Building an App

This topic provides a detailed explanation of the process of building an app on the Appdome platform with your selected defenses.

For the Appdome Python library example, refer to the snippet at the bottom.

Important

If you have not yet created a fusion set, this can be done only via the platform. As this is the last time you will need to visit the platform UI, you are strongly advised to perform this process before running the API calls.

Caveats

  • Remember to visit the platform to obtain your API key and fusion_set_id parameters. If you are working with a team, you also need to get the team_id. For details, see the Getting started section.

This process consists of two steps that should be performed in the following order:

  • POST request to Appdome to send the app_id obtained from the upload process, the fusion_set_id obtained from the platform, the action parameter with a value of build, and optionally an overrides JSON object, detailed on the Build an app API reference page.
  • GET request to check the task status. Poll this request and wait until the request status is success before proceeding to the next action.

The process

Note that the scripts use variables such as API_KEY, FUSION_SET_ID, BUILD_OVERRIDES, and TEAM_ID. Ensure that you update these variables accordingly.

  1. Obtain the task ID and assign it to the task_id variable for later use.
BUILD_OVERRIDES='{"user_agent":"...","user_agent_value":"..."}'

task_id=$(
    curl -s --request POST \
      --url "https://fusion.appdome.com/api/v1/tasks" \
      --header "Authorization: $API_KEY" \
      --header 'accept: application/json' \
      --header 'content-type: multipart/form-data' \
      --form action=fuse \
      --form fusion_set_id="$FUSION_SET_ID" \
      --form app_id="$(echo "$app" | jq -r .id)" \
      --form overrides="$BUILD_OVERRIDES" |
      jq -r .task_id
  )
  2. Declare a function that will perform the polling operation and notify when the task status is completed.
    Note that the task may fail with a status of error and a message property that describes why the task failed. This message can help you resolve the issue before building again.
# Poll the task status until it is no longer "progress".
statusWaiter() {
  local task_id=$1
  local team_id=$2
  status="progress"   # left global so the caller can inspect the final status
  while [[ $status == "progress" ]]; do
    status=$(curl -s --request GET \
      --url "https://fusion.appdome.com/api/v1/tasks/$task_id/status?team_id=$team_id" \
      --header 'Content-Type: application/json' \
      --header "Authorization: $API_KEY" |
      jq -r '.status')
    sleep 0.5
  done
}

statusWaiter "$task_id" "$TEAM_ID"

At this point, if the status inside statusWaiter is completed, you have successfully built an app with your fusion set.
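
The polling step above, as an added example that is not Appdome's own script: a variant of statusWaiter that stops on the error status described in the note, reports its message, and gives up after a bounded number of polls instead of looping or exiting silently. The names wait_for_task, fetch_status_fields, MAX_POLLS and POLL_INTERVAL are hypothetical, and the code assumes the status response carries .status and, on failure, .message as this page describes; it accepts both completed and success as the finished state because the page uses both words.

```shell
#!/bin/sh
# Added example, not Appdome's script. Assumes the status response has .status
# and, on failure, .message, as this page describes. The function names,
# MAX_POLLS and POLL_INTERVAL are hypothetical.

# Print "<status> <message>" for one task (needs curl and jq). A response
# without .status yields "unknown"; a failed request yields no output.
fetch_status_fields() {
  curl -sS --max-time 30 --request GET \
    --url "https://fusion.appdome.com/api/v1/tasks/$1/status?team_id=$2" \
    --header 'accept: application/json' \
    --header "Authorization: $API_KEY" |
    jq -r '"\(.status // "unknown") \(.message // "")"'
}

# Return 0 when the build finished, 1 when it failed, 2 on timeout.
# The body runs in a subshell so no variables leak into the caller.
wait_for_task() (
  polls=0
  while [ "$polls" -lt "${MAX_POLLS:-120}" ]; do
    fields=$(fetch_status_fields "$1" "$2") || fields=""
    read -r status message <<EOF
$fields
EOF
    case $status in
      completed|success) return 0 ;;
      progress|"") ;;   # still building, or the poll itself failed: try again
      *) echo "task $1 stopped with status '$status': $message" >&2
         return 1 ;;
    esac
    polls=$((polls + 1))
    sleep "${POLL_INTERVAL:-5}"
  done
  echo "task $1 still in progress after $polls polls" >&2
  return 2
)

# Usage: wait_for_task "$task_id" "$TEAM_ID" || exit 1
```

A non-zero return lets a CI job stop before the signing step rather than continue with an app that was never built.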

From here, you may proceed to add context (optional) or sign an app.

Appdome Python library example

python3 build.py --app_id <app_id_value> --fusion_set_id <fusion_set_id_value> --build_overrides <overrides_json_file>

Overrides

Fuse tasks support overrides, enabling you to surgically modify fusion set values specific to that task.

Overrides, typically JSON primitives, are passed as a string to the overrides form property. Files can also be included as overrides.

When you provide a file or override a value already present in the fusion set, the object is deeply merged.

Here's how to pass overrides without files:

--form overrides='{"plugin_good_app_version" : ""}'

To merge an object with a file:

--form overrides='{
  "mitm_host_server_pinned_certs_list": [
    {
      "value": {
        "mitm_host_server_pinned_certs_type": "no_pinning",
        "mitm_host_server_pinned_certs_domain": "{URL}",
        "mitm_host_server_pinned_certs_file_filename": "{filename}"
      }
    }
  ]
}'
--form 'mitm_host_server_pinned_certs_list[0].value.mitm_host_server_pinned_certs_file_content=@/Users/johndoe/Downloads/cert.pem'

To update only the certificate within an object, specify just the certificate with the correct index:

--form 'mitm_host_server_pinned_certs_list[0].value.mitm_host_server_pinned_certs_file_content=@/Users/johndoe/Downloads/cert.pem'

You can pass multiple files, and their content will be replaced based on their index. If a certificate with a given index doesn't exist, the value is ignored:

--form 'mitm_host_server_pinned_certs_list[0].value.mitm_host_server_pinned_certs_file_content=@/Users/johndoe/Downloads/cert.pem'
--form 'mitm_host_server_pinned_certs_list[1].value.mitm_host_server_pinned_certs_file_content=@/Users/johndoe/Downloads/cert1.pem'

# Will be ignored, as our fusion set only has 2 certs configured
--form 'mitm_host_server_pinned_certs_list[2].value.mitm_host_server_pinned_certs_file_content=@/Users/johndoe/Downloads/cert2.pem'

Passing certificates is also possible for the Mobile Anti Bot list:

--form 'mobile_anti_bot_list[0].value.payload_signing_key_app_specific=@/Users/johndoe/Downloads/cert1.pem'

Note: Indices are zero-based.