How to Test Secured Android Apps on Lambdatest, Mobile DevSecOps Best Practices

Last updated June 5, 2023 by Appdome

This knowledge base article covers the steps needed to test Appdome-secured Android mobile apps by using the Lambdatest mobile test automation suite.

Which Appdome Security Protections May be Triggered due to Lambdatest’s Test Environment

When using Lambdatest to run Real Device App Testing or App Automation testing on an Appdome protected app, you can choose between either of the following methods:
  • Use Appdome’s Build-to-Test service (recommended)
    Customers with an Appdome SRM license can use Appdome’s Build-to-Test service to quickly and easily test their Appdome-secured mobile apps by using Lambdatest, without the need for different Fusion Sets. With Appdome’s Build-to-Test service, Appdome’s in-app defense model recognizes the unique signature of these testing services and allows for easy testing without issuing a security alert or forcing the app to exit, even if these services use tools such as Magisk or Frida. For details, see How to Use Appdome Mobile App Automation Testing.
  • Use threat events
    When using threat events, Appdome protection features may be triggered due to the nature of Lambdatest’s test environment, thereby slowing down your work.
The following table describes which Appdome protection features may be triggered, the reason why, and how to avoid it (during the app building stage on Appdome).

| Appdome feature | Reason | How to prevent such identification |
| --- | --- | --- |
| Detect Developer Options | Required to interact with the device | Enable Threat Events for Detect Developer Options with In-App Detection mode – Appdome will detect that the setting Developer options is enabled, but will not close the app. Developer options is an Android setting that allows developers to configure system behaviors for administrative and troubleshooting purposes. |
| Block Android Debug Bridge (ADB) | Required to interact with the device | Enable Threat Events for Block Android Debug Bridge (ADB) with In-App Detection mode – Appdome will detect ADB is enabled, but will not close the app. ADB is a very powerful and versatile command-line tool that allows communicating with Android devices or Android apps either remotely or via a USB interface to perform a wide range of actions by running an extensive list of commands, including installing and debugging apps, and it provides access to the Android shell. While ADB is intended for use by legitimate developers in building, debugging, and troubleshooting Android apps, it can also be used by cybercriminals, fraudsters, and hackers for other purposes. |
| Prevent App Screen Sharing | Lambdatest performs screen recording, so if this feature is enabled all test videos may show a black screen | Disable Prevent App Screen Sharing. |

Threat Event Modes

  • In-App Detection – Appdome detects the attack or threat and passes the event in a standard format to the app for processing (your app chooses how and when to enforce).
  • In-App Defense – When a security event is detected by Appdome, Appdome will pass the event from the Appdome layer to the app. Appdome’s security engine will handle the event, the default behavior is for the app to exit after displaying a compromise notification to the end user (compromise notifications are customizable).

Preventing Protections from being Triggered for Detect Developer Options

To prevent security protections from being triggered for Detect Developer Options:
  1. Go to Build > Security.
  2. Go to the OS Integrity section.
  3. Enable (toggle On) Detect Developer Options.
  4. Select the check box Threat Events.
  5. From the list of threat event types, select In-App Detection.

Preventing Protections from being Triggered for Block Android Debug Bridge (ADB)

To prevent security protections from being triggered for Block Android Debug Bridge (ADB):
  1. Go to Build > Anti Fraud.
  2. Go to the Mobile Fraud Prevention section.
  3. Enable (toggle On) Block Android Debug Bridge (ADB).
  4. Select the check box Threat Events.
  5. From the list of threat event types, select In-App Detection.

Preventing Protections from being Triggered for Prevent App Screen Sharing

To prevent security protections from being triggered for Prevent App Screen Sharing:

  1. Go to Build > Security.
  2. Go to the Mobile Privacy section.
  3. Ensure that Prevent App Screen Sharing is disabled (toggle off).


Testing .aab Apps

Unlike .apk apps, .aab apps must be re-signed before installation.

To avoid triggering Appdome’s Anti Tampering protection as a result of the re-signing process, you can use either of the following options:

  • Convert the test .aab app into Universal.apk, by using the same key that was used for signing the .aab app, and use the Universal.apk file to test with Lambdatest.
  • Go to ONEShield™ by Appdome in any of the tabs, enable Threat Events for the Anti-Tampering feature and select the In-App Detection mode.
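
The first option above, as an added example (not Appdome's or Lambdatest's own tooling): build the universal APK with bundletool using the original keystore, then confirm that the APK's signing certificate matches the .aab's before uploading it. The bundletool wrapper on PATH, the file names and the key alias are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Appdome or Lambdatest code.
# Assumes bundletool (wrapper script), keytool, apksigner and unzip are on PATH,
# and that the .aab was signed with jarsigner (the usual upload-key flow).

# Read tool output on stdin and print the signing certificate's SHA-256
# fingerprint as bare lowercase hex. Handles both formats:
#   apksigner: "Signer #1 certificate SHA-256 digest: ab12..."
#   keytool:   "     SHA256: AB:12:..."
cert_sha256() {
  grep -E 'certificate SHA-256 digest:|SHA256:' | head -n 1 \
    | sed -E 's/^.*:[[:space:]]+//' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# True only when both fingerprints are non-empty and identical.
same_fingerprint() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Build a single universal APK signed with the given keystore and alias.
# bundletool prompts for the keystore password when --ks-pass is omitted.
build_universal_apk() {
  local aab="$1" ks="$2" key_alias="$3" out="$4"
  mkdir -p "$out"
  bundletool build-apks --bundle="$aab" --output="$out/app.apks" \
    --mode=universal --ks="$ks" --ks-key-alias="$key_alias" --overwrite
  unzip -o "$out/app.apks" universal.apk -d "$out"
}

# Compare the .aab signer with the universal APK signer.
verify_same_signer() {
  local aab_fp apk_fp
  aab_fp=$(keytool -printcert -jarfile "$1" | cert_sha256)
  apk_fp=$(apksigner verify --print-certs "$2" | cert_sha256)
  same_fingerprint "$aab_fp" "$apk_fp"
}

# Usage: ./aab_to_universal.sh app.aab release.jks release-alias out
if [ "$#" -eq 4 ]; then
  build_universal_apk "$1" "$2" "$3" "$4"
  if verify_same_signer "$1" "$4/universal.apk"; then
    echo "Signer matches: upload $4/universal.apk to Lambdatest"
  else
    echo "Signer mismatch: Anti-Tampering would see a re-signed app" >&2
    exit 1
  fi
fi
```

A mismatch here means the APK was signed with a different key than the .aab, which is the condition the second option (Threat Events for Anti-Tampering) is meant to tolerate during testing.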

Real Device (Live) App testing – Android

To initiate Real Device (Live) App test of your test app in Lambdatest:
  1. Log in to your Lambdatest account. Alternatively, if you do not yet have an account, Create an account.
  2. On the menu on the right bar, click Real Device > App Testing.
    You will now see a list of previously uploaded iOS and Android apps.
  3. Select Android platform on the left side of the screen.
  4. Select your app to test from the apps list.

    If you have not previously uploaded your app, you can do it now by clicking on UPLOAD to upload the app directly from your computer, or URL to obtain the app from somewhere else.
  5. Select a test device of your choice by selecting its brand, device name and OS version from the list on the right.
  6. Click Start to start testing.
    The app will be automatically installed on the selected device and then launched. The app’s device control buttons are displayed on the left.
  7. Click the app on the screen to use it.
  8. When done, click End Session (red button on the left side of the screen).

Automating App Testing on Android

Lambdatest supports several Appium capabilities, that is, key-value pairs that allow you to configure your tests on Lambdatest. For further details, see the Capabilities Builder – Appium webpage.
The networkLog Appium capability may trigger Appdome protection features, as specified below.

| Lambdatest-Specific Appium Capability | Reason | How to prevent such identification |
| --- | --- | --- |
| networkLog | By default, Lambdatest re-signs the app to enable capturing network log. | Enable Threat Events for Anti-Tampering with In-App Detection mode – Appdome will detect app re-signing, but will not close the app. |
| networkLog | Lambdatest uses a MiTM proxy | Enable Threat Events for Android MiTM Prevention with In-App Detection mode – Appdome will detect MiTM proxy, but will not close the app. |

To prevent the triggering of Appdome protection features when networkLog is used:
  1. Go to ONEShield™ by Appdome in any of the Appdome tabs.
  2. Enable Threat Events for the Anti-Tampering feature.
  3. Select the In-App Detection mode.
To prevent the triggering of Appdome protection features for Android MiTM Prevention:
  1. Go to Build > Security.
  2. Go to the Secure Communication section.
  3. Enable Threat Events for the Android MiTM Prevention feature.
  4. Select the In-App Detection mode.

Note:

For additional measures to take during app build on Appdome, see the above sections Testing on Android Apps and Testing .aab Apps.

Troubleshooting Tips

  • Most automation test tools can typically be used in one of two modes: emulator mode and real device mode (specific terms may vary according to the testing tool). If you use the automation test tool in “emulator mode” instead of “real device mode”, the Appdome-secured application will not run on the device. This is expected because Appdome ONEShield protects apps from running on emulators/simulators. Instead, you should run the automation test tool in real device
  • If you see a message such as: “Application has violated security policies and it will be shut down”, this means that (1) techniques such as emulators, tampering, or reverse engineering are present, and (2) the Fusion Set does not contain Appdome Threat-Events. This is expected because Appdome ONEShield protects against those conditions. You can either remove the triggering condition or use Appdome Threat Events if applicable.
