How to Secure Android & iOS Apps in Jenkins CI/CD pipelines
Prerequisites to Appdome’s plugin for Jenkins
Beofre you use Appdome’s plugin for jenkins, there are a few things you need to have:
- An Appdome SRM account
- Jenkins CI/CD server
- CURL installed on your Node.
- Environment Injector plugin (*Optional)
Step 1: Installing the Build-2Secure plugin in Jenkins
To install the Appdome Build-2Secure plugin:
- Go to the Jenkins homepage.
- Select Manage Jenkins on the left menu.
- Select the Manage Plugins command.
- Add the Appdome Build-2Secure plugin to Jenkins through Jenkins Plugin Index as follows:
- Select the Available tab.
- Search for Appdome Build-2Secure.
-
Select the Appdome build-2Secure and click Download now and install after restart.
- Restart your Jenkins server.
- To confirm the successful installation of the plugin, navigate to Manage Jenkins > Installed plugins and then search for Appdome Build-2Secure.
The Appdome Build-2Secure plugin is versatile and can be used in both freestyle projects and pipelines. To utilize the plugin in a freestyle project, it is necessary to add the plugin as a build step, which will be explained in the following section. Alternatively, if you opt to use a pipeline, we have also included instructions on how to incorporate the plugin into the appropriate stage of your pipeline script later in the guide.
Appdome Build-2Secure Plugin in Jenkins (Freestyle Project)
Step 2: Creating the Build-2Secure plugin in Jenkins
This step provides instructions for adding the Appdome Build-2Secure Plugin in both of the following methods:
-
- Adding the Appdome plugin to a new project
- Adding the Appdome plugin to an existing project
Adding the Appdome Plugin to a New Project
To add the Appdome plugin to a new project:
- From the Jenkins menu, click New Item.
- Assign a name to your project and select the Freestyle Project type, then click OK.
- Use the next page to select the Build Steps command.
- Expand the list Add build step and select Appdome Build-2Secure.
- Proceed to set the Appdome build-2Secure plugin configuration, as described in the next step.
- Assign a name to your project and select the Freestyle Project type, then click OK.
Adding the Appdome Plugin to an Existing Project
To add the Appdome plugin to an existing project:
-
- Select the project to which you want to add the plugin to.
- Go to Configure from the Jenkins menu.
- Open the Add build step menu and then select Appdome Build-2Secure.
Appdome build-2Secure UI shows up, allowing you to enter your configuration. - Proceed to set the Appdome build-2Secure plugin configuration, as described in the next step.
Step 3: Configure Appdome build-2Secure Plugin Configuration
After you select Appdome Build-2Secure as a build step, the screen shown below is displayed.
- Use the Token field to enter your Appdome Build2Secure API token, by following the instructions provided in section Getting and resetting your API Token on Appdome website.
- Use the Team ID field to enter your Team ID API token, by following the instructions provided in section Getting a Team’s ID on Appdome website.
- Use the Fusion-set-id field to enter the appropriate Fusion Set ID, by following the instructions provided in section Getting a Fusion Set’s ID on Appdome website.
- Use the Platform field to select either iOS or Android, depending on the type of application you are building.
If you want to learn more about file paths read the description below, otherwise, proceed to the next step.
File Paths
When working with files, you can set the files in any of the following methods:
– Provide the full path to the file, which should be located on the node machine.
– Use environment variables with the Environment Injector plugin or Configure the node machine settings in Jenkins.
– Set a remote URL link to a file either on the configuration page or as an environment variable.
For instructions on how to set environment variables, see Appendix A: How to Set Environment Variables.
Warning
When using the configuration form, any input that has the same field as an environment variable (e.g. keystore’s path) will take precedence, i.e. it will override the environment variable. Therefore, to ensure proper use of the environment variable input, you must verify that these variables are unique and do not also appear in the configuration form.
-
- Use the iOS/Android application field to choose any of the following options:
- Specify the full path to the application file on the node where it is running
- Set the environment variable name as APP_PATH. If an environment variable is defined, leave the <platform> application field (i.e.: Android application or iOS application) empty.
- Set a remote URL link to a file either on the configuration page or as an environment variable named APP_PATH.
Note: The URL link should not contain any commas.
- Use the keystore file field to choose any of the following options:
- Specify the full path to the keystore file on the node where it is running
- Set the environment variable name KEYSTORE_PATH. If an environment variable is defined, leave the keystore field empty.
- You can set a remote URL link to a file either on the configuration page or as an environment variable named KEYSTORE_PATH.
Note: The link should not contain any commas.
- Use the Provisioning Profile field under iOS signing, choose any of the following options:
- Specify the full path to the provisioning profile file(s) on the node where it is running, can add as many files as needed, each file on a new textbox
- You can set a remote URL link to a file either on the configuration page or as an environment variable name MOBILE_PROVISION_PROFILE_PATHS. If an environment variable is defined, leave the Provisioning Profile field empty.
- Set the environment variable name as MOBILE_PROVISION_PROFILE_PATHS, to insert multiple files in an environment variable, each file must be separated by ‘,’ without any spaces.
For example: First_file.mobileprovision, second_file.mobileprovision, third_file.mobileprovision…
- Use the Entitlements field under iOS signing, choose any of the following options:
- Specify the full path to the entitlement file(s) on the node where it is running, can add as many files as needed, each file on a new textbox
- Set the environment variable name as ENTITLEMENTS_PATHS
- You can set a remote URL link to a file either on the configuration page or as an environment variable named ENTITLEMENTS_PATHS.
To insert multiple files in an environment variable, each file must be separated by ‘,’ without any spaces.
For example: First_file.plist,second_file.plist,third_file.plist…
- Use the Sign Method field to choose the method by which you want to sign your application. The options available will depend on the platform you have.
The available sign options are:- For Android:
- Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
How to Code Sign Secured Android Apps in DevSecOps Build System. - Private Signing – for further information, follow the instructions specified in the Knowledge Base article
How To Privately Code Sign Sealed Android Apps using DevSecOps Build System. - Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article
How to Automate Secure Android App Code Signing in DevOps CI/CD.
- Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
- For iOS:
- Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
How to Use Code Sign on Mac for Secured iOS Apps. - Private Signing – for further information, follow the instructions specified in the Knowledge Base article
How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System. - Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article
How to Automate Secure iOS App Code Signing in DevOps CI/CD.
- Sign on Appdome – for further information, follow the instructions specified in the Knowledge Base article
- For Android:
- Use the Output Location field to enter a new value or leave the default value:
WORKSPACE/output/appdome_orig_app_name.aab/.apk/.ipa
If you would like to save the output of the built and secured application in a different location, specify a full path of the application example: <your_path/name_of_original_app’.aab/.apk/.ipa>.
The certified secure document will also be saved to this location. - Build with logs: Mark checkbox if you’d like to build your app with diagnostic logs.
- Build to Test: Allows automated testing of Appdome Secured Apps in standard DevOps testing suites.
Do not use this service for individual device testing.
Specify the supported Testing Service.
Note: for iOS – only Saucelabs is supported. - Second Output (.aab apps only): Mark checkbox if you’d like to sign second output. Set a path for the second .apk file to be downloaded.
Specify a full path for the application, for example: <your_path/second_output>.apk
Note: this option is relevant only for apps signed with Appdome Auto Sign or Private Sign. Not applicable for Auto-Dev Private Signed apps.
- Use the iOS/Android application field to choose any of the following options:
After filling in all the required parameters, you can save the configuration and begin building your application and securing it with the Appdome Build-2Secure for Jenkins. Skip to Step 5 to do that.
Appdome Build-2Secure Plugin in Jenkins (Pipeline Project)
Step 2: Creating the Build-2Secure plugin in Jenkins
This step provides instructions for adding the Appdome Build-2Secure Plugin in both of the following methods:
- Adding the Appdome plugin to a new project
- Adding the Appdome plugin to an existing project
Adding the Appdome Plugin to a New Project
To add the Appdome plugin to a new project:
- From the Jenkins menu, click New Item.
- Assign a name to your project and select the Pipeline type, then click OK.
- Use the next page to select the Pipeline command.
- Write your pipeline steps as required.
- Proceed to setting the Appdome build-2Secure plugin configuration, as described in the next step.
Adding the Appdome Plugin to an Existing Project
To add the Appdome plugin to an existing project:
-
- Select the project to which you want to add the plugin.
- Go to Configure from the Jenkins menu:
- Use the next page to select the Pipeline:
- Write your pipeline steps as required.
- Proceed to setting the Appdome build-2Secure plugin configuration, as described in the next step.
Step 3: Configuring Build-2Secure Plugin on Appdome
To use the Appdome build-2Secure plugin, add one of the next pipeline templates:
Inputs explanation:
Replace all placeholders, which are located within brackets (for example, ‘<YOUR_TOKEN>’) with the right value in accordance with the relevant template:
-
- To use the token field, replace ‘<YOUR_TOKEN>’ with your Appdome Build2Secure API token. You can obtain this token by following the instructions provided in the API guide.
- To use the teamId field (optional), replace ‘<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>’ with your team ID or leave it empty for personal workspace. You can obtain this key by following the instructions provided in the API guide.
- To use the fusionSetId field, replace ‘<YOUR_FUSIONSET_ID>’ with the appropriate fusion-set-id for your iOS or Android application. For details, see the section Getting a Fusion Set’s ID in the API guide. If you want to learn more about file paths read the description below, otherwise, proceed to the next step.
File Paths
When working with files, you can set the files in any of the following methods:
– Provide the full path to the file, which should be located on the node machine.
– Use environment variables with the Environment Injector plugin or Configure the node machine settings in Jenkins.
– Set a remote URL link to a file either on the configuration page or as an environment variable.
For instructions on how to set environment variables, see Appendix A: How to Set Environment Variables.
-
- To use the appPath field
- Replace ‘<FULL_PATH_OR_URL_TO_APP_FILE>’ with the full path on the node machine.
- Specify a full path to the file as an environment variable name APP_PATH. If using the environment variable, leave appPath empty.
- Replace ‘<FULL_PATH_OR_URL_TO_APP_FILE>’ with a remote URL link to a file either on the pipeline page or as an environment variable named APP_PATH. If using the environment variable, leave appPath empty.
Note: The URL link must not contain any commas.
- To use the keystorePath field under auto signing for iOS and Android.
You can choose one of the following options:- Replace ‘<FULL_PATH_OR_URL_TO_KEYSTORE_FILE>’ with the full path to the keystore file on the node where it is running.
- Specify a full path to the file as environment variable name KEYSTORE_PATH. If using the environment variable, leave keystorePath empty.
- Replace ‘<FULL_PATH_OR_URL_TO_KEYSTORE_FILE>’ with a remote URL link to a file either in the pipeline page or as an environment variable named KEYSTORE_PATH.
Note: The URL link should not contain any commas.
- To use the appPath field
-
- To use the provisioningProfiles field under iOS signing. If you insert multi files, each path to a file must be wrapped with “StringWarp” as shown in the template.
You can select any of the following options:- Replace ‘<FULL_PATH _OR_URL_TO_MobileProvision_FILE>’ with the full path to provisioning profile file(s) on the node where it is running, you can add as many files as needed, each path to a file must be wrapped with “StringWarp” as shown in the template.
- Replace ‘<FULL_PATH _OR_URL_TO_MobileProvision_FILE>’ with a remote URL link to a file either on the pipeline page or as an environment variable named MOBILE_PROVISION_PROFILE_PATHS. If using the environment variable, leave provisioningProfiles empty.
Note: The URL link should not contain any commas. - Specify a full path to the file as environment variable name MOBILE_PROVISION_PROFILE_PATHS. If using the environment variable, leave provisioningProfiles empty.
To insert multiple files as an environment variable, each file must be separated by ‘,’ without any spaces.
For example:
First_file.mobileprovision, second_file.mobileprovision, third_file.mobileprovision
or:
https://url_to_download/first_file.mobileprovision, https://url_to_download/second_file.mobileprovision, https://url_to_download/third_file.mobileprovisionNote: You can combine URL links with the complete path to local files stored on the node machine.
- To use the provisioningProfiles field under iOS signing. If you insert multi files, each path to a file must be wrapped with “StringWarp” as shown in the template.
-
- To use the entitlements field under iOS signing
If you insert multi files, each path to a file must be wrapped with “StringWarp” as shown in the template.
You can select any of the following options:- Replace ‘<FULL_PATH _OR_URL_TO_entitlements_FILE#i>’ with the full path to entitlement file(s) on the node where it is running, you can add as many files as needed, each path to a file must be wrapped with “StringWarp” as shown in the template.
- Replace ‘<FULL_PATH _OR_URL_TO_entitlements_FILE#i>’ with a remote URL link to a file either on the pipeline page or as an environment variable named ENTITLEMENT_PATHS. If using the environment variable, leave entitlements empty.
Note: The URL link should not contain any commas - Specify a full path to the file as environment variable name ENTITLEMENT_PATHS as explained above. If using the environment variable, leave entitlements empty.
To insert multiple files as an environment variable, each file must be separated by ‘,’ without any spaces.
For example:
First_file.plist,second_file.plist,third_file.plist
or:
https://url_to_download/first_file.plist, https://url_to_download/second_file.plist, https://url_to_download/third_file.plistNote: You can combine URL links with the complete path to local files stored on the node machine.
- To use the outputLocation field
If you leave outputLocation empty, the default value is set to:
‘WORKSPACE/output/appdome_orig_app_name.aab/.apk/.ipa’.
If you would like to save the output of the build and secured application in a different location, replace ‘<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>’ with the full path of the application example: <your_path/name_of_original_app’.aab/.apk/.ipa>.
The certified secure document will also be saved to this location.
- To use the entitlements field under iOS signing
Step 4: Select the method by which you want to sign your iOS or Android application.
-
-
- For Android:
Auto Signing – for further information, follow the instructions specified in the Knowledge Base article How to Code Sign Secured Android Apps in DevSecOps Build System.
- For Android:
stage('Appdome Builder') { steps { AppdomeBuilder ( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: AndroidPlatform( appPath: '<FULL_PATH_OR_URL_TO_APP_FILE>', certificateMethod: Android_AutoSign( keyPass: hudson.util.Secret.fromString('<YOUR_KEYSTORE_KEY_PASS>'), keystoreAlias: hudson.util.Secret.fromString('<YOUR_KEYSTORE_ALIAS>'), keystorePassword: hudson.util.Secret.fromString('<YOUR_KEYSTORE_PASSWORD>'), keystorePath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_KEYSTORE_FILE>' ), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>') ) } } -
- Private Signing – for further information, follow the instructions specified in the Knowledge Base article How To Privately Code Sign Sealed Android Apps using DevSecOps Build System.
stage('Appdome Builder') { steps { AppdomeBuilder( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: AndroidPlatform( appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>', certificateMethod: Android_PrivateSign( fingerprint: '<Your_SHA1_Fingerprint>', googleSigning: true/false ), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>')) } } - Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article How to Automate Secure Android App Code Signing in DevOps CI/CD.
stage('Appdome Builder') { steps { AppdomeBuilder ( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: AndroidPlatform( appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>', certificateMethod: Android_AutoDevSign( fingerprint: '<Your_SHA1_Fingerprint>', googleSigning: true/false ), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>')) } }
For iOS:
Auto Signing – for further information, follow the instructions specified in the Knowledge Base article How to Use Code Sign on Mac for Secured iOS Appsstage('Appdome Builder') { steps { AppdomeBuilder( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: IosPlatform( appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>', certificateMethod: iOS_AutoSign( entitlements: [ StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#1>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#2>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#N>') ], keystorePassword: hudson.util.Secret.fromString('<YOUR_KEYSTORE_PASSWORD>'), keystorePath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_KEYSTORE_FILE>', provisioningProfiles: [ StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>') ] ), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>')) } }Private Signing – for further information, follow the instructions specified in the Knowledge Base article How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System.
stage('Appdome Builder') { steps { AppdomeBuilder ( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: IosPlatform ( appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>', certificateMethod: iOS_PrivateSign ([ StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>') ]), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>')) } }
Auto-DEV Signing – for further information, follow the instructions specified in the Knowledge Base article How to Automate Secure iOS App Code Signing in DevOps CI/CD.stage('Appdome Builder') { steps { AppdomeBuilder ( outputLocation: '<FULL_PATH_TO_OUTPUT_APP_OR_EMPTY_FOR_DEFAULT>', platform: IosPlatform( appPath: '<FULL_PATH_OR_ENV_VAR_OR_URL_TO_APP_FILE>', certificateMethod: iOS_AutoDevSign( entitlements: [ StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#1>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#2>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_entitlements_FILE#N>'), ], provisioningProfiles: [ StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#1>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#2>'), StringWarp('<FULL_PATH_OR_ENV_VAR_OR_URL_TO_MobileProvision_FILE#N>') ] ), fusionSetId: '<YOUR_FUSIONSET_ID>' ), teamId: '<YOUR_TEAMID_OR_LEAVE_EMPTY_FOR_PERSONAL>', token: hudson.util.Secret.fromString('<YOUR_TOKEN>')) } }
Note
When using pipelines, your initial build attempt might fail because of the use of the fromString function. If this happens, navigate to the failed build and select Console Output. You will see the following message:
Scripts are not allowed to use “staticMethod hudson.util.Secret fromString java.lang.String”. Administrators can choose to approve or reject this signature.
Clicking the hyperlink takes you to a new page where you can approve the script. Ensure that you approve the script, by clicking the Approve button shown on the left in the image below, in order to successfully proceed with your pipeline build.
Step 5: Build Android & iOS security with the Build-2Secure plugin
After setting up the Build-2Secure plugin for Jenkins, you can initiate the build process in Jenkins. Once the build is complete, you can access its output by navigating to the “workspace“.
Step 6: Retrieve DevSecOps Certification with Build-2Secure
Each build produces a Certified Secure™ artifact used to clear your release and ensure DevSecOps compliance. This file will be located in the designated Output Location that you defined in the Build-2Secure plugin setup. Alternatively, if you left the location as default, you can just go to your job and click on Workspace to find the output folder that contains the Appdome secured application
Step 7: Confirming Cyber Build and Sign on Appdome
In Jenkins, you can monitor the build process and results by checking the following sections:
-
- Build History
Displays the status and result of each build. - Console Output
Provides detailed information about the build process and any errors or warnings that may have occurred.
- Build History
You can also use Appdome’s platform to monitor the status of your builds and see a complete history of all your builds.
Appendix A: Jenkins environment Set Up for Build-2Secure
To set environment variables:
-
- Go to Manage Jenkins.
- Go to Manage Nodes and Clouds.
- Select the agent on which you want to build.
- Click Configure.
- Scroll down to Node Properties and select the Environment variables check box if it has not already been selected.
-
Add as many environment variables as required and save.
- Go to Manage Jenkins.
Need Additional Help?
The description above is designed to help you secure Android & iOS apps in Jenkins CI/CD pipelines. If you have questions about using this Build-2Secure plugin, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Related Articles
-
How to Automate Secure Android App Code Signing in DevOps CI/CD
-
Using Certified Secure™ Android & iOS Apps Build Certification in DevOps CI/CD
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.
