement third-party SDKs, APIs, and services such as mobile security, enterprise authentication, mobility management, and more. These services are typically outside the control of mobile developers and DevOps teams. If external services cause breaks as new versions of a mobile app are released, CI/CD stops. Even more likely, a new release of an API/SDK or mobile operating system requires the integration to start from scratch, causing delays and disruption to CI/CD workflows.
Remove Mobile Integration From the Build
Appdome provides mobile developers and DevOps a no-code mobile security and development platform to quickly add mobile services, SDKs, and APIs into any Android and iOS mobile app in seconds – post-build. There is no code or coding required. This enables anyone, including DevOps, to integrate third-party services into mobile apps and complete projects themselves – with no dependencies on what’s coded inside the app.
Typically, mobile developers must work hard to add and maintain mobile SDK/API and third-party services in apps. Creating continuous integration and continuous delivery is the way to improve mobile app delivery speed and quality. With Appdome, the line-by-line, manual development work required to add SDK/APIs and other services to apps is gone. This also includes any required mobile standard, framework, method, and workflow needed inside the mobile app. The bottom line is that developers can simply build great apps, focusing their attention on the use case and user experience required for the app. After building the app, anyone can use Appdome to automatically add third-party services as a final step in CI/CD processes.
Align Appdome With Existing Mobile Development Workflows
Development organizations invest heavily in CI/CD tools and create unique CI/CD development cycles that meet their mobile app development needs. Appdome integrates with CI/CD tools including Jenkins, GitLab CI, TeamCity, Bamboo, CircleCI, Codeship, Codefresh, Azure DevOps, and others. Organizationally, project managers and DevOps teams assign specific steps and responsibilities in the CI/CD workflow to particular experts. Ensuring that the right people are doing the right job accelerates the development cycle. Appdome is designed to integrate directly into existing CI/CD workflows at a platform and organizational level. Organizations can connect Appdome directly to build systems and assign integration responsibilities to different teammates as needed.
Appdome-DEV Offers an Accelerated Mobile App Lifecycle Workflow
Appdome offers a CI/CD integration called Appdome-DEV™. Appdome-DEV expands on Appdome’s no-code mobile integration capabilities to provide mobile development teams with all the tools needed to accelerate mobile integration lifecycles. Inside Appdome-DEV, developers will find mobile integration templates, teams, integration with build systems, automatic publishing, and more. Appdome-DEV allows organizations to complete hundreds of simultaneous integrations, making Appdome the perfect complement to other CI/CD processes, systems, and tools that enterprises already have deployed.
Key Benefits of Appdome-DEV
Below is a list of specific Appdome-DEV features that enable mobile development and DevSecOps teams to automate mobile integration and delivery projects and workflows:
Mobile Release Teams
Appdome Teams & Workspaces provide roles, segregation of duties, and collaboration across the organization and speed mobile app security releases. Appdome Teams and Workspaces allow owners of specific organizational responsibilities to come together to complete mobile security projects. For example, team members can include experts on development, security, IAM, delivery, and other areas related to the mobile app lifecycle. Appdome supports two models of Teams: Organization (internal users only) and Open (internal and external users). For example, using the Open Team Model, an organization that builds mobile apps for customers can invite the customer to become a member of the team so that they can add the right network configurations to the Fused app and sign it with their enterprise developer certificates. Appdome Teams are unique separate entities that exist in a secure, private, multi-tenant environment.
Refer to this knowledge base article to learn how you can collaborate using Appdome Teams.
Release Team Management
Appdome supports two entitlement models for Release Teams: Collaborate and Manage.
- Collaborate allows release team members to claim and assign responsibilities in an open, flexible system of entitlements. This collaborative workflow empowers diverse functional areas to perform the work needed to release an app.
- Manage allows a team leader to assign entitlements to different release team members, according to their expertise for the various steps in the mobile integration workflow.
For example, app-signing entitlements can be given to team members who are not part of the development organization. Manage also allows approvals of mobile integration and publication. Organizations can use different models for testing and production to improve mobile app delivery.
Refer to this knowledge base article to learn how you can use Entitlements to collaborate on mobile integration projects.
Security and Integration Templates
Mobile developers and DevOps teams can create reusable mobile security templates called Fusion Sets™ on Appdome. Fusion Sets allow organizations to specify the security features needed in each Android and iOS app, using these Fusion Sets to consistently meet mobile app security objectives, compliance objectives, and more. A Fusion Set can include any combination of Appdome and third-party features, SDKs, or APIs available on Appdome. Using Feature-Freeze™, an individual user or authorized Appdome team member can lock a Fusion Set for production use, guaranteeing that the approved Fusion Set will not be changed. Organizations can subscribe one or more Android or iOS apps to each Fusion Set to complete end-to-end mobile security lifecycles automatically, build-by-build.
Refer to this knowledge base article to learn more about Mobile Integration Templates.
Flex-Release™ – Shareable Security Projects
With Flex-Release, key members of the DevOps team can test and determine the correct integrations and approve Fusion Sets and/or Fused Apps before sharing them with a different production team. Once in production, that Fusion Set is fully integrated into the automatic build system without impacting the workload for the production DevOps team. Build-by-build, the organization can guarantee that the required third-party services are integrated into the app.
Appdome offers the mobile industry’s first automatic secure app signing and sign verification service. It automates the app signing process and ensures that Fused apps are signed correctly, thus eliminating common signing errors that plague manual mobile integration projects.
Appdome’s Auto-DEV private signing script allows users to sign Fused apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script in your trusted environment extracts the app and signs it using a certificate in your keychain.
Refer to this knowledge base article to learn more about Auto-Dev Private Signing.
Auto Deploy to Public and Private App Stores
With Appdome-DEV, mobile developers can auto-deploy their Appdome-Fused apps to both public and private app stores.
Refer to these knowledge base articles to learn more about Auto Deploying to Public Appstores, Apple Appstore and Google Play Store and Auto Deploying to Private/Enterprise Appstores: Microsoft Intune, VMware Workspace ONE, IBM MaaS360 and MobileIron.
Fusion History is very powerful for troubleshooting and auditing purposes. Throughout the integration workflow, it provides a complete history of all integration and deployment activities, available on a per-app and per-Fusion Set basis. This enables Appdome admins to view and audit the complete log history, seeing who did what during each step of the Fusion process. Fusion History also offers built-in versioning and indexing for everything users do on Appdome, such as uploaded apps, fused builds, Fusion Sets, signing activity, and more. In addition, Integration Binding ensures that all activities related to published builds are fully trackable, using mechanisms like timestamps, fusion stamps, and audit stamps. Lastly, users can also access and re-integrate original app binaries to suit any mobile integration use case.
An optional feature, Appdome-DEV provides a collection of APIs that connect all critical steps in Appdome’s no-code security process, such as Build, Fuse, Sign, Publish, and Fusion Notify, to CI/CD automation systems (such as Jenkins and GitLab CI). This allows development teams to integrate one or more Appdome processes into existing workflows without impact. With Appdome-DEV APIs, developers can choose to rely on Appdome for security features only and/or extend the use of Appdome for automatic signing and publishing of Android and iOS apps to any public app stores (like Apple’s AppStore or Google’s Google Play) or private app stores (such as Microsoft Intune, VMware Workspace ONE or IBM MaaS360).
Refer to this knowledge base article to learn how to use Appdome’s REST API.
An optional feature, Appdome’s Threat-Events lets developers code unique app outcomes based on the security event triggered by Appdome. Threat-Events offers full-range mobile defense and threat events for each security feature on Appdome, such as jailbreak and rooting, MiTM violations, tampering, debugging, emulators, and simulators. Threat-Events use industry-standard notification methods to pass events from the Appdome layer to the app, informing the app any time a malicious event occurs against or with respect to an Appdome-protected app. These notifications can be used inside apps to alter the behavior of an app when a threat event occurs, such as closing the app, disabling functionality in the app, scoring the threat and/or using the event in external threat management systems.
Refer to this knowledge base article to learn more about Appdome Threat-Events.
An optional feature, Appdome-DEV PLUS is an enhanced offering that lets customers meet the requirements of high-volume and/or multi-app rollouts.
- For pre-release testing and verification, Appdome-DEV PLUS provides Appdome Certified Release™, a dedicated Appdome release team that conducts pre-release app security and workflow testing and enhanced response times.
- For high-volume production deployments, Appdome-DEV PLUS also provides Appdome’s API Enterprise Suite to scale up simultaneous security builds across 100s or 1000s of mobile apps.
- Customers requiring support for older mobile OSs or device lists can also purchase Appdome-DEV PLUS Extended Support.
These powerful options ensure that high-volume release schedules are achieved consistently with the highest level of security.