# Configuration
# Installing AppSealing CLI Tool
Extract the compressed file to the preferred directory and grant authorization.
For Unix:
# mkdir /opt/appsealing
# cd /opt/appsealing
# unzip SealingTool.zip
# rm -rf SealingTool.zip
# cd ..
# chmod -R 750 appsealing/
# chown -R 6jenkins:6jenkins appsealing/
For Windows:
# AppSealing CLI Tool Verification
The following command verifies the tool. The tool is valid when the 'jar verified' message is displayed.
#jarsigner -verify -verbose -certs /opt/appsealing/sealing.jar_ |
# AppSealing Jenkins parameter settings
| Parameters | Definition | Type | Settings Value |
|---|---|---|---|
| AS_JAR_PATH <Required> | sealing.jar file path | String | ex) /opt/appsealing/sealing.jar |
| AS_URL <Required> | Sealing API URL | String | https://api.appsealing.com/covault/gw (opens new window) |
| AS_AUTH_KEY <Required> | Authentication key | String | ( Provided separately ) |
| AS_SRC_APK <Required> | original APK/AAB file path | String | ex)./source/application.apk |
| AS_SEALED_APK <Required> | Path to save the Sealed APK/AAB file | String | ex)./source/application_sealed.apk |
| AS_APP_TYPE | Sealing security service | ||
| - GAME : Game security service | |||
| - NON_GAME : Non-game security service | String | Default : GAME | |
| AS_SERVICE_VERSION | Sealing service version number | ||
| (aab sealing is supported on v2.21.0.0 or later) | String | Ex) 2.15.0.0 | |
| Default: latest | |||
| AS_DEPLOY_MODE <Required> | ** Deploy mode ** | ||
| # - test : AppSealing watermark displayed | |||
| # - release : No AppSealing watermark_ | Choice | {test / release} | |
| Default : test | |||
| AS_DEX_ENCRYPT | DEX encryption option | ||
| -no : DEX encryption not applied | |||
| -yes : apply DEX encryption | Choice | { no / yes } | |
| Default : no_ | |||
| AS_SELECTIVE_DEX_ENCRYPT | Selective Dex Encryption Option | ||
| (This option is Recognized only when the DEX encryption is applied.) | |||
| - no: encryption for whole dex files | |||
| - yes: encryption for some classes and packages | Choice | {no / yes} | |
| Default : no | |||
| AS_BLOCK_ENVIRONMENT | Emulator and root environment option | ||
| - emulator : Blocks app running on emulator | |||
| - rooting : Blocks app running on rooted device | |||
| - Supported emulator : BlueStacks, Nox_ | Extended choice | { emulator, rooting} | |
| _Default : not selected | |||
| AS_ALLOW_EMULATOR | Allow exceptional emulator when all emulator is blocked | ||
| - LDPlayer : Allow LDPlayer | |||
| - BlueStacks : Allow Bluestacks | |||
| - Nox : Allow Nox app player- Other emulators will be supported in future | Extended choice | { BlueStacks, Nox, LDPlayer } | |
| Default : not selected | |||
| The written tools will be allowed. | |||
| AS_BLOCK_WORK_PROFILE | Work profile option(Block app execution from work profile environment such as Samsung Secure folder) | ||
| - yes : Block app execution** | |||
| - no : Allow app execution ** | Choice | {yes / no} | |
| Default : yes | |||
| AS_ALLOW_WORK_PROFILES | Allow exceptional work profiles when all work profiels are blocked. | ||
| - Samsung SecureFolder | |||
| - Google FamilyLink. | |||
| Extended Choice | {Samsung SecureFolder, Google FamilyLink} | ||
| Default: not selected. | |||
| The written tools will be allowed. | |||
| AS_BLOCK_KEYLOGGER | Key logger block option | ||
| - yes :Block app running with key logging tool | |||
| - no : Allow app running with key logging tool | Choice | {yes / no} | |
| Default : no | |||
| AS_HIDE_OVERLAY_WINDOWS | Hide screen overlay option. This option is available from 2.30.0.0, and this option will work from Android 12 device. | ||
| - yes :Hide overlay windows on sealed app | |||
| - no : Allow overlay windows on sealed app | Choice | {yes / no} | |
| Default : no | |||
| AS_ALLOW_EXTERNAL_TOOL | Macro and network tool option | ||
| - macro : Allow macro tools | |||
| - sniff : Allow packet sniffing and spoofing tools | Extended Choice | {macro, sniff} | |
| Default: not selected. The written tools will be blocked. | |||
| AS_SERVICE_TYPE | AppSealing service type options | ||
| - HYBRID_AOS : Hybrid AppSealing. React Native, Ionic, Cordova Framework should use this option. | |||
| - NATIVE_AOS :Native AppSealing.If your app is not the HYBRID_AOS type, currently this option is not required. | Choice | { HYBRID_AOS / NATIVE_AOS } | |
| Default : NATIVE_AOS | |||
| AS_FRAMEWORK | Your App's framework | ||
| - Hybrid Frameworks should explicitly use this option | |||
| - **REACT_NATIVE: Use this when you are uploading React Native app. | |||
| - IONIC: Use this when you are uploading Ionic app. | |||
| - CORDOVA: Use this when you are uploading Cordova app. | Choice | {REACT_NATIVE / IONIC / CORDOVA} | |
| Default : not selected | |||
| AS_APP_SIGNING | Automatic app signing option after sealing | ||
| App-signing can be applied along with sealing. | |||
| - none : Only sealing is applied without additional app signing. | |||
| - appsealing_key : After sealing, it is signed with the appsealing signing key. (For development) In case of AAB package, this option applies as 'none' value and the app is unsigned.) | |||
| - registered_key : After sealing, it is signed with the app signing key registered with the AppSealing Developer Console (ADC).(For distribution) | Choice | **{none / appsealing_key | |
| Default : none |
i* Provided separately and only the provided value must be used
_i** Must select only one value _
_i*** Multiple values can be selected by using delimiter __with ',' (comma). Default value is None(Empty String)
[Required] Parameter must be configured and Default value is not configured**
# Examples of parameter type settings
Figure 2‑1 String type parameter setting
Figure 2‑2 Option type parameter setting
Figure 2‑3 Extended option type setting
# Execution Script Configuration
# Linux & Mac
java -jar ${AS_JAR_PATH} -url ${AS_URL} -authkey ${AS_AUTH_KEY} -srcapk ${AS_SRC_APK} -sealedapk ${AS_SEALED_APK}
-deploymode ${AS_DEPLOY_MODE} -block_environment ${AS_BLOCK_ENVIRONMENT} -allow_emulator ${AS_ALLOW_EMULATOR} -allow_external_tool ${AS_ALLOW_EXTERNAL_TOOL} -dex_encrypt ${AS_DEX_ENCRYPT}
-select_dex_encrypt #{AS_SELECTIVE_DEX_ENCRYPT} -service_version ${AS_SERVICE_VERSION} -app_type ${AS_APP_TYPE} -allow_external_tool ${AS_ALLOW_EXTERNAL_TOOL} -block_work_profile=${AS_BLOCK_WORK_PROFILE} -allow_work_profiles=${AS_ALLOW_WORK_PROFILES} -block_keylogger=${AS_BLOCK_KEYLOGGER} -service_type ${AS_SERVICE_TYPE} -framework ${AS_FRAMEWORK} –app_signing ${AS_APP_SIGNING}
Figure 3‑4 Linux & Mac shell script example
# Windows
java -jar %AS_JAR_PATH% -url %AS_URL% -authkey %AS_AUTH_KEY% -srcapk %AS_SRC_APK% -sealedapk %AS_SEALED_APK% -deploymode %AS_DEPLOY_MODE% -block_environment %AS_BLOCK_ENVIRONMENT% -allow_emulator %AS_ALLOW_EMULATOR% -allow_external_tool %AS_ALLOW_EXTERNAL_TOOL% -dex_encrypt %AS_DEX_ENCRYPT%} -select_dex_encrypt %AS_SELECTIVE_DEX_ENCRYPT% -service_version %AS_SERVICE_VERSION% -app_type %AS_APP_TYPE% -allow_external_tool %AS_ALLOW_EXTERNAL_TOOL% -block_work_profile %AS_BLOCK_WORK_PROFILE% -allow_work_profiles=%AS_ALLOW_WORK_PROFILES% -block_keylogger=%AS_BLOCK_KEYLOGGER% -service_type %AS_SERVICE_TYPE% -framework %AS_FRAMEWORK% -app_signing %AS_APP_SIGNING%E% -framework %AS\_FRAMEWORK% -app\_signing %AS\_APP\_SIGNING%
Figure 3‑5 Windows batch command script example
# Example of configured screen
Figure 3‑6 Jenkins Build example
# Configuring execution script using the configure file
This feature can be used starting from AppSealing CLI Tool version 2.0.5 or above. The file name is in 'config.txt' and the format is in as shown below.
###############################################
#### AppSealing Configuration File ####
###############################################
# Usage example
# $ java -jar sealing.jar -config ./config.txt
###############################################
### AppSealing CLI Tool Parameter #####
###############################################
# Sealing API URL
url=https://api.appsealing.com/covault/gw
# AppSealing Authentication Key (Enterprise authentication key)
authkey=#####put_your_unique_key_phrase_here#####
# Original source APK/AAB file path (File path of original APK/AAB)
srcapk=#####put_your_original_apk_file_path_here#####
# Sealed APK/AAB file path (Save path for Sealed APK/AAB)
sealedapk=#####put_your_sealed_apk_file_path_here#####
# Deploy mode { release | test }
deploymode=#####put_your_deploy_mode_value_here#####
# Emulator and root device option { emulator, rooting }
block_environment=#####put_your_block_emulator_rooting_rule_value_here#####
# Allow emulator exceptionally when you block emulators { BlueStacks, Nox, LDPlayer, ...}
allow_emulator=#####put_your_block_emulator_rooting_rule_value_here#####
# Allow apps to run in environments with external tools installed option { macro, sniff }
allow_external_tool=#####put_your_allow_external_tool_rule_value_here#####
# Work profile block option( yes, no )
block_work_profile=#####put_your_block_work_profile_option_value_here#####
# Allow Work profile exceptionally when you block workprofiles set yes.( Google FamilyLink, Samsung SecureFolder )
allow_work_profiles=#####put_your_allow_work_profiles_option_value_here#####
# Allow apps to run in environments with keylogger installed { yes, no }
block_keylogger=#####put_your_block_keylogger_here#####
# DEX encryption option { no | yes }
dex_encrypt=####put_your_dex_encrypt_value_here####
# Enable to select partial dex encryption option { no | yes }
select_dex_encrypt=####put_your_select_dex_encrypt_value_here####
# Sealing service version (When you request to seal for AAB, you must set service version 2.21.0.0 or later)
# Hybrid versions are different from Native service, you need
service_version=####put_your_sealing_service_version_value_here####
#app_type { GAME | NON_GAME }
app_type=####put_your_app_type_value_here####
# AppSealing service type (Required for Hybrid) { NATIVE_AOS | HYBRID_AOS } ( default : NATIVE_AOS )
service_type=####put_your_service_type_value_here####
# App Build Framework (Required for Hybrid) { REACT_NATIVE | IONIC | CORDOVA }
Framework=####put_your_framework_value_here####
# App Signing Option for sealing app { none | appsealing_key | registered_key } (default : none)
# none : AppSealing has been applied, but it has not been signed. In order to install it on the device or
# distribute ito the store, developer must sign it with a signing key.
# appsealing_key : AppSealing is applied and signed with the debug key. The signed app can be installed
# on the device and tested during development (evaluation) stage, but in order to distribute it
# to the store, developer must use the signed app with the distribution key. In case of AAB
# package, this option applies as ‘none’ value and the app is unsigned.
# registered_key : AppSealing is applied and signed with a pre-registered key. To use this option,
# developer must pre-register the key to be used for app-signing in the AppSealing Developer
# Console (ADC). Developers can download signed app that with distribution signing key.
# ('upload-key' if 'Google Play Signing is applied.)
app_signing=####put_your_app_signing_value_here####
#####put_your_Enter the parameter value here.
Tip :
Sealing option can be configured using both the configuration file and the execution script file. Use configuration file to configure options that are fixed and use parameters for options that are changed frequently. (Duplicated options in both execution script and configuration file will be Sealed with the option configured in parameter. The parameter in the execution script has the higher priority than the one in the configure file.)
# Example of execution script for Native AppSealing
Native app: App build with general Android Studio, Flutter, Unity, or Unreal engine. Ex) using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows,
Batch command example)
java -jar %AS_JAR_PATH% -config %AS_CONFIG_FILE_PATH% -srcapk %AS_SRC_APK% -sealedapk %AS_SEALED_APK%
Config.txt Example)
###############################################
### AppSealing CLI Tool Parameter #####
###############################################
# Sealing API URL
url=https://api.appsealing.com/covault/gw
# AppSealing Authentication Key (Enterprise authentication key)
authkey=123456789ABCDE
# Original source APK/AAB file path (File path of original APK/AAB)
srcapk=D:\\APKS\\APPLICATION.APK
# Sealed APK/AAB file path (Save path for Sealed APK/AAB)
sealedapk=D:\\APKS\\APPLICATION_SEALED.APK
# Deploy mode { release | test }
deploymode=release
# Emulator and root device option { emulator, rooting }
block_environment=emulator, rooting
# Allow emulator exceptionally when you block emulators { BlueStacks, Nox, LDPlayer, ...}
allow_emulator=BlueStacks, Nox, LDPlayer
# Work profile block option( yes, no )
block_work_profile=yes
# Allow work profiles exceptionally when you block work profiles { Google FamilyLink, Samsung SecureFolder}
allow_work_profiles=Google FamilyLink, Samsung SecureFolder
# Allow apps to run in environments with keylogger installed { yes, no }
block_keylogger=no
# Allow apps to run in environments with external tools installed option { macro, sniff }
allow_external_tool=macro, sniff
# DEX encryption option { no | yes }
dex_encrypt=no
# Enable to select partial dex encryption option { no | yes }
select_dex_encrypt=no
# Sealing service version (When you request to seal for AAB, you must set service version 2.21.0.0 or later)
service_version={native version number}
# App_type { GAME | NON_GAME }
app_type={app_type}
# App Signing Option for sealed app {none | appsealing_key | registered_key } (default : none)
app_signing=none
Notice: For Windows Platform, double file separator must be used in path configuration. Ex) D:\AppSealing\sealing.jar
# Example of execution script for Hybrid AppSealing
Hybrid app: App built with ReactNative, Ionic or Cordova.
Ex) using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows, for ReactNative app.
Batch command example)
java -jar %AS_JAR_PATH% -config %AS_CONFIG_FILE_PATH% -srcapk %AS_SRC_APK% -sealedapk %AS_SEALED_APK%
Config.txt Example)
###############################################
### AppSealing CLI Tool Parameter #####
###############################################
# Sealing API URL
url=https://api.appsealing.com/covault/gw
# AppSealing Authentication Key (Enterprise authentication key)
authkey=123456789ABCDE
# Original source APK/AAB file path (File path of original APK/AAB)
srcapk=D:\\APKS\\APPLICATION.APK
# Sealed APK/AAB file path (Save path for Sealed APK/AAB)
sealedapk=D:\\APKS\\APPLICATION_SEALED.APK
# AppSealing service type { NATIVE_AOS | HYBRID_AOS } ( default : NATIVE_AOS )
service_type=HYBRID_AOS
# App’s Framework { REACT_NATIVE | IONIC | CORDOVA }
framework=REACT_NATIVE
# Deploy mode { release | test }
deploymode=release
# Emulator and root device option { emulator, rooting }
block_environment=emulator, rooting
# Allow emulator exceptionally when you block emulators { BlueStacks, Nox, LDPlayer, ...}
allow_emulator=BlueStacks, Nox, LDPlayer
# Work profile block option( yes, no )
block_work_profile=no
# Allow apps to run in environments with keylogger installed { yes, no }
block_keylogger=no
# Allow apps to run in environments with external tools installed option { macro, sniff }
allow_external_tool=macro, sniff
# DEX encryption option { no | yes }
dex_encrypt=no
# Enable to select partial dex encryption option { no | yes }
select_dex_encrypt=no
# Sealing service version ( AppSealing’s hybrid version is different from native security service’s)
service_version={hybrid version number}
# App_type { GAME | NON_GAME }
app_type={app_type}
# App Signing Option for sealed app {none | appsealing_key | registered_key } (default : none)
app_signing=none
Notice: For Windows Platform, double file separator must be used in path configuration. Ex) D:\AppSealing\sealing.jar