How to Automate Single Tasks Using the Appdome REST API

Last updated May 19, 2022 by Avita Flit

This KB article describes how to use the Appdome-DEV REST API to automate mobile app security by building security features directly into mobile apps as part of your DevSecOps build process and CI/CD workflows.

We hope you find this knowledge base useful and enjoy using Appdome!

What is the Appdome-DEV REST API?

Appdome-DEV enables developers to automate mobile app security end-to-end. Using Appdome’s REST-API, developers can implement any Appdome feature programmatically using the REST-API. Each step can be implemented separately or as part of a continuous end-to-end workflow.

This article details the technical specifications of these API requests.

6 Easy Steps Automate Single Tasks Using the Appdome REST API

In order to use Appdome’s REST API, you’ll need:

An Ideal Appdome account.
Appdome-DEV license
Your API Token (Learn how to get your API Token)
Team API Key (If you’re building as part of an Appdome Team)
A Fusion Set API KEY (Learn how to get Fusion Set API Key)
Fusion Set API KEY for the App Team (If you’re building as part of an Appdome Team)

How to Build in a Team

You can run any command for any app and Fusion Set (mobile app security templates) in any of your Teams. Just add a URL encoded parameter with your Team API Key (make sure to use a Fusion Set API Key from your Team and not personal account). For example:

https://fusion.appdome.com/api/v1/<SINGLE_TASK_API_COMMAND>?team_id=<TEAM_API_KEY>

The task requests generally are sequential so each task uses an identifier from a previous task to complete. For instance, the Upload task returns an Application ID, which is then sent to the Build Task.

Uploading Apps using the Appdome REST API -Via Amazon server

The upload process holds 3 sequential API commands:

URL	`https://fusion.appdome.com/api/v1/upload-link`
Method	GET
Content-Type	multipart/form-data
Headers	Authorization: <API Token>
API Description	Provides an upload link from Amazon server and matches the unique file ID. Note that the link will expire after the retrieved expiration time.(when uploading an app into a team – add the team ID as a parameter)
CURL Example	`curl -X GET -H "Authorization:dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/upload-link`
Response Format	`{ "url": "https://fusion-applications.s3.us-west-1.amazonaws.com/3328a9b1/d968b4/d55e4b304b0b470968b4_input?AWSAccessKeyId=AKIAJVYXHJTA&Expires=16312&Signature=enXqXZKtG8qAng8=", "file_id": "d55e4b30-123123123", "expire_time_in_min": 30 }`

URL	The retrieved upload link to the Amazon server from the previous command output
Method	PUT
Content-Type	data binary
Payload	App binary file (APK or IPA or AAB)
API Description	It allows you to upload an app to the Amazon server.
CURL Example	`curl -X PUT https://<Amazon upload link> -D "file=@/path/to/file.apk"`
Response Format	`"status":200`

URL	`https://fusion.appdome.com/api/v1/upload-using-link`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload	(in form format:) `-F file_app_id=<Application file ID>//(from the first API GET response) -F file_name=<the uploded app binary name>`
API Description	It allows you to upload the app from the Amazon server into Appdome. (when uploading an app into a team – add the team ID as a parameter)
CURL Example	`curl -X POST -H "Authorization:dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/upload-using-link -F file_app_id="3328a9b1" -F file_name="demo.apk"`
Response Format	`{ "app": { "id": Application ID, "account_id": Application Account ID, "user_id": Application User ID, "creation_time": Unix Time, "pack_name": App File Name, "pack_size": Size in Bytes, "pack_type": apk/ipa/aab, "pack_bundle_identifier": App Bundle ID, "pack_bundle_version": App Bundle Version, "pack_bundle_display_name": App Display Name, "pack_bundle_build_number": App Build Number, "pack_app_store_description": App Store Description If exist, "status": active/error } }`

Uploading Apps using the Appdome REST API – Via Appdome server

URL	`https://fusion.appdome.com/api/v1/upload`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload	file: file multipart content
API Description	It allows you to upload an app to Appdome.
CURL Example	`curl -X POST -H "Authorization:dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/upload -F "file=@/path/to/file.apk"` App Team: `curl -X POST -H "Authorization:dkG90pp9LPsXUC_pPWO0qA" "https://fusion.appdome.com/api/v1/upload?team_id=33392-23232-1451-987" -F "file=@/path/to/file.apk"`
Response Format	`{ "app": { "id": Application ID, "account_id": Application Account ID, "user_id": Application User ID, "creation_time": Unix Time, "pack_name": App File Name, "pack_size": Size in Bytes, "pack_type": apk/ipa/aab, "pack_bundle_identifier": App Bundle ID, "pack_bundle_version": App Bundle Version, "pack_bundle_display_name": App Display Name, "pack_bundle_build_number": App Build Number, "pack_app_store_description": App Store Description If exist, "status": active/error } }`

Building Apps using the Appdome REST API

After uploading your app and getting the Application ID, you can now build it using an existing Fusion Set.

URL	`https://fusion.appdome.com/api/v1/tasks`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload Format	(in form format:) `-F app_id=<Application ID>//(from the Upload task response) -F fusion_set_id=<Your_Fusion_set_API_Key> -F action=fuse -F 'overrides={<overrides, or empty JSON>}'//(see details below) -F plugin_good_private_certs_content=@<path/to/single/file> //(optional)`
API Description	It allows you to fuse a mobile app.
CURL Example	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -F app_id=pl5ZsekOBadRbbZHDGMYUw -F fusion_set_id=vpRwZCDTBW2IfmOFpvHpxA -F action=fuse -F 'overrides={"user_agent":true, "user_agent_value":"Mozilla 5.5"}' -H 'content-type: multipart/form-data' https://fusion.appdome.com/api/v1/tasks`
Response Format	`{ "task_id": ID of the created fuse task }`

When you have to renew your API Token to complete builds:

curl -X POST -H “Authorization:$TOKEN” https://fusion.appdome.com/api/v1/refreshApiToken

The available overrides for the Build task are:

Key	Name in Appdome	Value	Notes
`user_agent`	User Agent Customization	Boolean	Must use with `user_agent_value`
`user_agent_value`	User-Agent Header	String
`plugin_good_probe_url`	Pre-Authentication URL	String of up to 1024 characters	Only if BlackBerry PreAuth is turned on in Fusion Set
`plugin_good_app_version`	GD Entitlement Version	String of up to 250 characters
`plugin_good_app_id`	GD Entitlement ID	String of up to 128 characters
`extended_logs`	Diagnostic Logs	Boolean	Only if enabled for the user.
`extended_logs_gesture_via_http`	Tap to upload logs(iOS)/ Shake to upload logs(Android)	Boolean	Must use with `extended_logs`.
`extended_logs_gesture_via_external_app`	Tap to email logs(iOS)/ Shake to email logs(Android)	Boolean	Must use with `extended_logs`.
`anti_pharming_url_list`	URL List	Array of Strings	Only if URL Whitelisting is turned on in Fusion Set

Adding Context to Apps using the Appdome REST API

After Building your app, you can add context with the pre-configured settings of your selected Fusion Set in the previous step.

URL	`https://fusion.appdome.com/api/v1/tasks`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload Format	(in form format:) `-F parent_task_id=<Task ID>//(from the Upload task response) -F action=context -F 'overrides={<overrides, or empty JSON>}'//(see details below) -F icon_overlay_content=@<path/to/single/file> //(PNG format file whose size should not exceed 1MB) -F app_customization_application_icon=@<path/to/single/file>//(PNG format file whose size should not exceed 1MB) -F app_customization_application_files=@<path/to/single/file>`
API Description	It allows you to add context to a mobile app.
CURL Example	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -F parent_task_id=lix-X4WwvH6joI9DqjdlnQ -F action=context -F 'overrides={}' -H 'content-type: multipart/form-data' https://fusion.appdome.com/api/v1/tasks`
Response Format	`{ "task_id": ID of the created fuse task }`

The available overrides for the Context task are:

Key	Name in Appdome	Value	Notes
`icon_overlay`	Add Favicon	Boolean	Must use with `icon_overlay_scale, icon_overlay_position, icon_overlay_filename` Must also add Form data `icon_overlay_content` with an icon file (see above) PNG format file whose size should not exceed 1MB
`icon_overlay_scale`	Scale	Number between 20 and 50
`icon_overlay_position`	Favicon Position	‘Top Right’, ‘Top Left’, ‘Bottom Right’, ‘Bottom Left’
`customize_url_enable`	Private URL	Boolean	Must use with `customize_url_value, customize_url_key`.
`customize_url_value`	Private URL Value	String
`should_copy_url_to_clipboard`	Copy URL to Clipboard	Boolean	Must use with `customize_url_enable`.
`customize_url_key`	Private URL Identifier	String
`app_customization_pack_bundle_version`	App Version	String
`app_customization_pack_bundle_identifier`	App Bundle ID	String
`app_customization_pack_bundle_display_name`	App Display Name	String
`app_customization_pack_bundle_build_number`	App Version Code	Number
`app_customization_key_value_list`	Custom Values	JSON	LifeCycle, Context file size should not exceed 1MB

Signing Apps using the Appdome REST API

Using the Appdome REST API, you have 3 different choices to sign your apps:

Automatic Signing (Android, iOS) – If you saved your signing credentials in the Fusion Set, you can use this command to sign the app automatically, and receive a signed binary.
Private Signing (Android, iOS) – If you want to seal the app, download a non-signed binary and sign it locally.
Auto-DEV private Signing (Android, iOS) – The app is sealed and wrapped in a signing script, which you can run to automatically sign the app locally (without uploading the certificates to the platform).

The API request for all the signing tasks are identical, only the action needs to be changed.

For Automatic Signing use sign
For Private Signing use seal
For Auto-DEV Private Signing use sign_script

NOTE: When signing Android apps using Private Signing or Auto-DEV Signing, please add the certificate SHA-1 fingerprint as an override: overrides={"signing_sha1_fingerprint":""}

Example:
‘overrides={“signing_sha1_fingerprint”:”6B:D1:79:F9:5F:7B:BE:64:A3:A5:DC:59:B6:62:E8:67:4F:44:0D:54″}’
or
‘overrides={“signing_sha1_fingerprint”:”6BD179F95F7BBE64A3A5DC59B662E8674F440D54″}’

NOTE: When signing iOS apps, always add the Form data -F provisioning_profile=@<path/to/file>For multiple provisioning profiles, add the above line for each profile.

URL	`https://fusion.appdome.com/api/v1/tasks`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload Format	(in form format:) `-F parent_task_id=<Task ID>//(from the Upload task response) -F action=sign //OR -F action=seal //OR -F action=sign_script` //For Android: `-F signing_keystore=@<path to file> -F overrides={"signing_keystore_password": "<password>","signing_keystore_alias": "<alias>", "signing_keystore_key_password": "<password>" }//(see more details below)` //For iOS `-F signing_p12_content=@<path to file> -F overrides={"signing_p12_password": "<password>"} -F provisioning_profile=@<path/to/file> -F provisioning_profile=@<path/to/additional file>// (optional)` //For iOS when adding entitlements file `-F 'overrides={"manual_entitlements_matching":true}'// (optional) -F entitlements_files=@<path/to/entitlements file>// (optional) -F entitlements_files=@<path/to/additional entitlements file>// (optional)`
API Description	Allows you to sign a mobile app.
CURL Example Sign	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -F parent_task_id=lix-X4WwvH6joI9DqjdlnQ -F action=sign -F signing_keystore=@<path to file> overrides={"signing_keystore_password": "<password>","signing_keystore_alias": "<alias>", "signing_keystore_key_password": "<password>" } -F -H 'content-type: multipart/form-data' https://fusion.appdome.com/api/v1/tasks`
CURL Example Private Sign	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -F parent_task_id=lix-X4WwvH6joI9DqjdlnQ -F action=seal -F 'overrides={"signing_sha1_fingerprint":"6B:D1:79:F9:5F:7B:BE:64:A3:A5:DC:59:B6:62:E8:67:4F:44:0D:54"}' -H 'content-type: multipart/form-data' https://fusion.appdome.com/api/v1/tasks`
Response Format	`{ "task_id": ID of the created fuse task }`

Available overrides for the Signing Task:

Key	Name in Appdome	Value	Notes
`signing_keystore_use_google_signing`	Use Google Play App Signing	Boolean	Must use with `signing_keystore_google_signing_sha1_key`
`signing_keystore_google_signing_sha1_key`	App Signing Certificate SHA-1 or SHA-256	String

Getting the Status of a Task

You can send a GET request to check the status of a task (of the same user). The Task ID is sent in the URL:

URL	`https://fusion.appdome.com/api/v1/tasks/<task_id>/status`
Method	GET
Headers	Authorization:<API Token>
API Description	Allows you to get the status of a task by ID
CURL Example	`curl -X GET -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/tasks/lix-X4WwvH6joI9DqjdlnQ/status`
Response Format	`{ "status": Current Task Status}`

Download Appdome’s Certified Secure Certificate (PDF)

You can send a GET request to download Appdome’s Certified Secure certificate (PDF file) of your secured app.

URL	`https://fusion.appdome.com/api/v1/tasks/<parent_task_id>/certificate`
Method	GET
Headers	Authorization:<API Token>
API Description	Download Appdome’s Certified Secure certificate (PDF file) of your secured app, identified by its task ID
CURL Example	`curl -X GET -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/tasks/lix-X4WwvH6joI9DqjdlnQ/certificate`
Response Format	The Certified Secure certificate PDF file

Download Appdome’s Certified Secure Certificate (JSON file)

You can send a GET request to download Appdome Certified Secure (JSON file) of your secured app.

URL	`https://fusion.appdome.com/api/v1/tasks/<parent_task_id>/certificate-json`
Method	GET
Headers	Authorization:<API Token>
API Description	Download Appdome’s secured certificate (JSON file) of your secured app, identified by its task ID
CURL Example	`curl -X GET -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/tasks/lix-X4WwvH6joI9DqjdlnQ/certificate-json`
Response Format	The Certified Secure certificate JSON file

How to Validate the Certified Secure Certificate

You can send a POST request to verify the Certified Secure certificate for the secured app.

URL	`https://fusion.appdome.com/api/v1/verify-certificate`
Method	POST
Content-Type	multipart/form-data
Headers	Authorization:<API Token>
Payload Format	(in form format:) `-F task_id=<Task ID>//(from the Upload task response) -F file= <the Secured certificate PDF file>`
API Description	Verify the Certified Secure certificate for the secured app
CURL Example	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -F task_id=lix-X4WwvH6joI9DqjdlnQ -F file=@<path to file> -H 'content-type: multipart/form-data' https://fusion.appdome.com/api/v1/verify_certificate`
Response Format	`{ "verify": true/Certificate is not valid for this task_id}`

Download and Deploy Apps using the Appdome REST API

Once your app is signed or sealed, you can download your secured app using the Download GET request. The Task ID is sent in the URL:

URL	`https://fusion.appdome.com/api/v1/tasks/<task_id>/output`
Method	GET
Headers	Authorization:<API Token>
API Description	Allows you to get the download an Appdome-built app.
CURL Example	OUTPUT_PATH=`echo ` && curl -X GET -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" https://fusion.appdome.com/api/v1/tasks/lix-X4WwvH6joI9DqjdlnQ/output --output $OUTPUT_PATH
Response Format	Binary file

If you used Automatic Signing, you can also automatically deploy the app using the API. First, make sure you configure the automatic deployment parameters in the Deploy page on the Platform.

To send a deployment request for any type of deployment, other the Apple’s Appstore, use this API request:

URL	`https://fusion.appdome.com/api/v1/tasks`
Method	POST
Content-Type	application/json
Headers	Authorization:<API Token>
Payload Format	`{"parent_task_id": Fusion Task ID, "action": "deploy" }`
API Description	Allows you to deploy an Appdome-build (Automatically signed) mobile app
CURL Example	`curl -X POST -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -d '{"parent_task_id": "lix-X4WwvH6joI9DqjdlnQ", "action": "deploy"}' -H 'content-type: application/json' https://fusion.appdome.com/api/v1/tasks`
Response Format	The JSON response from the relevant store

To deploy your app to Apple’s Appstore, due to Apple’s requirements, you can download a script that will perform this from your Mac, using this API. The Task ID is sent in the URL:

URL	`https://fusion.appdome.com/api/v1/tasks/<task_id>/deploy_script`
Method	GET
Content-Type	application/json
Headers	Authorization:<API Token>
API Description	It allows you to download a script for deploying apps to the Appstore.
CURL Example	`curl -X GET -H "Authorization: dkG90pp9LPsXUC_pPWO0qA" -H 'content-type: application/json' https://fusion.appdome.com/api/v1/tasks/lix-X4WwvH6joI9DqjdlnQ/deploy_script`
Response Format	A bash script for deploying an app to the App Store.

How To Learn More

Check out Appdome Platform, or learn more about Appdome-DEV REST API and Appdome-DEV.

You can also use our API requests Postman Collection.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.