Note: The latest $VERSION is 24.2.0
The Mobile Protect SDK for native Android apps is distributed via Maven. This document will take you through the steps to integrate SDK into your build system. For other guides, check out Mobile Protect Installation Guides
To fetch the Mobile Protect SDK for Android via Maven, an API key is needed. If you haven’t received an API key for Mobile Protect, please contact us.
Stating with v23, we introduced a new Gradle plugin, available on our Maven repository. This plugin now automatically installs required dependencies and is applied at the project level. You no longer need to manually install a jar.
Follow this documentation to install Mobile Protect v23 and this documentation to migrate from v22.
The installation guide for v22 is also available here.
Installing Mobile Protect SDK with Maven for v23 and above
This documentation will guide you through the installation of Mobile Protect, if you are already using an older version of Mobile Protect and wish to upgrade, follow the migration guide.
Step 1: Add the Mobile Protect Maven Repository
The Mobile Protect for Android SDK is hosted on a private Maven repository. To be able to fetch the dependency, you must first register the dependency within your Gradle manifest.
You will need to add our repository to the plugin repositories, and declare it in your settings.gradle file:
pluginManagement {
repositories {
mavenCentral()
gradlePluginPortal() //optional: depends on the plugin you are currently using
google()
//Mobile Protect Maven Repository
maven {
credentials {
//Leave the username as "MAVEN"
username "MAVEN"
password "$MOBILEPROTECT_REPO_API_KEY"
}
url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android"
}
}
}
Our plugin will then download its project dependencies so you will also need to add our repository to your project’s build.gradle file, add:
allprojects {
repositories {
mavenCentral()
google()
//Mobile Protect Maven Repository
maven {
credentials {
//Leave the username as "MAVEN"
username "MAVEN"
password "$MOBILEPROTECT_REPO_API_KEY"
}
url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android"
}
}
}
Note: If you use settings for dependency management (for ex. if you see the error “Build was configured to prefer settings repositories over project repositories”) the Data Theorem repository will need to be added in settings.gradle under dependencyResolutionManagement->repositories
Step 2: Configure the Mobile Protect API Key
If you chose to define the API key globally, you can add it to the global Gradle properties in ~/.gradle/gradle.properties (plaintext file) or in your local.properties with:
MOBILEPROTECT_REPO_API_KEY={MOBILEPROTECT_REPO_API_KEY}
Replacing {MOBILEPROTECT_REPO_API_KEY} with the Mobile Protect API key, which can be found in the mobile_protect_sdk_update_api_key.txt file from the zip downloaded in step 1. Do not wrap the key in any quote characters.
Note: If you chose the global option, make sure to set the environment variable GRADLE_USER_HOME to ~/.gradle.
That key is NOT SENSITIVE. The key is only used to download the Mobile Protect SDK, but cannot be used to pull any data from the app nor the backend. A different and more secure key is required for pulling data. It is safe to commit in your repository.
Step 3: Add the Mobile Protect Gradle Plugin
Declare the plugin within your project’s build.gradle as follows:
plugins {
id "com.dtplugin.mobileprotect" version("$VERSION")
// if you want to auto update to the latest use: version("+")
}
Note: If you encounter duplication issues because you have both TrustKit and MobileProtect, you can use the com.dtplugin.mobileprotect-notrustkit artefact and keep TrustKit as is.
Step 4: Add the Mobile Protect configuration
In the Android project, create the xml directory (/app/src/main/res/xml) if it does not exist. Then, copy the mobileprotect.xml config file into the xml resources folder.
The XML file contains an AUTH_TOKEN key; however, the key is NOT SENSITIVE. The key is only used to identify the data sent by Mobile Protect to the backend, but cannot be used to pull any data from the app nor the backend. A different and more secure key is required for pulling data. It is safe to commit and have the token in the .apk as it is used as an identifier, similar to Google's Firebase: https://firebase.google.com/docs/projects/api-keys
Step 5: Start Mobile Protect
Now you're ready to initialize the SDK. Within your application's main Application class, preferably in the onCreate() method, add the following initializing code:
MobileProtect.init(this, R.xml.mobileprotect);
Results
Please visit https://www.securetheorem.com/mobile/protect to see the list of your apps and the state of protection, along with the individual protection item details.
Optional: Add TrustKit certificate pinning
https://datatheorem.atlassian.net/servicedesk/customer/portal/1/article/2044461101
Optional: Enable static obfuscation
https://datatheorem.atlassian.net/wiki/x/EgDcgQ
Optional: Disable for specific tasks
If your app uses some other bytecode modifying tools such as Jacoco for code coverage, it might create conflicts, MobileProtect offers you the possibility to disable it for those specific tasks.
For example, to disable it when running gradle testCoverage, you can add this config in your root build.gradle
MobileProtectPluginConfiguration {
excludeForTasks = mutableListOf("testCoverage")
}
Hilt compatibility:
If you are using Dagger Hilt, you may need to add additional configuration.
Starting with 24.2.0, we introduced a hilt compatibility option in our plugin if you are still facing issues with dagger hilt:
MobileProtectPluginConfiguration {
enableHiltCompatibility = true
}
With older versions, you may need to configure hilt in the app’s build.gradle with the following:
hilt {
enableAggregatingTask = false
enableExperimentalClasspathAggregation = true
}
Migrating to the maven plugin installation (if you are currently using the mobile-protect-gradle-plugin.jar classpath file)
Step 1: Remove the old dependencies
In your project’s build.gradle, remove the old jar and aspectJ dependencies:
// remove the mobileprotect and aspectJ classpath dependencies
classpath files("PATH_TO/mobile-protect-gradle-plugin.jar")
classpath "org.aspectj:aspectjtools:1.9.4"
You can also remove mobile-protect-gradle-plugin.jar from your project.
In your app’s build.gradle, remove the dependencies and the plugin apply line:
// remove the mobileprotect and safetynet dependencies
dependencies {
implementation("com.datatheorem:mobileprotect-android:$VERSION")
implementation("com.datatheorem:mobileprotect-transformations:$VERSION")
implementation("com.google.android.gms:play-services-safetynet:$SAFETYNET_VERSION")
}
// remove the plugin apply
apply plugin: 'com.dtplugin.mobileprotect'
Step 2: Add the Mobile Protect Maven plugin repository
You will need to add our repository to the plugin repositories, and declare it in your settings.gradle file:
pluginManagement {
repositories {
mavenCentral()
google()
//Mobile Protect Maven Repository
maven {
credentials {
//Leave the username as "MAVEN"
username "MAVEN"
password "$MOBILEPROTECT_REPO_API_KEY"
}
url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android"
}
}
}
Step 3: Add the Mobile Protect Gradle Plugin
Declare the plugin within your project’s build.gradle as follows:
plugins {
id "com.dtplugin.mobileprotect" version("$VERSION")
// if you want to auto update to the latest use: version("+")
}