How to Secure Android & iOS Apps in GitHub CI/CD Pipelines
This Knowledge Base article provides instructions on how to use the Appdome Build-2Secure plugin for GitHub CI/CD pipelines.
Appdome’s Build-2Secure plugin for GitHub is an out-of-the-box GitHub CI/CD integration, making it easy for mobile developers to automate the building, signing, and certification of security, anti-fraud, and other protections in Android & iOS apps in GitHub CI/CD pipelines.
Now, you can easily secure and customize your mobile apps on GitHub using the Appdome GitHub Actions. No coding or SDKs are required. You can automate the process of adding security features such as encryption, biometric authentication, and more to your mobile apps, as well as signing your app with your enterprise certificate for added flexibility and control.
What are Secrets?
Secrets are encrypted variables you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. For more information on how to use secrets in GitHub Actions, refer to the GitHub documentation “Using secrets in GitHub Actions”.
How does Appdome Implement GitHub Actions?
Appdome’s Build-2Secure plugin for GitHub aims to streamline and accelerate cyber and anti-fraud delivery in CI/CD pipelines.
To do this, the Build-2Secure plugin for GitHub automates three crucial steps in delivering more secure mobile applications to your users quickly:
For more general information on GitHub Actions, see GitHub Actions Documentation on the GitHub website.
Prerequisites
- An Appdome SRM account
- A GitHub account. If you do not have an existing account, you can create one on the GitHub website.
- On GitHub:
  - A repository (one is automatically created when setting up a GitHub account).
  - A .yml workflow file, located at repository/.github/workflows/*.yml
Step 1: Add the Appdome GitHub Action to Your Existing Workflow
- Edit your GitHub Actions workflow file located at repository/.github/workflows/<workflow_file>.yml. If you do not have a workflow, please see the GitHub Actions Quickstart to get set up.
- The Build-2Secure Action requires an already-built app to function.
- While editing the workflow file, open the Marketplace panel on the right and search for “Appdome”.
- The code snippet contains all action inputs, some of which may not be relevant for your run:
  - Inputs – see Appendix A: Appdome Build-2Secure Inputs.
  - Blocks for each run type:
    - Sign on Appdome – see Appendix B: SIGN_ON_APPDOME – Android and iOS.
    - Private Signing – see Appendix C: Private Signing – Android and iOS.
    - Auto Dev Signing – see Appendix D: Auto Dev Signing – Android and iOS.
- Optionally, store all your sensitive variables as GitHub encrypted secrets for the repository. This measure, while optional, is highly recommended. For details, see the GitHub documentation.
- Define the secret variables as follows:
  - Create a secret named SECRET_EXAMPLE.
  - In the secret field, enter the value of SECRET_EXAMPLE.
  The encrypted secret can now be referenced as ${{ secrets.SECRET_EXAMPLE }}.
- Optionally, store KEYSTORE_FILE as a base64 value in secrets, by following these steps:
  - Create a secret named KEYSTORE_BASE64. Generate its value by entering the following command in Terminal:
    base64 -i your_keystore.keystore -o keystore_base64.txt
  - Copy the content of the text file to the secret field.
  The file can now be referenced as ${{ secrets.KEYSTORE_BASE64 }}.
- Repeat the above process for all file fields in the yml file.
- After the workflow file is ready, click Start commit, then Commit new file.
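The following complete workflow ties the steps above together for an Android app signed on Appdome. It is an added example written for this article, not a sample from the original page or from Appdome; the action reference is a placeholder to be replaced with the one found by the Marketplace search, and the build command, the APP_FILE path, the fusion set placeholder and the explicit upload-artifact step are assumptions about a typical Gradle project. The input names and the ${{ env.APPDOME_SECURED_APP }} / ${{ env.APPDOME_SECURED_APP_SECOND_OUTPUT }} output names are the ones documented in this article.

```yaml
# .github/workflows/appdome-secure.yml  (example workflow, not Appdome's own)
name: Appdome Build-2Secure (Android, sign on Appdome)

on:
  workflow_dispatch:        # started by hand from the Actions tab, as in Step 2

permissions:
  contents: read            # least privilege: the job only needs to read the repository

jobs:
  secure-android:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The Build-2Secure action needs an already-built app.
      # Assumption: a Gradle project whose release bundle lands at the
      # APP_FILE path used below. Replace with your own build command.
      - name: Build the unprotected app
        run: ./gradlew bundleRelease

      - name: Secure and sign the app on Appdome
        # Placeholder: use the action reference returned by searching
        # "Appdome" in the Marketplace panel, pinned to a release tag or commit SHA.
        uses: <appdome-build-2secure-action>@<version>
        with:
          # Every sensitive value is read from encrypted repository secrets,
          # so it is masked in the job log and never committed to the repository.
          APPDOME_API_TOKEN: ${{ secrets.APPDOME_API_KEY }}
          APP_FILE: app/build/outputs/bundle/release/app-release.aab   # assumed build output path
          FUSION_SET_ID: <your_android_fusion_set_id>                  # placeholder from the Appdome console
          SIGN_OPTIONS: SIGN_ON_APPDOME
          KEYSTORE_FILE: ${{ secrets.KEYSTORE_BASE64 }}                # base64 of the keystore, per Step 1
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
          KEYSTORE_ALIAS: ${{ secrets.KEYSTORE_ALIAS }}
          KEYSTORE_KEY_PASSWORD: ${{ secrets.KEYSTORE_KEY_PASS }}
          SECOND_OUTPUT: true                                          # also emit a universal .apk
          OUTPUT_APP_NAME: my_app_secured                              # constructed name, no extension

      # Assumption: an explicit upload step makes both outputs appear under
      # the run's Artifacts tab, in addition to the archive the plugin exports itself.
      - name: Upload the secured app
        uses: actions/upload-artifact@v4
        with:
          name: secured-app
          path: |
            ${{ env.APPDOME_SECURED_APP }}
            ${{ env.APPDOME_SECURED_APP_SECOND_OUTPUT }}
```

For a private-signing or auto-dev-signing run, swap the SIGN_OPTIONS value and the keystore inputs for the block in Appendix C or D; the rest of the workflow stays the same. Pinning the action to a tag or SHA and keeping the permissions block at read-only limits what a compromised or updated action could do with the job's token.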
Step 2: Running Appdome Build-2Secure Action
To run the Appdome Build-2Secure action:
- Go to the Actions tab.
- Select your workflow from the Actions list.
- Expand the Run workflow list and click Run workflow.
- After the build is complete, you can download the secured app from the Artifacts tab.
Step 3: Access the Appdome-Secured app
After completing step 2, you can find the Appdome secured app under the following name:
${{ env.APPDOME_SECURED_APP }}
Note: The additional universal apk file for the second output option described above can be found under the following name:
${{ env.APPDOME_SECURED_APP_SECOND_OUTPUT }}
The plugin also exports an artifact with all of Appdome’s output files. The name of the artifact is determined by the job name and run number.
${{ github.job }}_${{ github.run_number }}_Appdome_Outputs
Every time you run the workflow, the artifact gets a unique name tied to the run number, which counts how many times the job has run. For a job named “My_Job” on its third run, the artifact is called “My_Job_3_Appdome_Outputs”.
In the following example, the job name is “a” and the job has run 317 times.
Summary
This guide provides instructions for using the Appdome action to secure and customize mobile apps on GitHub. Following the steps outlined above allows you to automate the process of adding security features to your mobile apps, as well as sign your app with your own enterprise certificate. Appdome action provides the flexibility and the control required to ensure that your mobile apps are secure and customized to meet your specific needs.
Appendix A: Appdome Build-2Secure Inputs
# -Mandatory inputs-
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}} # Appdome API key
APP_FILE: # non-protected application, passed as path/on/repository
          # OR https://download_link
FUSION_SET_ID: # Appdome Fusion Set ID, Android/iOS
SIGN_OPTIONS: # "SIGN_ON_APPDOME" OR "PRIVATE_SIGNING" OR "AUTO_DEV_SIGNING"
# -End of mandatory inputs-
TEAM_ID: <Your_appdome_team_id> # Optional
# -Optional inputs, depending on SIGN_OPTIONS and Android/iOS-
KEYSTORE_FILE: ${{secrets.KEYSTORE_BASE64}} # Signing keystore file
          # OR path/on/repository
          # OR https://download_link
MOBILE_PROVISION_PROFILE_FILE: ${{secrets.PROVISION_PROFILE_BASE64}}
          # OR <path/on/repository>,<path/on/repository>
          # OR <https://download_link>,<https://download_link>
ENTITLEMENTS_FILE: ${{secrets.ENTITLEMENTS_BASE64}}
          # OR <path/on/repository>,<path/on/repository>
          # OR <https://download_link>,<https://download_link>
# -Optional inputs, general-
SECOND_OUTPUT: true # Also generates a universal .apk file, in addition to the secured .aab file.
                    # Note: not supported for Auto-Dev signed apps
BUILD_WITH_LOGS: true # Builds your app with diagnostic logs.
BUILD_TO_TEST: "bitbar" | "browserstack" | "lambdatest" | "saucelabs"
                    # The automated testing service for which the app is built in test-ready mode.
                    # Note: on iOS, only saucelabs is supported.
OUTPUT_APP_NAME: output_file_name # Optional, no extension. Sets the output name of your secured app
                    # (also affects the second output, the universal .apk built from .aab apps).
Appendix B: SIGN_ON_APPDOME – Android and iOS
Android
For additional information, please refer to the article: Automatic Code Signing for Secured Android Apps on Appdome
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set Android"
SIGN_OPTIONS: "SIGN_ON_APPDOME"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
KEYSTORE_FILE: ${{secrets.KEYSTORE_BASE64}}
KEYSTORE_PASSWORD: ${{secrets.KEYSTORE_PASSWORD}}
KEYSTORE_ALIAS: ${{secrets.KEYSTORE_ALIAS}}
KEYSTORE_KEY_PASSWORD: ${{secrets.KEYSTORE_KEY_PASS}}
iOS
For additional information, please refer to the article: How Appdome Enables Signing Secured iOS Apps without Xcode
Note: When adding multiple entitlements or provisioning profiles, make sure to write them in a single string, with a comma separating them.
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
SIGN_OPTIONS: "SIGN_ON_APPDOME"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
CERTIFICATE_FILE: ${{secrets.CERTIFICATE_BASE64}}
OR "path/on/repository"
CERTIFICATE_PASSWORD: ${{secrets.CERTIFICATE_PASSWORD}}
ENTITLEMENTS_FILE: "<path/on/repository>,<path/on/repository>" ...
OR “<https_download_link>,<https_download_link>” ....
OR ${{secrets.ENTITLEMENTS_BASE64}}
MOBILE_PROVISION_PROFILE_FILE: "<path/on/repository>,<path/on/repository>" ...
OR "<https_download_link>,<https download link>" ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
Appendix C: Private Signing – Android and iOS
Android
For additional information, please refer to the article: How to Sign Secured Android Apps Using apksigner
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set Android"
SIGN_OPTIONS: "PRIVATE_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
SIGN_FINGERPRINT: ${{secrets.APPDOME_SIGN_FINGERPRINT}}
GOOGLE_PLAY_SIGNING: "true" -Optional
iOS
For additional information, please refer to the article: How to Sign Secured iOS Apps Using Codesign
Note: When adding multiple entitlements or provisioning profiles, make sure to write them in a single string, with a comma separating them.
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
SIGN_OPTIONS: "PRIVATE_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
MOBILE_PROVISION_PROFILE_FILE: "<path/on/repository>,<path/on/repository>" ...
OR “<https_download_link>,<https_download_link>” ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
Appendix D: Auto Dev Signing – Android and iOS
Android
For additional information, please refer to the article: How to Sign Secured Android Apps Using a Local Appdome Supplied Script
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set"
SIGN_OPTIONS: "AUTO_DEV_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
SIGN_FINGERPRINT: ${{secrets.APPDOME_SIGN_FINGERPRINT}}
GOOGLE_PLAY_SIGNING: "true" -Optional
iOS
For additional information, please refer to the article: How to Sign Secured iOS Apps Using a Local Appdome Supplied Script
Note: When adding multiple entitlements or provisioning profiles, make sure to write them in a single string, with a comma separating them.
APP_FILE: "path/on/repository" OR “https download link”
FUSION_SET_ID: "Appdome fusion set iOS"
SIGN_OPTIONS: "AUTO_DEV_SIGNING"
APPDOME_API_TOKEN: ${{secrets.APPDOME_API_KEY}}
MOBILE_PROVISION_PROFILE_FILE: "<path/on/repository>,<path/on/repository>" ...
OR “<https_download_link>,<https_download_link>” ....
OR ${{secrets.PROVISION_PROFILE_BASE64}}
ENTITLEMENTS_FILE: "<path/on/repository>,<path/on/repository>" ...
OR “<https_download_link>,<https_download_link>” ....
OR ${{secrets.ENTITLEMENTS_BASE64}}
Related Articles:
- How to Secure Android & iOS Apps in Jenkins CI/CD pipelines
- How to Secure Android & iOS Apps in GitLab CI/CD Pipelines
- How to Secure Android & iOS Apps in Bitrise CI/CD Pipelines
How Do I Learn More?
The description above is designed to help you secure Android & iOS apps in GitHub CI/CD pipelines. If you have any questions about using this Build-2Secure step for GitHub Actions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.