How to Test Appdome-secured Android Apps on SauceLabs

Last updated June 5, 2023 by Appdome

Appdome works with all leading mobile automation testing solutions to help customers achieve comprehensive mobile app security at DevSecOps speed and agility, all within the app’s existing application lifecycle.

This Knowledge Base article explains how to test Appdome-secured Android apps by using the SauceLabs automation test platform for DevSecOps.

General

SauceLabs allows testing apps by using its Live and Automation testing suites. Both can be used for testing Appdome-secured mobile apps. When using SauceLabs to run Live Mobile App or Automated testing on an Appdome-protected app, you can choose either of the following methods:

  • Use Appdome’s Build-to-Test service (recommended)
    Customers with an Appdome SRM license can use Appdome’s Build-to-Test service to quickly and easily test their Appdome-secured mobile apps by using SauceLabs, without the need for different Fusion Sets. With Appdome’s Build-to-Test service, Appdome’s in-app defense model recognizes the unique signature of these testing services and allows for easy testing without issuing a security alert or forcing the app to exit, even if these services use tools such as Magisk or Frida. For details, see How to Use Appdome Mobile App Automation Testing.
  • Use threat events
    When using threat events, Appdome protection features may be triggered due to the nature of SauceLabs’s test environment, thereby slowing down your work.

The following table describes which Appdome protection features may be triggered, the reason why, and how to avoid it (during the app building stage on Appdome):

| Appdome Feature | Reason | How to Prevent Such Identification |
|---|---|---|
| App Is Debuggable | Saucelabs sets the apps as debuggable | Enable Threat Events for Detect App Is Debuggable with In-App Detection mode – Appdome will detect the rooted devices, but will not close the app. |
| Detect Developer Options | Required to interact with the device | Enable Threat Events for Detect Developer Options with In-App Detection mode – Appdome will detect that the setting Developer options is enabled, but will not close the app. |
| Block Android Debug Bridge (ADB) | Required to interact with the device | Enable Threat Events for Block Android Debug Bridge (ADB) with In-App Detection mode – Appdome will detect ADB is enabled, but will not close the app. |
| Prevent App Screen Sharing | Saucelabs performs screen recording, so if this feature is enabled all test videos will show a black screen | Disable Prevent App Screen Sharing. |

Developer options is an Android setting that allows developers to configure system behaviors for administrative and troubleshooting purposes. When this setting is enabled, developers can run their app on an Android mobile device without a proper digital signature.

ADB is a very powerful and versatile command-line tool that allows communicating with Android devices or Android apps, either remotely or via a USB interface, to perform a wide range of actions by running an extensive list of commands, such as installing and debugging apps. It also provides access to an Android shell. While ADB is intended for use by legitimate developers in building, debugging, and troubleshooting Android apps, it can also be used by cybercriminals, fraudsters, and hackers for other purposes.

Threat Event Modes

  • In-App Detection – Appdome detects the attack or threat and passes the event in a standard format to the app for processing; that is, the choice of how and when to enforce is made based on your app’s settings.
  • In-App Defense – When Appdome detects a security event, it passes the event from the Appdome layer to the app.
    Appdome’s security engine handles the event. The default behavior is for the app to exit after displaying a compromise notification to the end user (compromise notifications are customizable).

Preventing Protections from being Triggered for App Is Debuggable

To prevent security protections from being triggered for App Is Debuggable:
  1. Go to ONEShield™ by Appdome in any of the Appdome tabs.
  2. Enable Threat Events for the Detect App is Debuggable feature.
  3. Select the In-App-Detection mode.

Preventing Protections from being Triggered for Detect Developer Options

To prevent security protections from being triggered for Detect Developer Options:
  1. Go to Build > Security.
  2. Go to the OS Integrity section.
  3. Enable (toggle On) Detect Developer Options.
  4. Select the check box Threat Events.
  5. From the list of threat event types, select In-App Detection.

Preventing Protections from being Triggered for Block Android Debug Bridge (ADB)

To prevent security protections from being triggered for Block Android Debug Bridge (ADB):
  1. Go to Build > Anti Fraud.
  2. Go to the Mobile Fraud Prevention section.
  3. Enable (toggle On) Block Android Debug Bridge (ADB).
  4. Select the check box Threat Events.
  5. From the list of threat event types, select In-App Detection.

Preventing Protections from being Triggered for Prevent App Screen Sharing

To disable Prevent App Screen Sharing:

  1. Go to Build > Security.
  2. Go to the Mobile Privacy section.
  3. Disable (toggle Off) Prevent App Screen Sharing.

Testing .aab Apps

Unlike .apk apps, .aab apps must be re-signed before installation.

To avoid triggering Appdome’s Anti Tampering protection as a result of the re-signing process, you can use one of the following options:

  • Use Appdome Private Sign with the following Saucelabs’s private SHA1 signing key: A909F159453508C2D8526B8732F675D282368619
  • Convert the test.aab app into Universal.apk, by using the same key that was used for signing the .aab app, and use the Universal.apk file to test with Saucelabs.
  • Go to ONEShield™ by Appdome in any of the tabs, enable Threat Events for the Anti-Tampering feature and select the In-App-Detection mode. Appdome’s protection will still detect the tampering, but it will not close the app.
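The options above depend on which certificate the APK under test ends up signed with. The following added example (not Appdome or SauceLabs code) checks the output of `apksigner verify --print-certs` against an expected fingerprint; it assumes the value quoted above is the SHA-1 fingerprint of the signing certificate as `apksigner` reports it, and the sample output is constructed.

```python
import re

# Fingerprint quoted in the first option above (assumed: certificate SHA-1).
EXPECTED_SHA1 = "A909F159453508C2D8526B8732F675D282368619"

# Line format printed by `apksigner verify --print-certs` for each signer.
_DIGEST_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-1 digest:[ \t]*([0-9A-Fa-f:]+)[ \t]*$",
    re.MULTILINE,
)


def normalize(fingerprint):
    """Uppercase hex without separators; reject anything that is not 20 bytes."""
    hexed = re.sub(r"[:\s]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexed):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return hexed


def signer_sha1s(print_certs_output):
    """Map signer number -> normalized SHA-1 digest found in the output."""
    return {int(number): normalize(digest)
            for number, digest in _DIGEST_LINE.findall(print_certs_output)}


def signed_only_by(print_certs_output, expected=EXPECTED_SHA1):
    """True when at least one signer is listed and every signer matches."""
    found = signer_sha1s(print_certs_output)
    return bool(found) and set(found.values()) == {normalize(expected)}


# Constructed sample output; the DN is a placeholder.
SAMPLE_MATCH = """\
Signer #1 certificate DN: CN=Constructed Test Signer
Signer #1 certificate SHA-1 digest: a909f159453508c2d8526b8732f675d282368619
"""
SAMPLE_OTHER = """\
Signer #1 certificate DN: CN=Constructed Other Signer
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233
"""
```

A mismatch here means the installed app carries a certificate other than the one configured on Appdome, which is the condition Anti-Tampering reacts to.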

Live Mobile App testing – Android

To initiate App Live test of your test app in Saucelabs:
  1. After successfully building and signing your app on Appdome, log in to your Saucelabs account. If you do not yet have an account, create one.
    Note: For .aab app types, please refer to section Automate App testing – Android before building the app on Appdome.
  2. On the left sidebar, select App Management.
    If you see an option to select between devices on a Virtual Cloud and Real Devices, select Real Devices.
    A list of your apps will be displayed. If you have not uploaded any app before, the list will be empty.
    If your test app does not appear in the list, you can upload it by dragging the app, or by clicking choose file.
  3. After you have uploaded your test app, hover your mouse/cursor over the app to display the Settings and App Versions option.
  4. Click Settings and App Versions.
  5. Disable Instrumentation and Image Injection, thus preventing Saucelabs from re-signing the app.
  6. Click App Management.
  7. Hover your mouse or cursor over the app to display the Start Test option.
  8. Click Start Test to select the test device.
  9. Select an available test device from the displayed list and click Launch.
    This will start a manual test of the uploaded app on the selected device.
    To see live device logs, click Log on the menu on the right.
  10. When done, click STOP on the right menu.

If you want to test using Appium, check out the SauceLabs Appium Wiki.

Automate App testing – Android

The following Appium capabilities, when used in the automation test code, can also trigger protection features:

| Saucelabs Specific Appium Capability | Reason | How to Prevent Such Identification |
|---|---|---|
| networkCapture | Saucelabs will re-sign the app | Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app. |
| resigningEnabled | Saucelabs will re-sign the app | Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app. |
| sauceLabsImageInjectionEnabled | Saucelabs will re-sign the app | Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app. |
| sauceLabsBypassScreenshotRestriction | Saucelabs will re-sign the app | Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app. |

To enable Threat Events for Anti-Tampering on Appdome:

  1. Go to ONEShield™ by Appdome in any of the tabs.
  2. Enable Threat Events for the Anti-Tampering feature.
  3. Select the In-App-Detection mode.

Notes:

  • To avoid app re-signing by Saucelabs, it is required to disable the Instrumentation and Image Injection feature on Saucelabs cloud.
  • For additional measures to take during app build on Appdome, see above sections General and Testing .aab apps.
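A pre-flight check for the capabilities listed in this section, as an added example (not Appdome or SauceLabs code): it walks an Appium capability set, including nested `sauce:options` and W3C `alwaysMatch`/`firstMatch` blocks, and reports every enabled capability that causes re-signing. Capability names are spelled as Sauce Labs defines them; the sample capability set and its app and test names are constructed.

```python
# Added example: pre-flight lint for Sauce Labs Appium capabilities.
# The four names are the ones listed in this section; other values are constructed.
RESIGNING_CAPS = {
    "networkCapture",
    "resigningEnabled",
    "sauceLabsImageInjectionEnabled",
    "sauceLabsBypassScreenshotRestriction",
}

def _is_enabled(value):
    """Treat True and its string forms ("true", "True") as enabled."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def _walk(caps, path=""):
    """Yield (path, bare_name, value) for every leaf capability, descending
    into nested dicts and lists (sauce:options, alwaysMatch, firstMatch)."""
    if isinstance(caps, dict):
        for key, value in caps.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                yield from _walk(value, here)
            else:
                # Drop a vendor prefix such as "appium:" before matching.
                yield here, key.split(":")[-1], value
    elif isinstance(caps, list):
        for index, item in enumerate(caps):
            yield from _walk(item, f"{path}[{index}]")

def resigning_findings(caps):
    """Return the sorted paths of enabled capabilities that cause re-signing."""
    return sorted(path for path, name, value in _walk(caps)
                  if name in RESIGNING_CAPS and _is_enabled(value))

# Constructed capability set; app and test names are placeholders.
SAMPLE_CAPS = {
    "platformName": "Android",
    "appium:app": "storage:filename=secured-app.apk",
    "sauce:options": {
        "name": "appdome-smoke",
        "resigningEnabled": False,
        "networkCapture": "true",
        "sauceLabsImageInjectionEnabled": True,
    },
}
```

Running this in CI before the test session starts shows whether a build needs Anti-Tampering in In-App Detection mode, or whether the capability set can be trimmed instead.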
