How to Secure Android & iOS Apps in Jenkins CI/CD pipelines

Prerequisites to Appdome’s plugin for Jenkins

Beofre you use Appdome’s plugin for jenkins, there are a few things you need to have:

• • An Appdome SRM account
    1. Appdome Build2Secure API token
    2. Fusion-Set ID
  • Jenkins CI/CD server
    1. CURL installed on your Node.
    2. Environment Injector plugin (*Optional)

Step 1: Installing the Build-2Secure plugin in Jenkins

To install the Appdome Build-2Secure plugin:

1. Go to the Jenkins homepage.
2. Select Manage Jenkins on the left menu.
   
3. Select the Manage Plugins command.
   
4. Add the Appdome Build-2Secure plugin to Jenkins through Jenkins Plugin Index as follows:
   
   1. 1. 1. Select the Available tab.
         2. Search for Appdome Build-2Secure.
         3. Select the Appdome build-2Secure and click Download now and install after restart.
         4. Restart your Jenkins server.
            
         5. To confirm the successful installation of the plugin, navigate to Manage Jenkins > Installed plugins and then search for Appdome Build-2Secure.

The Appdome Build-2Secure plugin is versatile and can be used in both freestyle projects and pipelines. To utilize the plugin in a freestyle project, it is necessary to add the plugin as a build step, which will be explained in the following section. Alternatively, if you opt to use a pipeline, we have also included instructions on how to incorporate the plugin into the appropriate stage of your pipeline script later in the guide.

Appdome Build-2Secure Plugin in Jenkins (Freestyle Project)

Step 2: Creating the Build-2Secure plugin in Jenkins

This step provides instructions for adding the Appdome Build-2Secure Plugin in both of the following methods:

• • Adding the Appdome plugin to a new project
  • Adding the Appdome plugin to an existing project

Adding the Appdome Plugin to a New Project

To add the Appdome plugin to a new project:

1. 1. 1. From the Jenkins menu, click New Item.
         
      2. Assign a name to your project and select the Freestyle Project type, then click OK.
         
      3. Use the next page to select the Build Steps command.
         
      4. Expand the list Add build step and select Appdome Build-2Secure.
         
      5. Proceed to set the Appdome build-2Secure plugin configuration, as described in the next step.

Adding the Appdome Plugin to an Existing Project

To add the Appdome plugin to an existing project:

1. 1. 1. Select the project to which you want to add the plugin to.
      2. Go to Configure from the Jenkins menu.
         
      3. Open the Add build step menu and then select Appdome Build-2Secure.
         Appdome build-2Secure UI shows up, allowing you to enter your configuration.
      4. Proceed to set the Appdome build-2Secure plugin configuration, as described in the next step.

Step 3: Configure Appdome build-2Secure Plugin Configuration

After you select Appdome Build-2Secure as a build step, the screen shown below is displayed.

1. Use the Token field to enter your Appdome Build2Secure API token, by following the instructions provided in section Getting and resetting your API Token on Appdome website.
2. Use the Team ID field to enter your Team ID API token, by following the instructions provided in section Getting a Team’s ID on Appdome website.
3. Use the Fusion-set-id field to enter the appropriate Fusion Set ID, by following the instructions provided in section Getting a Fusion Set’s ID on Appdome website.
4. Use the Platform field to select either iOS or Android, depending on the type of application you are building.
   If you want to learn more about file paths read the description below, otherwise, proceed to the next step.

File Paths
When working with files, you can set the files in any of the following methods:
– Provide the full path to the file, which should be located on the node machine.
– Use environment variables with the Environment Injector plugin or Configure the node machine settings in Jenkins.
– Set a remote URL link to a file either on the configuration page.

For instructions on how to set environment variables, see Appendix A: How to Set Environment Variables.

Warning
When using the configuration form, any input that has the same field as an environment variable (e.g. keystore’s path) will take precedence, i.e. it will override the environment variable. Therefore, to ensure proper use of the environment variable input, you must verify that these variables are unique and do not also appear in the configuration form.

• • Use the iOS/Android application field to choose any of the following options:
    •  Specify the full path to the application file on the node where it is running
    •  Set the environment variable name as APP_PATH. If an environment variable is defined, leave the <platform> application field (i.e.: Android application or iOS application) empty.
    •  Set a remote URL link to a file either on the configuration page or as an environment variable named APP_PATH.
      

      Note: The URL link should not contain any commas.

  •  Use the keystore file field to choose any of the following options:
    • Specify the full path to the keystore file on the node where it is running
    •  Set the environment variable name KEYSTORE_PATH. If an environment variable is defined, leave the keystore field empty.
    • You can set a remote URL link to a file either on the configuration page or as an environment variable named KEYSTORE_PATH.
      

      Note: The link should not contain any commas.

  • Use the Provisioning Profile field under iOS signing, choose any of the following options:
    •  Specify the full path to the provisioning profile file(s) on the node where it is running, can add as many files as needed, each file on a new textbox
    • You can set a remote URL link to a file either on the configuration page or as an environment variable name MOBILE_PROVISION_PROFILE_PATHS.  If an environment variable is defined, leave the Provisioning Profile field empty.
    • Set the environment variable name as MOBILE_PROVISION_PROFILE_PATHS, to insert multiple files in an environment variable, each file must be separated by ‘,’ without any spaces.
      For example: First_file.mobileprovision,second_file.mobileprovision,third_file.mobileprovision…
  • Use the Entitlements field under iOS signing, choose any of the following options:
    • Specify the full path to the entitlement file(s) on the node where it is running, can add as many files as needed, each file on a new textbox
    •  Set the environment variable name as ENTITLEMENTS_PATHS
    • You can set a remote URL link to a file either on the configuration page or as an environment variable named ENTITLEMENTS_PATHS. 
      To insert multiple files in an environment variable, each file must be separated by ‘,’ without any spaces.
      For example: First_file.plist,second_file.plist,third_file.plist…
  • Use the Sign Method field to choose the method by which you want to sign your application. The options available will depend on the platform you have.
    The available sign options are:
    • For Android:
      • Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
        How to Code Sign Secured Android Apps in DevSecOps Build System.
      • Private Signing – for further information, follow the instructions specified in the Knowledge Base article
        How To Privately Code Sign Sealed Android Apps using DevSecOps Build System.
      • Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article
        How to Automate Secure Android App Code Signing in DevOps CI/CD.
    • For iOS:
      • Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
        How to Use Code Sign on Mac for Secured iOS Apps.
      • Private Signing – for further information, follow the instructions specified in the Knowledge Base article
        How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System.
      • Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article
        How to Automate Secure iOS App Code Signing in DevOps CI/CD.
  • Use the Output Location field to enter a new value or leave the default value WORKSPACE/output/appdome_name_of_original_app.aab/.apk/.ipa.
    If you would like to save the output of the built and secured application in a different location, specify a full path of the application example: <your_path/name_of_original_app’.aab/.apk/.ipa>.
    The certified secure document will also be saved to this location.

After filling in all the required parameters, you can save the configuration and begin building your application and securing it with the Appdome Build-2Secure for Jenkins. Skip to Step 5 to do that.

Appdome Build-2Secure Plugin in Jenkins (Pipeline Project)

Step 2: Creating the Build-2Secure plugin in Jenkins

For instructions on how to set environment variables, see Appendix A: How to Set Environment Variables.

• • To use the appPath field
    • Replace ‘<FULL_PATH_OR_URL_TO_APP_FILE>’ with the full path on the node machine.
    • Specify a full path to the file as an environment variable name APP_PATH. If using the environment variable, leave appPath empty.
    • Replace ‘<FULL_PATH_OR_URL_TO_APP_FILE>’ with a remote URL link to a file either on the pipeline page or as an environment variable named APP_PATH.  If using the environment variable, leave appPath empty.
      

      Note: The URL link must not contain any commas.

  • To use the keystorePath field under auto signing for iOS and Android.
    You can choose one of the following options:
    • Replace ‘<FULL_PATH_OR_URL_TO_KEYSTORE_FILE>’ with the full path to the keystore file on the node where it is running.
    • Specify a full path to the file as environment variable name KEYSTORE_PATH. If using the environment variable, leave keystorePath empty.
    • Replace ‘<FULL_PATH_OR_URL_TO_KEYSTORE_FILE>’ with a remote URL link to a file either in the pipeline page or as an environment variable named KEYSTORE_PATH.
      

      Note: The URL link should not contain any commas.

• • To use the provisioningProfiles field under iOS signing. If you insert multi files, each path to a file must be wrapped with “StringWarp” as shown in the template.
    You can select any of the following options:
    • Replace ‘<FULL_PATH _OR_URL_TO_MobileProvision_FILE>’ with the full path to provisioning profile file(s) on the node where it is running, you can add as many files as needed, each path to a file must be wrapped with “StringWarp” as shown in the template.
    • Replace ‘<FULL_PATH _OR_URL_TO_MobileProvision_FILE>’ with a remote URL link to a file either on the pipeline page or as an environment variable named MOBILE_PROVISION_PROFILE_PATHS. If using the environment variable, leave provisioningProfiles empty.
      

      Note: The URL link should not contain any commas.

    • Specify a full path to the file as environment variable name MOBILE_PROVISION_PROFILE_PATHS. If using the environment variable, leave provisioningProfiles empty.
      To insert multiple files as an environment variable, each file must be separated by ‘,’ without any spaces.
      For example:
      First_file.mobileprovision,second_file.mobileprovision,third_file.mobileprovision
      or:
      https://url_to_download/first_file.mobileprovision, https://url_to_download/second_file.mobileprovision,https://url_to_download/third_file.mobileprovision

      Note: You can combine URL links with the complete path to local files stored on the node machine.

• • To use the entitlements field under iOS signing
    If you insert multi files, each path to a file must be wrapped with “StringWarp” as shown in the template.
    You can select any of the following options:
    • Replace ‘<FULL_PATH _OR_URL_TO_entitlements_FILE#i>’ with the full path to entitlement file(s) on the node where it is running, you can add as many files as needed, each path to a file must be wrapped with “StringWarp” as shown in the template.
    • Replace ‘<FULL_PATH _OR_URL_TO_entitlements_FILE#i>’ with a remote URL link to a file either on the pipeline page or as an environment variable named ENTITLEMENT_PATHS.  If using the environment variable, leave entitlements empty.
      

      Note: The URL link should not contain any commas

    • Specify a full path to the file as environment variable name ENTITLEMENT_PATHS as explained above. If using the environment variable, leave entitlements empty.
      To insert multiple files as an environment variable, each file must be separated by ‘,’ without any spaces.
      For example:
      First_file.plist,second_file.plist,third_file.plist
      or:
      https://url_to_download/first_file.plist, https://url_to_download/second_file.plist,https://url_to_download/third_file.plist

      Note: You can combine URL links with the complete path to local files stored on the node machine.

  • To use the outputLocation field
    If you leave outputLocation empty, the default value is set to ‘WORKSPACE/output/appdome_name_of_original_app.aab/.apk/.ipa’. If you would like to save the output of the build and secured application in a different location, replace ‘<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>’ with the full path of the application example: <your_path/name_of_original_app’.aab/.apk/.ipa>.
    The certified secure document will also be saved to this location.

Step 4: Select the method by which you want to sign your iOS or Android application.

• • • For Android:
      Auto Signing – for further information, follow the instructions specified in the Knowledge Base article How to Code Sign Secured Android Apps in DevSecOps Build System.

  stage('Appdome Builder') {
      steps {
          AppdomeBuilder (
              outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
              platform: AndroidPlatform(
                  appPath: '<FULL_PATH_OR_URL_TO_APP_FILE>',
                  certificateMethod: Android_AutoSign(
                      keyPass: hudson.util.Secret.fromString('<YOUR_KEYSTORE_KEY_PASS>'),
                      keystoreAlias: hudson.util.Secret.fromString('<YOUR_KEYSTORE_ALIAS>'),
                      keystorePassword: hudson.util.Secret.fromString('<YOUR_KEYSTORE_PASSWORD>'),
                      keystorePath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_KEYSTORE_FILE>'
                  ),
                  fusionSetId: '<YOUR_FUSIONSET_ID>'
              ),
              teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
              token: hudson.util.Secret.fromString('<YOUR_TOKEN>')
          )
      }
  }

• Private Signing – for further information, follow the instructions specified in the Knowledge Base article How To Privately Code Sign Sealed Android Apps using DevSecOps Build System.
  

  stage('Appdome Builder') {
    steps {
      AppdomeBuilder(
   	outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
   	platform: AndroidPlatform(
    		appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>',
    		certificateMethod: Android_PrivateSign(
      			fingerprint: '<Your_SHA1_Fingerprint>',
                          googleSigning: true/false
    			),
    			fusionSetId: '<YOUR_FUSIONSET_ID>'
    		),
   		teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
   		token: hudson.util.Secret.fromString('<YOUR_TOKEN>'))
     }
  }

• Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article How to Automate Secure Android App Code Signing in DevOps CI/CD.

    stage('Appdome Builder') {
      steps {
        AppdomeBuilder (
   	outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
   	platform: AndroidPlatform(
    		appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>',
    		certificateMethod: Android_AutoDevSign(
      			fingerprint: '<Your_SHA1_Fingerprint>',
      			googleSigning: true/false
    			),
    			fusionSetId: '<YOUR_FUSIONSET_ID>'
    		),
   		teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
   		token: hudson.util.Secret.fromString('<YOUR_TOKEN>'))
  
   	}
  }
  

  
  For iOS:
  Auto Signing – for further information, follow the instructions specified in the Knowledge Base article How to Use Code Sign on Mac for Secured iOS Apps 

  stage('Appdome Builder') {
      steps {
   	AppdomeBuilder(
   		outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
   		platform: IosPlatform(
    		appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>',
    			certificateMethod: iOS_AutoSign(
      				entitlements: [
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#1>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#2>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#N>')
      ],
      			keystorePassword: hudson.util.Secret.fromString('<YOUR_KEYSTORE_PASSWORD>'),
      			keystorePath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_KEYSTORE_FILE>',
      			provisioningProfiles: [
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>')
      ]
    			),
    			fusionSetId: '<YOUR_FUSIONSET_ID>'
    		),
   		teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
   		token: hudson.util.Secret.fromString('<YOUR_TOKEN>'))
  	}
  }

  Private Signing – for further information, follow the instructions specified in the Knowledge Base article How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System.
  

  stage('Appdome Builder') {
    steps {
    	AppdomeBuilder (
    		outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
   		platform: IosPlatform (
    		appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>',
    		certificateMethod: iOS_PrivateSign ([
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>')
                   ]),
    		fusionSetId: '<YOUR_FUSIONSET_ID>'
    		),
    	teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
   	token: hudson.util.Secret.fromString('<YOUR_TOKEN>'))
  
   	}
  }
  

  
  Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article How to Automate Secure iOS App Code Signing in DevOps CI/CD.

  stage('Appdome Builder') {
    	steps {
    		AppdomeBuilder (
   			outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>',
   			platform: IosPlatform(
    			appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>',
    				certificateMethod: iOS_AutoDevSign(
      				entitlements: [     
         StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#1>'),
         StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#2>'),
         StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#N>'),
     			 ],
      				provisioningProfiles: [
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'),
        StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>')
      			]
    				),
    				fusionSetId: '<YOUR_FUSIONSET_ID>'
    			),
                         teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>',
                         token: hudson.util.Secret.fromString('<YOUR_TOKEN>'))  
                   
          }
  }
  

Note:When using pipelines, your initial build attempt might fail because of the use of the fromString function. If this happens, navigate to the failed build and select Console Output. You will see the following message:

Scripts are not allowed to use “staticMethod hudson.util.Secret fromString java.lang.String”. Administrators can choose to approve or reject this signature.
Clicking the hyperlink takes you to a new page where you can approve the script. Ensure that you approve the script, by clicking the Approve button shown on the left in the image below, in order to successfully proceed with your pipeline build.

Step 5: Build Android & iOS security with the Build-2Secure plugin

After setting up the Build-2Secure plugin for Jenkins, you can initiate the build process in Jenkins. Once the build is complete, you can access its output by navigating to the “workspace“.

Step 7: Confirming Cyber Build and Sign on Appdome

In Jenkins, you can monitor the build process and results by checking the following sections:

• • Build History
    Displays the status and result of each build.
  • Console Output
    Provides detailed information about the build process and any errors or warnings that may have occurred.

You can also use Appdome’s platform to monitor the status of your builds and see a complete history of all your builds.

Appendix A: Jenkins environment Set Up for Build-2Secure

To set environment variables:

1. 1. Go to Manage Jenkins.
      
   2. Go to Manage Nodes and Clouds.
      
   3. Select the agent on which you want to build.
      
   4. Click Configure.
      
   5. Scroll down to Node Properties and select the Environment variables check box if it has not already been selected.
      
   6. Add as many environment variables as required and save.
      

Need Additional Help?

The description above is designed to help you secure Android & iOS apps in Jenkins CI/CD pipelines. If you have questions about using this Build-2Secure plugin, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Related Articles

• How to Automate Secure iOS App Code Signing in DevOps CI/CD

• How to Automate Secure Android App Code Signing in DevOps CI/CD

• Using Certified Secure™ Android & iOS Apps Build Certification in DevOps CI/CD

• How to Secure Android & iOS Apps in GitLab CI/CD Pipelines

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.