How to Secure Android & iOS Apps in Bitrise CI/CD Pipelines

This Knowledge Base article provides instructions for using the Appdome Build-2Secure step for Bitrise CI/CD pipelines. Appdome’s Build-2Secure step for Bitrise is an out-of-the-box Bitrise CI/CD integration, making it easy for mobile developers to automate the building, signing, and certification of security, anti-fraud, and other protections in Android & iOS apps in Bitrise CI/CD pipelines. No code and no SDKs are required.

The purpose of Appdome’s Build-2Secure step for Bitrise is to streamline and accelerate cyber and anti-fraud delivery in CI/CD pipelines. To do this, the Build-2Secure step for Bitrise automates three important steps in delivering more secure mobile applications to your users fast: (1) building app-level protections into mobile apps, (2) code signing the protected mobile app, and (3) certifying the security of each protected mobile app. The Appdome Build-2Secure step for Bitrise can be used to deliver Certifed Secure™ mobile app security, anti-fraud, anti-malware, mobile anti-bot, and other cyber defense updates to mobile apps on the Appdome Cyber Defense Automation Platform. Use this step for Bitrise as a stand-alone DevSecOps integration or in combination with other DevSecOps integrations in your CI/CD pipeline.

For more general information on Bitrise Workflow Steps, see Managing Tools on the Bitrise website. 

Below are the step-by-step instructions on using the Appdome Build-2Secure step for Bitrise. Enjoy!

Prerequisites to Appdome’s Build-2Secure Step for Bitrise

Before you begin using Appdome with Bitrise you’ll need to have:

• An Appdome SRM account
• Appdome API token
• Fusion-Set ID
• A Bitrise account

Step 1: Getting Started with Build-2Secure Step for Bitrise

The Appdome Build-2Secure step takes the unprotected application file (apk, aab or ipa), rebuilds the file, and signs it by using the On-Appdome platform, based on the selected fusion set and signature method. This step can be performed either as part of an existing workflow or as a new workflow where you must provide the application file as part of the input for this step.

If you already have an existing Workflow, you can skip to Step 3.

Step 2: Creating a New Workflow for Build-2Secure Step in Bitrise

To create a workflow with Appdome Build-2Secure:

1.  Log in to Bitrise and go to the dashboard.

   A list of your current mobile app projects is displayed on the right side of the screen.

   

2. Select the requested app from the apps list. If your app is not on the list, follow the Bitrise process for adding an app. In this example, android-demo-app is selected. After you select a project, a build history screen is displayed.
   
   
3. Click the Workflows button on the top right side of the screen to display the Workflow Editor screen.
   By default, every app has two pre-defined workflows: primary and deploy, which are automatically generated by Bitrise. The images above only display the default primary workflow. When using an existing workflow, it is important to add the Appdome Build-2Securestep to be in the correct position in the flow, namely:
   • After the build step which generates a valid (apk/aab/ipa) file
   • Before the build artifact has been signed and deployed
   • While you can add the Appdome Build-2Secure step into any existing workflow, for the sake of simplicity this document specifies creating a new workflow for building and signing an existing app file.
4. Click the + sign near the WORKFLOW to create a new workflow. The Add new workflow dialog box is displayed.
   

5. Provide a workflow name. In this example, the name Appdome_Build_Sign is used.

   

6. Select the value Empty workflow from the Based on:list, as shown below.
   A new workflow named Appdome_Build_Sign is created

   

7. Click the  Save button (on the top right corner). Alternatively, click ⌘ +S for Mac or Ctrl+S for PC. After the save is completed, the button’s color will change to gray and to Saved label.
    Note:For Android apps, Bitrise selects by default a medium-sized Android & Docker on Ubuntu stack machine. For iOS apps, Bitrise selects a medium-sized Apple Silicon M1 based Xcode, on macOS. You can change the stack type and size by going to Stacks & Machines bar and selecting a different stack or a different size. However, Appdome Build-2Secure step itself does not require more than the default stack.As a first step in the new example workflow, add the Appdome Build-2Secure step from the Bitrise steps repository.

Step 3: Adding Build-2Secure Step to Bitrise Workflow

To add a Build-2Secure step to the Bitrise flow:

1. Add a new step by clicking on the + icon on the left side of the screen, in the step section (below the workflow name). A dialog box appears, displaying all Android valid steps.Notes:Ensure that you do not click the + icon to the right of the workflow name, as this will result in opening a dialog box for adding a new workflow. If you click this icon by mistake, click Esc to abort the action.The screenshots below are relevant to Android-related steps. If your workflow is designed for an iOS app only steps relevant to iOS will be displayed.
   
   Note the black icon on the right of the search bar, which displays the platform for which the displayed steps are relevant
2. Use the Search steps field to perform the following operations:
   1. Type Appdome Build-2Secure .
      
   2. Click on this field after it is found. The new Appdome Build-2Secure step is added to your workflow.
   3. Click the  Save button on the top right corner. Alternatively, click ⌘ +S for Mac or Ctrl+S for PC. After the save is completed, the button’s color will change to gray and to Saved label.
   4. Click the + sign on the right side of the screen, in the step section (below the Appdome Build-2Secure step). A new window with the available steps library is displayed on the right.
      
   5. Use the step library window to search and select the step Deploy to Bitrise.io – Build Artifacts, Test Reports, and Pipeline intermediate files. This step is valid for both Android and iOS apps.
      
      After the step is selected, it will be added to your workflow as the last step.
   6. Click the Save button (on the top right corner). Alternatively, click ⌘ +S for Mac or Ctrl+S for PC. After the save is completed, the button’s color changes to gray and to Saved label.

Step 4: Configuring Bitrise Environmental Variables in the App Workflow

This section provides instructions for configuring Bitrise environment variables, which you can refer to later in the Configuration:

1. Click the Code Signing & Files tab.  This tab allows you to store code signature-related files (for example, certificates and provisioning profiles). The bottom part of the tab allows you to upload generic files.
   Note: As both the Keystore File and the Generic File Storage sections allow file sizes of up to 5MB each, it is not possible to upload an app file here.
2. Upload the project signature-related files in accordance with your project type. For an Android app project When signing an Android app project by using On-Appdome method, Android Keystore file must be uploaded by following the steps below.
   Note: Signing Android apps by using Private-Signing or Auto-Dev-Signing methods does not require any file upload. If you are not planning to use On-Appdome signing for your Android apps, you can skip to step no. 3 – Define Secrets.
   1. Upload the Android Keystore file to the ANDROID KEYSTORE FILE section, by clicking Upload file. After the file has been uploaded, its name will be displayed under the ANDROID KEYSTORE FILE section. Bitrise automatically assigns an environment variable to this field.
   2. Enter the keystore password in its assigned field. Bitrise automatically assigns an environment variable to this field.
   3. Enter the keystore alias in its assigned field. Bitrise automatically assigns an environment variable to this field.
   4. Enter the private key password in its assigned field. Bitrise automatically assigns an environment variable to this field.
   5. When done, click Save metadata.
   6. For an iOS app project:
      

   The Code Signing & Filesscreen looks different than the one for Android. Follow the steps below.

   1. Upload the provisioning profile file to the PROVISIONING PROFILE section. After the file has been uploaded, its name is displayed in this section. You can upload up to 30 provisioning profile files to the platform, each with a maximum size of 5MB.
      If On-Appdome signing method is planned to be used for app signing, you need to upload the .p12 certificate file to the CODE SIGNING CERTIFICATES section and enter the file password in the PASSWORD field.
      Note: If you plan to use only Private-Signing or Auto-Dev-Signing methods, uploading .p12 certificate file is not required. After the certificate file has been uploaded, its details are displayed under the CODE SIGNING CERTIFICATES section.
      Note: Though Bitrise platform supports up to 30 certificate files, Appdome Build-2Secure step supports only one certificate file. Uploading more than one file could result in signing issues.
   2. Entitlement files should be uploaded to the GENERIC FILE STORAGE section at the bottom of the screen. You can upload up to five entitlement files (up to 5MB each).
   3. Before uploading a file, you must provide it with a unique ID in the File Storage ID field.
      In this example, the File Storage ID assigned to the entitlements file is ENTITLEMENTS_1.
      Note: Uploading the file is only possible after providing File Storage ID.
      
   4. Upload your entitlements file by clicking on the Upload file.
      Note: Bitrise may alter the ID you have provided to the file. Its final name will be displayed marked in green below the file name after it had been uploaded. In this example, Bitrise has assigned it the variable name $BITRISEIO_ENTITLEMENTS_1_URL. This name will be the environment variable referred to in the workflow.
      
      You can upload up to five entitlement files (up to 5MB each).Ensure that you give each entitlement file a unique file storage ID, and mind the variable name Bitrise had assigned to it.
   5.  Define Secrets. Secrets are environmental variables that hold sensitive data. These are securely stored in the Bitrise platform.

      1. Click the Secrets tab.

         

      2. Click Add new.
         
      3. Define a Key named APPDOME_API_KEY with the value of your Appdome API token.
      4. Click Save.
      5. Click Add New.

      6. Define a Key named SIGN_FINGERPRINT. If you are building an Android app project that is planned to be uploaded to Google Play, this variable should be holding your Google Play fingerprint. If Google Play signature is not required, this variable should be holding your signing fingerprint.

         

      7. Click Save. Optionally, you can edit and change an existing key value by clicking the Edit button on the right side of its field.

Step 5: Configuring the Appdome Build-2Secure Step

To configure the input variables for the Appdome Build-2Secure Step:

1. Click the Appdome Build-2Secure step. The right side of the screen displays details about the step, as well as the required input variables.
2. Fill-in the parameters as listed below.
   1. App file URL (mandatory) 
      App file (apk/aab/ipa) location to be built and signed by On-Appdome. This field can be a URL address of an external location or an environment variable indicating the file location.
      Note: – You can define your own environment variables under the Env Vars tab. – If you are using the Appdome Build-2Secure step as part of an existing workflow, this field should be populated with the output of the previous step; for example,  $BITRISE_APK_PATH, $BITRISE_AAB_PATH, and $BITRISE_IPA_PATH.

   2. Fusion Set ID (mandatory) 

      Appdome fusion set ID. Ensure that this ID is valid for the type of project you are using (Android/iOS).
   3. Team ID (optional) The team ID on the On-Appdome platform.

Select Signing Method (mandatory)

Use the Signing Method field to select the appropriate method for signing your app. Each signing method requires additional parameters, as detailed below.

1. For An Android app project with On-Appdome signing method: Android keystore file, Keystore password, Keystore alias, and Private key password.
   These mandatory parameters were already defined in the Code Signing & Files tab and are taken from there.

   

2. For an Android app project with Private-Signing  /Auto-Dev-Signing method.
   Set to true if Google Play signing is required, or false if signing is optional. If set to true, ensure that your Google Play signature is in $SIGN_FINGERPRINT environmental parameter under the Secrets tab.
3.  For an iOS app project with On-Appdome signing method:
   1. Code Signing Certificate (mandatory) – Code signing .p12 certificate file, which was previously uploaded to the Code Signing & Files tab.
   2. Certificate Password – Certificate file password, which was previously defined in the Code Signing & Files tab. The password must match its certificate file.
   3. Provisioning Profile (mandatory) – Provisioning profile file/s, which were uploaded to the Code Signing & Files tab. You must specify at least one file in this field.
   4. iOS Entitlement EnvVar/s (optional) – If iOS Entitlements are provided, they will be used for signing the iOS app. Use this field to enter the environmental variable names of the previously uploaded entitlement files. For multiple entitlement files, you can enter multiple names separated by space.
      Note:The signing process will automatically use the Provisioning profiles and .p12 certificate file previously uploaded in the Code Signing & Files tab.
4. For an iOS app project with Private-Signing/Auto-Dev-Signing method:
   1. Provisioning Profile (mandatory) – Provisioning profile file/s, which were uploaded to the Code Signing & Files tab. You must specify at least one file in this field.
   2. iOS Entitlement EnvVar/s (optional) – If iOS Entitlements are provided, they will be used for signing the iOS app. Use this field to enter the environmental variable names of the previously uploaded entitlement files. For multiple entitlement files, you can enter multiple names separated by space.
      
   3. Note: The signing process automatically uses the Provisioning profiles and .p12 certificate file you have previously uploaded in the Code Signing & Files tab.
5. When done, click the Save button (on the top right corner). Alternatively, click ⌘ +S for Mac or Ctrl+S for PC. After the save operation is completed, the button’s color changes to gray and to the Saved label.

Step 6: Build & Sign Android & iOS Security with Build-2Secure

1. Click the Run Workflow purple button on the right.
   Note: If several workflows are available, ensure that you run the correct workflow.
   
2. If you are required to provide a branch name for your build, enter the branch name and click Run Workflow. A new window is displayed, showing the build and sign process log.

The Appdome Build-2secure will automatically listen for the build and sign commands sent from Bitrise and add the mobile app security, anti-fraud, and other protections to your Android or iOS mobile app as specified in the Fusion Set associated with this app.

Step 7: Retrieve DevSecOps Certification with Build-2Secure Step

Related Articles

• How to Secure Android & iOS Apps in Jenkins CI/CD pipelines
• How to Secure Android & iOS Apps in GitLab CI/CD Pipelines
• How to Use Secure Android & iOS Apps in GitHub CI/CD

Conclusion

Need Additional Help? 

The description above is designed to help you secure Android & IOS apps in Bitrise CI/CD pipelines. If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform. 

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.