Appdome ONEShield Mobile App Hardening

Protect mobile apps with App Hardening, Code Obfuscation, Anti-Tampering, Anti-Debugging, Anti-Reversing, and more.

This Knowledge Base article explains how you can use Appdome’s no-code mobile app hardening to fully protect and harden any mobile app without code or coding.

We hope you find it useful and enjoy using Appdome!

About ONEShield Mobile App Hardening

ONEShield™ is Appdome’s set of advanced mobile app hardening features, including anti-tampering, anti-debugging, and anti-reversing protections, among others, making Appdome the single most comprehensive solution to protect mobile apps.

The Appdome platform adds ONEShield™ to every app our customers build on Appdome, so every app is equipped with advanced mobile app hardening automatically! Whether you’re building Appdome Mobile Security Suite, EMM SDKs, or an Identity SDK, your app will automatically be protected with ONEShield advanced app shielding.

The app you are building on Appdome can be built with any native tool, such as Xcode for iOS or Android Studio, or any other framework, including hybrid and cross-platform frameworks such as Xamarin, Cordova, React Native, and Flutter. ONEShield™ by Appdome supports only ARM 64-bit architectures.

Follow these step-by-step instructions to add ONEShield™ to Any Mobile App in seconds.

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

  1. Click the Build tab.
  2. In the top menu, select any category (e.g., Security, Management, Access, Identity, Mobile Threat, etc.).
  3. (Optional) Switch on the feature and add any configuration or input requirements (if needed).
  4. Click Build My App.

Appdome ONEShield Mobile App Hardening and App Shielding

ONEShield™ includes all of the following app hardening features: 

1. Mobile Anti-Debugging

Anti-Debugging will do the following, depending on the platform:

  • iOS: Connecting a debugger will cause the debugging client (lldb) to halt.
    • After a sufficient wait time, the debug session will terminate and the debugger will crash.
  • Android:
    • Attempting to attach to the process with a debugger, tracing tool, or code injector will result in the app misbehaving in random and unpredictable ways. The app will eventually terminate.
    • Attempting to debug the Java Virtual Machine (JVM) using JDB (or anything that utilizes the JDWP protocol) will disconnect the debugger automatically.

2. Detect Debugger Code Manipulations

During the app run-time, Appdome will actively detect and block any code manipulations performed by debuggers on the protected app.

3. Mobile Anti-Tampering

Anti-Tampering – Protects against all of the following:

4. Prevent running on Simulators 

A common method for attackers to compromise mobile apps is to run the app on a simulator and observe the app’s behaviors and study how it functions in a running environment (a process called dynamic code analysis). Appdome detects when the app is running on a simulator and disconnects the app. 

5. Checksum Validation 

Calculates a cryptographic hash (a unique fingerprint of information, binary data, and assets) and validates the hash at runtime, detecting any modifications to the app, app resources, configuration elements and more.
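The build-time hash and runtime validation described above, sketched as an added example (not Appdome's implementation or code from this article). The file names, the sample app tree and the manifest layout are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Build-time step: map each file's relative path to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Runtime step: report files that were modified, removed or added."""
    current = build_manifest(root)
    modified = sorted(n for n in manifest if n in current
                      and not hmac.compare_digest(manifest[n], current[n]))
    return {"modified": modified,
            "missing": sorted(set(manifest) - set(current)),
            "added": sorted(set(current) - set(manifest))}


def demo() -> dict:
    """Constructed sample tree: record hashes, change the tree, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "assets").mkdir()
        (root / "assets" / "config.json").write_text('{"api": "https://api.example.test"}')
        (root / "classes.dex").write_bytes(b"constructed-dex-bytes")
        (root / "icon.png").write_bytes(b"constructed-png-bytes")
        manifest = build_manifest(root)
        clean = verify(root, manifest)
        # Simulate post-build changes the runtime check should catch.
        (root / "assets" / "config.json").write_text('{"api": "https://other.example.test"}')
        (root / "icon.png").unlink()
        (root / "lib_extra.so").write_bytes(b"constructed-extra-bytes")
        return {"clean": clean, "tampered": verify(root, manifest)}


if __name__ == "__main__":
    print(demo())
```

A check like this is only as strong as the protection of the manifest itself, so the reference hashes need to be signed or embedded where a modified build cannot simply regenerate them.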

6. App Integrity and Structure Scan

Checks the app’s composition, data structure, data elements, and communication paths to validate the integrity and authenticity of the app, as well as to detect elements within the app that could be used as attack vectors (such as unknown or malicious URLs).
Appdome looks for weakening elements in the application such as malicious URLs.

7. Mobile Anti-Reversing

  • In iOS apps, this feature obfuscates selector references in the main executable (which prevents cross-reference searches).
  • In Android apps, this feature obfuscates all plaintext strings in DEX files.

8. Obfuscate built Services

Obfuscates Appdome’s code AND the new customer selected services added to the app during Fusion. In addition, the data embedded in Appdome’s code will be encrypted, to prevent common “recon” attacks (like searching for strings in the code).

*Note: 3rd party services will not be obfuscated. For example, the code responsible for TOTALData™ Encryption will be obfuscated, while for VMware Workspace ONE (AirWatch) only the adapter code that glues the SDK to the application will be obfuscated; the VMware Workspace ONE (AirWatch) code itself will remain as it is.

After you have made your selections, click Build My App and in about 20 – 40 seconds your app will be protected with ONEShield™.

After Adding ONEShield™ to a Mobile App on Appdome

After you have added ONEShield™ to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.

Add Context™ to the Appdome-Built App

Appdome is a full-featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the app.
For more information on the range of options available in Context™, please read this knowledge base article.

Sign the Appdome-Built App (Required)

In order to deploy an Appdome-Built app, the app must be signed. Signing iOS apps and Signing Android apps on Appdome is easy. Alternatively, you can use Private Signing, download your unsigned app and sign locally using your own signing methods.

Deploy the Appdome-Built App to a Mobile Device

Once you have signed your Appdome-Built app, you can deploy it using your distribution method of choice. For more information on deploying your Appdome-Built apps, please read this knowledge base.

That is it – Enjoy Appdome’s ONEShield™ protection in your app!

How Do I Learn More?

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Paul Levasseur
