Basic Operation

The aabdefender tool operates on Android Application Bundles. As much as possible of the bytecode in the base module of the bundle is translated to native code, and protection added similarly as with the apkdefender tool.aabdefender tool takes an unprotected Android Application Bundle (AAB) as input and produces a corresponding protected bundle as the output. The protected bundle file will be named <original-name>-protected.aab and placed in the same directory as the original bundle.

As with apkdefender tool, there are a number of conditions that prevent translation of specific classes and methods. Some of those methods are detected and excluded from translation by default, but often, exclusion of some additional packages, classes, or methods must be configured to maintain the application stability.

The final signing certificate should be given in the configuration for full application integrity protection. Only RSA certificates are supported, and the certificate must be given in DER or PEM format. The certificate fingerprint enables verifying each module included in the bundle. The final protected Application Bundle is always unsigned, and must be signed separately with an upload key.

aabdefender provides informational output from the execution steps to the stdout. More extensive debug output is collected to aabdefender.log file in the current working directory.

aabdefender operation is controlled with configuration directives given via command line and a JSON configuration file.

Invoking the Tool from the Command Line

The aabdefender tool offers a command line interface. The following examples demonstrate the tool usage on Linux.

To generate a new sample configuration:aabdefender -b new-config app-release.aab

A sample configuration JSON file is generated, with a protection scope derived from the application activities.

Note

The produced scope must be validated, and the signing_certificate option value must be added before use.

To protect the application bundle, execute the following command:

aabdefender -c <path-to-configuration-file> app-release.aab

A protected application app-release-protected.aab is produced.

Command Line Options

The supported command line options are listed in the following table:

Option / Flag	Requirement	Description
`-c`, `--configuration-file`	Mandatory	Path to the JSON configuration file.
`-m`, `--mapping-file`	Mandatory	Path to the R8 mapping file. For more details, see R8 mapping file support.
`-b`, `--build-mode`	Optional	Build mode options: - `new-config`: Generate a new sample configuration JSON file. Requires the signing_certificate value to be set before use. - `check-protection-status`: Verifies if the application is already protected.
`-w`, `--working-directory`	Optional	Absolute path to a working directory where temporary build files will be created.
`-G`, `--generate-report`	Optional	Outputs a protection report file under the working directory named like: `<app-filename>-efficacy_report-<timestamp>.json`, e.g., `app-release.apk-efficacy_report-2024-06-24T11-30-52Z.json`.
`-v`, `--version`	Optional	Outputs apkdefender tool version information and build date.

JSON Configuration File

A sample of the supported configuration file format and options is given below.

 {
        "general_configuration": {
            "enable_debugger_detection": true,
            "enable_root_detection": false,
            "signing_certificate": "./rsa-cert.bin",
            "library_name": "sample_library"
        },
        "protection_scope": {
            "exclude_classes": [],
            "exclude_methods_from_translation": [],
            "exclude_packages": [],
            "exclude_translated_methods_from_wiping": [],
            "include_packages": []
        }
    }

The configuration file format type is JSON. The allowed elements are explained in the tables below. If an optional element is not given, the tool will use the specified default value.

General Configuration
Network Security Configuration
Protection Scope
Renaming Scope

General Configuration

Option	Required	Description
library_name	Mandatory	String Specifies the library name for the native library that `apkdefender` generates. The name should be given without the `"lib"` prefix and `".so"` suffix.
signing_certificate	Mandatory	Array or String A file path or list of file paths to one or more signing certificates (RSA only, in DER or PEM format). Required for full application integrity verification. At least one signing certificate is required for binding. If using Google Play Signing, the signing certificate provided by Google must be given. This is not the same as the developer certificate used to sign the application before Google Play Store upload.. An optional secondary certificate can be provided for local signing and testing.
signing_certificate_fingerprint	Optional	String Recommended to use the `signing_certificate` option, but this may be used when only the certificate fingerprint is available (e.g., with an external distribution signing system). Note that in this case it is not possible to verify the signing algorithm, but the requirement still applies.
enable_require_v3_signature	Optional	Boolean – Set to `true` to prevent fallback to older, less secure signature schemes if v3 signature block does not exist.
enable_asset_encryption	Optional	Boolean – Set to `true` to enable asset encryption. Disabled by default.
enable_resource_encryption	Optional	Boolean – Set to `true` to enable resource strings encryption. String resources from the application are encrypted, excluding any strings that are nested inside other resource types or referenced from the Android manifest. Resource encryption is disabled by default.
enable_debugger_detection	Optional	Boolean – Set to `false` to disable debugger detection. If debugger detection is enabled, protecting an app marked as debuggable in `AndroidManifest.xml` is not allowed. Enabled by default.
enable_strace_detection	Optional	Boolean – Set to `true` to enable `strace` system call and signal tracing utility detection. Cannot be enabled if the application is allowed to run on emulators. Requires `enable_debugger_detection` to also be enabled. Disabled by default.
enable_heuristics_debugger_detection	Optional	Boolean – Set to `true` to enable advanced anti-debugging using heuristics to detect `ptrace` attacks, even on devices using advanced hiding techniques. Disabled by default.
enable_method_wiping	Optional	Boolean – Set to `false` to disable method wiping. If method wiping is enabled, translated static methods that are never invoked from bytecode methods are fully removed. Enabled by default.
enable_root_detection	Optional	Boolean – Set to `true` to enable root/jailbreak detection. If an attempt is made to run the protected application on a rooted device, it will exit. Requires `enable_debugger_detection`. Disabled by default.
root_detection_action	Optional	String – Action on root detection: `report`, `exit`, or `report_and_exit`. `report`: Notify via in-app callback and/or the monitoring service. `exit`: Immediately exit the app `report_and_exit`: Report and then exit. Default is `exit`.
system_integrity_root_certificates	Optional	Array – Path to additional accepted root certificate files in PEM format for system integrity verification. By default only the Google certificates are included. Configuring custom root certificate is needed for any environment that is not CTS compliant.
system_integrity_product_whitelist	Optional	Array – Specifies `ro.build.product` property values for devices exempted from system integrity verification. All other devices still undergo verification.
system_integrity_mode	Optional	String – System integrity verification mode: `strict`: Only TEE-based verification is accepted. `default`: Allows software-based attestation for Android devices before version 8. `basic`: Software based attestation is more widely allowed. Certain attestation flow failures are ignored for older devices.
enable_emulator_detection	Optional	Boolean – Set to `false` to allow running on an emulator. Emulator use is blocked by default.
emulator_detection_action	Optional	String – Behavior when emulator is detected: `report`: Notify via event callback. `exit`: Immediately exit the app. `report_and_exit`: Notify then exit. Warning: Emulator use should be considered a security breach. Configuring the report action is therefore not recommended. Default behavior is to exit.
enable_overlay_detection	Optional	Boolean – Set to `true` to enable notification that some other application is presenting content on top of the app display. The overlay protection is applied at Activity level, and it is possible to select the scope in with option from the application activities with the include_overlays option. The screen overlay detection is disabled by default.
overlay_detection_action	Optional	String – Action when screen overlay is detected: `report`: Notify via callback (see Event callback). `exit`: Exit the app. `report_and_exit`: Report then exit. Default is`report_and_exit`.
status_response_method	Optional	String – set the event callback method as an alternative to annotating the method in the source code. The method name must be given including the package namespace and class name. For inner classes, annotations must be used instead. For more details refer to Event Callback.
enable_wipe_string_fields	Optional	Boolean – Set to `false` to disable wiping of string field initializers from classes, whenever the class is in translation scope. The string field initializers cannot be wiped if reflection is used to them. retrieve Enabled by default.
enable_xamarin_protection	Optional	Boolean – Set to `true` to enable Xamarin for Android specific protection. Disabled by default.
enable_bytecode_literal_obfuscation	Optional	Boolean – Set to `true` to enable removal of bytecode literals. String literals are completely removed from the bytecode, and replaced with native lookup calls to get the string values from the native code. Int literals are obfuscated using control flow obfuscation with junk code injection, where the actual literal initialisation code path taken is determined using a native predicate function that is opaque to the bytecode level analysis. The scope of bytecode literal obfuscation is the untranslated plaintext bytecode within the protection scope. Literals within static class initializers are not obfuscated. Disabled by default.
enable_install_on_removable_media	Optional	Boolean – Set to `true` to allow installation of the app on removable media. Disabled by default.
enable_bytecode_renaming	Optional	Boolean – Set to `true` to enable renaming of bytecode identifiers. The scope is set in the `renaming_scope` section. Disabled by default.
enable_bytecode_visual_spoofing	Optional	Boolean Set to 'false' to disable invisible character usage with the bytecode renaming feature. Note: The invisible characters are not used when protecting in a macOS host, due to limitations in the platform filesystem.
enable_dex_encryption	Optional	Boolean Set to `false` to disable loading and executing Dalvik executable DEX bytecode dynamically from obfuscated static files. By default DEX encryption is automatically detecting the application compatiblity with the feature. Configuring this option disables auto-detection.
limit_allowed_installers	Optional	Array Define a list of package installers that are allowed as the installation source. Usually the allowed sources are application stores. For example ["com.android.vending" ] allows installation from Google Play Store only. An empty list does not place any restrictions. By default the installation source is not limited.
app_store_compatibility	Optional	String Enable APK distribution via non-Google systems. The supported value for this option is "Amazon". Note: Setting this option is exclusive, and other distribution systems then cannot be used for the protected application. By default the protection is compatible with the Google distribution system.
monitor_api_key	Optional	String API key to retrieve Monitoring service configuration. The key can be obtained from the App Shield Portal. The monitor_api_key corresponds to the appClientSecret field in the generated API key JSON.
monitor_api_key_id	Optional	String ID of the Monitoring service API key given with the option monitor_api_key . The monitor_api_key_id corresponds to the appClientId field in the generated API key JSON.
monitor_api_key_owner_email	Optional	String Email address connected to the account that was used to create the Monitoring service API key on Verimatrix Platform.
connection_whitelist	Optional	Array The list of allowed DNS names for connections. If the list is empty or unspecified, the feature is automatically disabled. This feature requires that the Monitoring service is enabled for the application, as any connection attempts to unauthorized DNS hosts are reported to the monitoring interface.
abis	Optional	Array With this option it is possible to define a list of application binary interfaces for which the application native libraries are built during protection. Support for any ABIs not in this list is dropped. By default the native libraries are built for all ABIs supported by the application.
enable_scope_autoconfiguration	Optional	Boolean This option enables automatic generating of the protection scope, producing a minimal stable scope based on Android application lifecycle hooks. The automatic scope generating is disabled by default.

Network Security Configuration

Option	Required	Description
certificate_pinning	Optional	Type: Array Configuration for domains with certificate pinning. For more information refer to Certificate pinning .
domain	Optional	Type: String The connection-specific destinations that given certificates are pinned to. Required if `certificate_pinning` is configured.
pins	Optional	Type: Array File paths to the pinned certificates. For a secure connection to be trusted, one of the public keys in the chain of trust must be in the set of pinned certificates. At least one certificate must be given if `certificate_pinning` is configured.
expiration	Optional	Type: Boolean The date when the pin expires and pinning is disabled. If not given, the pin does not expire.
subdomains	Optional	Type: Boolean Indicates whether subdomains are included in the pin. Set to `true` to match the domain rule also to all subdomains, including subdomains of subdomains. Otherwise the rule only applies to an exact match.
cleartext	Optional	Type: Boolean Indicates whether cleartext traffic is allowed to the pinned domain.

Protection Scope

Option	Required	Description
translated_packageless_classes	Optional	Type: Array Set to `true` to include classes that do not have a package in the translation scope. By default, packageless classes are not translated.
exclude_classes	Optional	Type: Array Matching classes are removed from the protection scope. Useful to exclude individual classes causing performance issues or other problems. Wildcards supported.
exclude_packages	Optional	Type: Array Matching packages are removed from the protection scope. Wildcards supported.
exclude_methods_from_translation	Optional	Type: Array Matching methods are excluded from translation. Wildcards supported.
exclude_translated_methods_from_wiping	Optional	Type: Array Matching methods are excluded from wiping. May be necessary for methods called by native libraries. Wildcards supported.
include_packages	Optional	Type: Array If specified, only listed packages are protected. Others are removed from the protection scope. Wildcards supported.
exclude_strings	Optional	Type: Array List any public string resource names to be blacklisted for encryption. In some cases it may be necessary to exclude any problematic string IDs manually to work around decryption problems. Wildcards are supported.
include_strings	Optional	Type: Array List any public string resource names to whitelist for encryption. Wildcards are supported.
exclude_assets	Optional	Type: Array List any assets to be blacklisted for encryption. In some cases it may be necessary to exclude problematic asset files manually to work around decryption problems. Wildcards are supported.
include_assets	Optional	Type: Array List any assets to be whitelisted for encryption. Wildcards are supported.
include_overlays	Optional	Type: Array The overlay protection is applied at Activity level. List the activities for which the protection is active. The activities must be present in the application bytecode.

Renaming Scope

Option	Required	Description
include_packages	Optional	Type: Arrays Only packages that match the specified list are included in the renaming scope. Wildcards are supported. By default the renaming scope is empty.
exclude_packages	Optional	Type: Arrays Matching packages are removed from the renaming scope that is defined in the include_packages option. Wildcards are supported.
keep_classes	Optional	Type: Arrays Original name is preserved for the matching classes in the renaming scope. Wildcards are supported.
keep_fields	Optional	Type: Arrays Original name is preserved for the matching fields in the renaming scope. Wildcards are supported.