How to Use Secure Android & iOS Apps in GitHub CI/CD
This Knowledge Base article provides instructions for using the Appdome Build-2Secure plugin for GitHub CI/CD pipelines. Appdome’s Build-2Secure plugin for GitHub is an out-of-the-box GitHub CI/CD integration, making it easy for mobile developers to automate the building, signing, and certification of security, anti-fraud, and other protections in Android & iOS apps in GitHub CI/CD pipelines. No code and no SDKs are required.
The purpose of Appdome’s Build-2Secure plugin for GitHub is to streamline and accelerate cyber and anti-fraud delivery in CI/CD pipelines.
To do this, the Build-2Secure plugin for GitHub automates three important steps in delivering more secure mobile applications to your users fast: (1) building app-level protections into mobile apps, (2) code signing the protected mobile app, and (3) certifying the security of each protected mobile app. The Appdome Build-2Secure plugin for GitHub can be used to deliver Certified Secure™ mobile app security, anti-fraud, anti-malware, mobile anti-bot, and other cyber defense updates to mobile apps on the Appdome Cyber Defense Automation Platform. Use this plugin for GitHub as a stand-alone DevSecOps integration or in combination with other DevSecOps integrations in your CI/CD pipeline.
For more general information on GitHub Actions, see GitHub Actions Documentation on the Github website.
Here are the step-by-step instructions on using the Appdome Build-2Secure plugin for GitHub. Enjoy!
Prerequisites
- An Appdome SRM account
- A GitHub Account.
If you do not have an existing account, you can create one on GitHub website. - On GitHub:
- A repository (created automatically when creating a GitHub account).
- .YML file, located on the path repository/.github/workflows/*.yml
Note:
If you do not yet have a workflow, refer to Appendix A: Creating a Workflow File.
How does Appdome Implement GitHub Actions?
Now you can easily secure and customize your mobile apps on GitHub using the Appdome GitHub Actions. No coding or technical expertise is required. Automate the process of adding security features such as encryption, biometric authentication, and more to your mobile apps. Additionally, sign your app with your own enterprise certificate for added flexibility and control. Get the flexibility and control you need to secure and customize your mobile apps with the Appdome GitHub action.
What are Actions?
Actions are reusable snippets of code that help automate repeated processes, speed up project setup, and make it easy to integrate with third-party tools.
What are Secrets?
Secrets are encrypted variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows.
Step 1: Building Your YML Workflow with Appdome Build-2Secure Action.
To build your YML:
- Go to your workflow *.yml file.
This file is composed of the following blocks:- on – Controls when the workflow will run.
- jobs – A workflow run is made up of one or more jobs that can run sequentially or in parallel.
- build: This workflow contains a single job called build.
- run-on: The type of runner that the job will run on, run-on info.
- steps: Represent a sequence of tasks that will be executed as part of the job.
- name – Name of the step.
- run – Run commands using the runner shell.
- build: This workflow contains a single job called build.
- Click on Edit file
. - Click on Search on the search bar at the left side for Appdome Build-2Secure and click on it.
- Add the Appdome’s action snipped code into the steps block on your YML file.
This snipped code contains all action inputs, some of which might be not relevant for your run.- Inputs – See Appendix B, Appdome Build-2Secure Inputs.
- Blocks for each run type:
- Sign on Appdome – see Appendix C: SIGN_ON_APPDOME –Android and iOS.
- Private Signing – see Appendix D: Private Signing – ANDROID and iOS.
- Auto Dev Signing – see Appendix E: Auto Dev Signing – ANDROID and iOS
- Optionally, store all your sensitive variables on GitHub encrypted secrets for repository.
This measure, while optional, is highly recommended. For details see Github Documentation. - Define the variables of secrets as follows:
- Create a secret name SECRET_EXAMPLE.
- On the secret field, enter the value of SECRET_EXAMPLE.
Now it can be encrypted called as ${{ secrets.SECRET_EXAMPLE }}
- Optionally, store KEYSTORE_FILE as base64 value on secrets, by following these steps:
- Create a secret name KEYSTORE_BASE64 by entering the following command on Terminal:
base64 -i your_keystore.keystore -o keystore_base64.txt
- Copy the content of the text file to the secret field.
The text file can now be referred to as ${{ secrets.KEYSTORE_BASE64 }}; Similarly, you can repeat the above process for all file fields in the yml file. - After the workflow file is ready click on start commit, then commit new file.
- Repeat the above process for all file fields in the yml file.
- Create a secret name KEYSTORE_BASE64 by entering the following command on Terminal:
Step 2: Running Appdome Build-2Secure Action
To run Appdome Build-2Secure action:
- Go to the Actions tab.
- Select your workflow from the Actions list.
- Expand the Run workflow list and click Run workflow.
After the build is complete, you can download the secured app from the Artifacts tab.
Step 3: Access the Appdome-Secured app
After your Appdome step, you can find the Appdome secured app under the following name:
${{ env.APPDOME_SECURED_APP }}
Note that for the second output option described above, the additional universal apk file will be found under the following name:
${{ env.APPDOME_SECURED_APP_SECOND_OUTPUT }}
For example:
Summary
This guide provides instructions for using the Appdome action to secure and customize mobile apps on GitHub. Following the steps outlined above allows you to automate the process of adding security features to your mobile apps, as well as sign your app with your own enterprise certificate. Appdome action provides the flexibility and the control required to ensure that your mobile apps are secure and customized to meet your specific needs.
Appendix A: Creating a Workflow File
If the workflow file does not exist:
-
- On your repository, click the Actions tab.
- Click the New workflow button.
- Click on set up a workflow yourself”.
- Paste this workflow .yml template
# A simple .yml template locate on <repository/.github/workflows/appdoem_ci.yml> name: APPDOME_CI_EXAMPLE # Controls when the workflow will run on: # Triggers the workflow on push or pull request events but only for the "main" branch push: branches: [ "main" ] pull_request: branches: [ "main" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" build: # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v3 - name: Appdome build-2secure uses: Appdome/github_build-2secure@1.0 with: APP_FILE: "" FUSION_SET_ID: "" SIGN_OPTIONS: "" APPDOME_API_TOKEN: ""
Appendix B: Appdome Build-2Secure Inputs
# Appdome build-2secure inputs
steps:
- name: Appdome buid-2secure
uses: nirappdome/appdome_android_action@version
with:
# -Mandatory inputs-
APPDOME_API_TOKEN: # Appdome API KEY, ${{secrets.APPDOME_API_KEY}}
APP_FILE: # none_protected_application can be pass as path/on/repository
# OR https://download_link
FUSION_SET_ID: # Appdome Fusion Set_Id Android/iOS
SIGN_OPTIONS: # “SIGN_ON_APPDOME” OR “PRIVATE_SIGNING” OR “AUTO_DEV_SIGNING”
# -Mandatory inputs-#
# -Optional inputs, depends on: "SIGN_OPTIONS", Android/iOS #
KEYSTORE_FILE: # Sign keystore file, ${{secrets.KEYSTORE_BASE64}}
# OR path/on/repository path/on/repository ...
# OR https://download_link https://download_link ...
MOBILE_PROVISION_PROFILE_FILE: # iOS only, ${{secrets.PROVISION_PROFILE_BASE64}}
# OR path/on/repository
# OR https://download_link https://download_link ...
ENTITLEMENTS_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.ENTITLEMENTS_BASE64}}
# -Optional inputs, general.
SECOND_OUTPUT: true # Adding this will generate a universal .apk file, in addition to the secure .aab app file.
Note: not supported for Auto-Dev signed apps
BUILD_WITH_LOGS: true # Add to build your app with diagnostic logs.
BUILD _TO_TEST: "bitbar"|"browserstack"|"lambdatest"|"saucelabs"
specify your selected automated testing service to build the app in test-ready mode.
Note: in iOS, only saucelabs is supported.
OUTPUT_APP_NAME: output_file_name [no extension]-Optional. This will set the output
name for your secured app[will also affect the second output for universal apk's from .aab apps].
Appendix C: SIGN_ON_APPDOME –Android and iOS
Android
# Appdome build-2secure, "SIGN_ON_APPDOME" - Android
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set Android"
SIGN_OPTIONS: "SIGN_ON_APPDOME"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
KEYSTORE_FILE: ${{secrets.KEYSTORE_BASE64}}
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
KEYSTORE_ALIAS: ${{secrets.KEYSTORE_ALIAS}}
KEYSTORE_KEY_PASSWORD: ${{secrets.KEYSTORE_KEY_PASS}}
iOS
# Appdome build-2secure, "SIGN_ON_APPDOME" - iOS
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
SIGN_OPTIONS: "SIGN_ON_APPDOME"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
CERTIFICATE_FILE: ${{secrets.CERTIFICATE_BASE64}}
OR "path/on/repository"
CERTIFICATE_PASSWORD: ${{secrets.CERTIFICATE_PASSWORD}}
ENTITLEMENTS_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.ENTITLEMENTS_BASE64}}
MOBILE_PROVISION_PROFILE_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
Appendix D: Private Signing. ANDROID and iOS
Android
# Appdome build-2secure, "PRIVATE_SIGNING" - Android
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set Android"
SIGN_OPTIONS: "PRIVATE_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
SIGN_FINGERPRINT: ${{secrets.APPDOME_SIGN_FINGERPRINT}}
GOOGLE-PLAY-SIGNING: "true" -Optional
iOS
# Appdome build-2secure, "PRIVATE_SIGNING" - iOS
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
SIGN_OPTIONS: "PRIVATE_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
MOBILE_PROVISION_PROFILE_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
Appendix E: Auto Dev Signing – ANDROID and iOS
Android
# Appdome build-2secure, "AUTO_DEV_SIGNING" - Android
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set"
SIGN_OPTIONS: "AUTO_DEV_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
SIGN_FINGERPRINT: ${{secrets.APPDOME_SIGN_FINGERPRINT}}
GOOGLE-PLAY-SIGNING: "true" -Optional
iOS
# Appdome build-2secure, "AUTO_DEV_SIGNING" - iOS
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Appdome build-2secure
uses: Appdome/github_build-2secure@1.0
with:
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
sign_options: "AUTO_DEV_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
MOBILE_PROVISION_PROFILE_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
ENTITLEMENTS_FILE: "path/on/repository" "path/on/repository" ...
OR “https download link” “https download link” ....
OR ${{secrets.ENTITLEMENTS_BASE64}}
Related Articles:
- How to Secure Android & iOS Apps in Jenkins CI/CD pipelines
- How to Secure Android & iOS Apps in GitLab CI/CD Pipelines
- How to Secure Android &iOS Apps in Bitrise CI/CD Pipelines
How Do I Learn More?
The description above is designed to help you secure Android & IOS apps in GitHub CI/CD pipelines. If you have questions about using this Build-2Secure step for Bitrise. If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.
