How to Use Appdome SDKProtect to Secure Android SDKs
Introduction to Appdome SDKProtect for Android
In the ever-changing world of mobile application development, SDKs (Software Development Kits) play a crucial role in providing developers with pre-built tools, libraries, and APIs to enhance app functionality. However, the very features that make SDKs valuable also introduce significant security concerns due to their inherent complexity and broad accessibility.
SDKs typically encompass a vast array of functionalities packaged into an extensive codebase. This complexity can introduce multiple layers of potential vulnerabilities, as the deep and often intricate code structures provide numerous attack surfaces for malicious entities. Complex systems may contain security flaws that are harder to detect and can be exploited by attackers to perform actions like data breaches or unauthorized access.
SDKs are designed to be integrated into multiple apps, making them highly accessible and reusable across different development projects. While this promotes efficiency and functionality, it also means that SDKs are more exposed to misuse. Publicly available or widely used SDKs can be specifically targeted by attackers because a single vulnerability can potentially impact multiple applications at once.
Prerequisites
Before you start, ensure you have the following:
- An Appdome account (Create a free account here)
- A license for SDKProtect™
- A valid .aar file or iOS framework (Check that your SDK is in one of these formats)
What is Appdome SDKProtect?
Appdome SDKProtect is a new service on Appdome that enables mobile SDK developers to quickly and easily create protected and threat-aware versions of their mobile SDKs, reducing fraud and ensuring compliance. SDKProtect is specifically engineered to secure mobile SDKs against a wide variety of threats.
Key Features of SDKProtect
SDK Threat Shielding encrypts, obfuscates, and safeguards SDK components, fortifying them against cyber threats for enhanced security.
-
- Obfuscate SDK Logic – Obfuscate SDK classes and methods to protect against malicious reverse engineering.
* Excludes Specific Classes – List class or package prefixes to exclude from obfuscation. - Dex File Encryption – Encrypts static and embedded dex files in the SDK.
- Encrypt SDK Strings – Encrypts all SDK Java application strings.
- Verify SDK Assets and Libs – Verify the authenticity of SDK native libraries and assets.
- Obfuscate SDKProtect™ – Obfuscate sources, libraries and strings of Appdome code.
- Encrypt SDK DBs – Protects data created by the SDK on the device by establishing a secure data container that also ensures that the application cannot access the SDK’s encrypted data.
- Encrypt SDK Preferences – Protects SDK shared preferences so they cannot be modified by malicious actors attempting to change the way the SDK behaves.
- SDK MiTM Defense – Validates the authenticity of communication sessions initiated by the SDK. This is achieved by pinning the server-side certificate and performing chain validation.
- Obfuscate SDK Logic – Obfuscate SDK classes and methods to protect against malicious reverse engineering.
SDK Threat Intelligence
Threat Intelligence combines the power of Threat-Shielding and Mobile Risk Evaluation with the following visibility and control options.
- Threat-Monitoring – combines the SDK protections with real-time attack monitoring and enterprise-grade intelligence via Appdome ThreatScope™ Mobile XDR.
- Threat-Streaming – provides real-time telemetry data that can be streamed to the SDK back-end to create specific outcomes or responses when attacks happen.
- Root Detection – Identify users attempting to run your mobile application on a rooted device.
- Emulator Detection – Identify users attempting to run your mobile application on a rooted device.
- Detect Debugging – Detect when a debugger is attached to the SDK or the SDK is marked as Debuggable
- Detect Frida – Automatically detect and block Frida-based toolkits from reverse-engineering and instrumenting your application’s UI and logical flow.
- Detect Inline Hooks – Detect when a debugger is attached to the SDK or the SDK is marked as Debuggable.
- Immutable Device ID – Appdome provides a unique, unchanging device ID to improve security and ensure consistent recognition.
- Android Debug Bridge (ADB) – Automatically detects and prevents the use of Android Debug Bridge (ADB) for malicious reverse engineering, debugging, remote shell, etc.
By implementing these security measures, Appdome’s SDKProtect not only shields mobile SDKs from exploitation but also enhances the overall trustworthiness of the mobile applications that utilize the SDK.
Note: If you wish to use Threat Events with the above SDK features, please make sure that your app includes the correct implementation.
Example
For more details on SDK Threat Events, see How to Implement Threat Event Handling in Android SDKs.
Workflow for Securing iOS SDKs with SDKProtect
- Upload an SDK file
- Create and name the Fusion Set (security template) that will contain the SDK Threat-Shielding feature as shown below:
- Building the SDK Threat-Shielding & SDK Threat Intelligence feature via Appdome Console
-
- Select which features you want to turn on, such as Root Detection, Emulator Detection, Detect Debugging and Detect Inline hooks.
- Click on Build My SDK to initiate the build process.
-
- Download the built SDK file. Click the button, two files will be downloaded to your computer:
Certified Secure Certificate
This certificate verifies that Appdome has secured your SDK with specific security features, as identified in the certification details. Issued to your secured SDK, this certificate details the implementation of Appdome’s SDK Threat Shielding and SDK Threat Intelligence features that you have chosen to build into your SDK.
Related Articles:
- How to Obfuscate SDK Logic using Appdome SDKProtect™
- Obfuscate Mobile Business Logic, Anti-Reversing in Android Apps
- How to Encrypt Resources in Android Apps
- How to Encrypt Java Strings in Android Apps
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.