How to Test Appdome-secured iOS Apps on Browserstack

Last updated June 5, 2023 by Appdome

Learn how to test Appdome-secured iOS Apps using Browserstack’s mobile testing suite. Appdome is 100% compatible with all leading mobile application test automation solutions used by DevSecOps teams.  Automated testing of secured iOS app helps developers and others rapidly deploy comprehensive mobile app security and fraud prevention with DevSecOps speed and agility.

This knowledge base article covers the steps needed to test Appdome secured iOS mobile apps by using BrowserStack mobile test automation suite.

Appdome works with all leading mobile automation testing solutions to help customers achieve comprehensive mobile app security at DevSecOps speed and agility, all within the app’s existing application lifecycle.

General Information about Testing in iOS Apps

Browserstack allows testing apps by using its App Live and App Automate features, which can both be used for testing Appdome secured mobile apps.

When using Browserstack to run Live App or App Automate testing on an Appdome protected app, you can choose between either of the following methods:

  • Use Appdome’s Build-to-Test service (recommended)
    Customers with an Appdome SRM license can use Appdome’s Build-to-Test service to quickly and easily test their Appdome-secured mobile apps by using Browserstack, without the need for different Fusion Sets. With Appdome’s Build-to-Test service, Appdome’s in-app defense model recognizes the unique signature of these testing services and allows for easy testing without issuing a security alert or forcing the app to exit, even if these services use tools such as Magisk or Frida. For details, see How to Use Appdome Mobile App Automation Testing.
  • Use threat events
    When using threat events, Appdome protection features may be triggered triggered due to the nature of Browserstack’s test environment, thereby slowing down your work.

The following table describes which Appdome protection features may be triggered, the reason why and how to avoid it (during the app building stage on Appdome):

Appdome feature Reason How to prevent such identification
Prevent App Screen Sharing Browserstack allows live view of the device screen while the test is running Enable Threat Events for Prevent App Screen Sharing with In-App Detection mode – Appdome will detect screen sharing app, but will not close the app.
Anti-Debugging Browserstack signs the app as debuggable upon installation Sign your app on Appdome by using a provisioning profile that includes debuggable entitlement.

– or –

Enable Threat Events for Anti-Debugging with In-App Detection mode – Appdome will detect debuggable app, but will not close the app.

Threat-event Modes

  • In-App Detection – Appdome detects the attack or threat and passes the event in a standard format to the app for processing, namely: the choice how and when to enforce is made based on your app’s settings.
  • In-App Defense – When a security event is detected by Appdome, Appdome will pass the event from the Appdome layer to the app.
    Appdome’s security engine will handle the event, the default behavior is for the app to exit after displaying a compromise notification to the end user (compromise notifications are customizable).

Preventing Protections from being Triggered for Prevent App Screen Sharing

To prevent security protections from being triggered for Prevent App Screen Sharing:

  1. Go to Build > Security.
  2. Go to the Mobile Privacy section.
  3. Enable (toggle On) Prevent App Screen Sharing.
    Prevent App Screen Sharing On Ios

Preventing Protections from being Triggered for Anti-Debugging

To prevent security protections from being triggered for Anti-Debugging:

  1. Go to ONEShield™ by Appdome in any of the Appdome tabs.
  2. Enable Threat Events for the Anti-Debugging feature.
  3. Select the In-App-Detection mode.
    Ios Anti Debugging

Live App testing – iOS

To initiate App Live test of your iOS test app in Browserstack:
  1. Log in to your BrowswerStack account. Alternatively, if you do not yet have an account, Create an account.
  2. Click the Let’s Go button in BrowserStack’s account page.
    The website now displays a page with a list of iOS and Android devices you can test the app with.
  3. Click App Live on the top of the page.
  4. Click Upload to upload your signed app build.
    Uploaded Apps
  5. After the app upload completes, select the device to be used for testing the app.
    To do that, click the device type (in the example shown below, iPhone) and then the device model. The app will be automatically  installed on the selected device and then launched.
    Kill Uninstall
  6. Note:
    In case of any issues with the app, you need to send the device logs to Appdome Support by following these steps:

    1. Go to Build > Security on on Appdome.
    2. Go to the Appdome Dev Options section.
    3. Enable(toggle On) the  option Diagnostic  Logs.
      For details, see Knowledge Base article Appdome Diagnostic Logs for Troubleshooting Secured Apps.
      Ios Diagnosticlogs
    4. Go back to BrowserStack and re-run the steps used for uploading the app with the selected device.
    5. Click the Kill/Uninstall button on the running app.
      Killuninstall
    6. Select the options All Device Logs and Verbose.
      Devtoolsalldevicelogs
    7. Clear the log under DEVTOOLS.
    8. On the device, open the app once more, getting to the point where the issue occurred (and take note of the time).
    9. Click Download at the top right-hand corner under DEVTOOLS.
    10. Set a name for the downloaded log, including the time the issue occurred.
    11. Sent the log by email to support@appdome.com, complete with details on the issue, device model, and OS version used in testing.

Automating App Testing on iOS

When using Browsersdtack with Automate App testing on an Appdome protected app, certain security protections may be triggered due to advanced options that need to be enabled in Browserstack’s test environment. In addition to the protections that are triggered in live testing, as specified earlier in section General Information about Testing in iOS Apps, the following table describes which Appdome protection features may be triggered when performing automated testing, the reason why and how to avoid it (during the app building stage on Appdome):
Appdome feature Reason How to prevent such identification
iOS MiTM Prevention
Browserstack uses a MiTM proxy Enable Threat Events for iOS MiTM Prevention with In-App Detection mode – Appdome will detect MiTM proxy, but will not close the app.
To prevent the triggering of Appdome protection features when Browserstack uses a MiTM proxy:
  1. Go to Build > Security.
  2. Go to the Secure Communication section.
  3. Enable Threat Events for the iOS MiTM Prevention feature.
  4. Select the In-App-Detection mode.
    Ios Mitm Prevention
BrowserStack has several Appium capabilities, namely: a series of key-value pairs that allow you to configure your tests on BrowserStack. For further details, see the  Capabilities Builder – Appium webpage.
The network Log Appium capability can trigger Appdome protection features, as specified below.
BrowserStack-Specific Appium Capability Reason How to prevent such identification
networkLog By default, BrowserStack re-signs the app to enable capturing network log. Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app.
To prevent the triggering of Appdome protection features when networkLog is used:
  1. Go to ONEShield™ by Appdome in any of the Appdome tabs.
  2. Enable Threat Events for the Anti-Tampering feature.
  3. Select the In-App-Detection mode.
    Ios Anti Tampering

Troubleshooting Tips

  • Most automation test tools can typically be used in one of two modes: emulator modeand real devicemode (specific terms may vary according to the testing tool). If you use the automation test tool in “emulator mode” instead of “real device mode”, the Appdome-secured application will not run on the device. This is expected because Appdome ONEShield protects apps from running on emulators/simulators.  Instead, you should run the automation test tool in real device
  • If you see a message such as: “Application has violated security policies and it will be shut down”, this means that (1) techniques such as emulators, tampering, or reverse engineering are present, and (2) the Fusion Setdoes not contain Appdome Threat-Events. This is expected because Appdome ONEShield protects against those conditions. You can either remove the triggering condition or use Appdome Threat Events if applicable.
  • If your mobile application closes/exits unexpectedly and/or you see a message such as: “Application has violated security policies and it will be shut down”, this usually means that techniques are present which Appdome protects against, such as emulator mode, tampering, reverse engineering, or root hiding. Below are some of the likely causes:
    • The user may be running the testing tool in ’emulator’ mode, which Appdome protects against. To remedy this, run the test in ‘manual’ mode or using real devices.
    • BrowswerStack’s VPN  uses TCP port 80 (http), which does not encrypt traffic. If you built your application with Appdome’s MitM Prevention or other features from Appdome’s Secure Communication category, the TCP session will be blocked. This is expected and by design.

Related Articles

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

NEED HELP?

let's solve it together

LironMaking your security project a success!
By filling out this form, you opt-in to recieve emails from us.