Note: The latest $VERSION
is 24.0.0
The Mobile Protect SDK for native Android apps is distributed via Maven. This document will take you through the steps to integrate SDK into your build system. For other guides, check out Mobile Protect Installation Guides
To fetch the Mobile Protect SDK for Android via Maven, an API key is needed. If you haven’t received an API key for Mobile Protect, please contact us.
Stating with v23, we introduced a new Gradle plugin, available on our Maven repository. This plugin now automatically installs required dependencies and is applied at the project level. You no longer need to manually install a jar.
Follow this documentation to install Mobile Protect v23 and this documentation to migrate from v22.
The installation guide for v22 is also available here.
Installing Mobile Protect SDK with Maven for v23 and above
This documentation will guide you through the installation of Mobile Protect, if you are already using an older version of Mobile Protect and wish to upgrade, follow the migration guide.
Step 1: Add the Mobile Protect Maven Repository
The Mobile Protect for Android SDK is hosted on a private Maven repository. To be able to fetch the dependency, you must first register the dependency within your Gradle manifest.
You will need to add our repository to the plugin repositories, and declare it in your settings.gradle file:
pluginManagement { repositories { mavenCentral() gradlePluginPortal() //optional: depends on the plugin you are currently using google() //Mobile Protect Maven Repository maven { credentials { //Leave the username as "MAVEN" username "MAVEN" password "$MOBILEPROTECT_REPO_API_KEY" } url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android" } } }
Our plugin will then download its project dependencies so you will also need to add our repository to your project’s build.gradle
file, add:
allprojects { repositories { mavenCentral() google() //Mobile Protect Maven Repository maven { credentials { //Leave the username as "MAVEN" username "MAVEN" password "$MOBILEPROTECT_REPO_API_KEY" } url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android" } } }
Note: If you use settings for dependency management (for ex. if you see the error “Build was configured to prefer settings repositories over project repositories”) the Data Theorem repository will need to be added in settings.gradle
under dependencyResolutionManagement->repositories
Step 2: Configure the Mobile Protect API Key
If you chose to define the API key globally, you can add it to the global Gradle properties in ~/.gradle/gradle.properties
(plaintext file) or in your local.properties
with:
MOBILEPROTECT_REPO_API_KEY={MOBILEPROTECT_REPO_API_KEY}
Replacing {MOBILEPROTECT_REPO_API_KEY}
with the Mobile Protect API key, which can be found in the mobile_protect_sdk_update_api_key.txt
file from the zip downloaded in step 1. Do not wrap the key in any quote characters.
Note: If you chose the global option, make sure to set the environment variable GRADLE_USER_HOME
to ~/.gradle
.
That key is NOT SENSITIVE. The key is only used to download the Mobile Protect SDK, but cannot be used to pull any data from the app nor the backend. A different and more secure key is required for pulling data. It is safe to commit in your repository.
Step 3: Add the Mobile Protect Gradle Plugin
Declare the plugin within your project’s build.gradle
as follows:
plugins { id "com.dtplugin.mobileprotect" version("$VERSION") // if you want to auto update to the latest use: version("+") }
Note: If you encounter duplication issues because you have both TrustKit and MobileProtect, you can use the com.dtplugin.mobileprotect-notrustkit
artefact and keep TrustKit as is.
Step 4: Add the Mobile Protect configuration
In the Android project, create the xml
directory (/app/src/main/res/xml
) if it does not exist. Then, copy the mobileprotect.xml
config file into the xml
resources folder.
The XML file contains an AUTH_TOKEN
key; however, the key is NOT SENSITIVE. The key is only used to identify the data sent by Mobile Protect to the backend, but cannot be used to pull any data from the app nor the backend. A different and more secure key is required for pulling data. It is safe to commit and have the token in the .apk as it is used as an identifier, similar to Google's Firebase: https://firebase.google.com/docs/projects/api-keys
Step 5: Start Mobile Protect
Now you're ready to initialize the SDK. Within your application's main Application class, preferably in the onCreate()
method, add the following initializing code:
MobileProtect.init(this, R.xml.mobileprotect);
Results
Please visit https://www.securetheorem.com/mobile/protect to see the list of your apps and the state of protection, along with the individual protection item details.
Optional: Add TrustKit certificate pinning
https://datatheorem.atlassian.net/servicedesk/customer/portal/1/article/2044461101
Optional: Enable static obfuscation
https://datatheorem.atlassian.net/wiki/x/EgDcgQ
Hilt compatibility:
If you are using Dagger Hilt, you may need to add the following config to your App’s build.gradle
hilt { enableAggregatingTask = false enableExperimentalClasspathAggregation = true }
Migrating to the maven plugin installation (if you are currently using the mobile-protect-gradle-plugin.jar
classpath file)
Step 1: Remove the old dependencies
In your project’s build.gradle
, remove the old jar and aspectJ dependencies:
// remove the mobileprotect and aspectJ classpath dependencies classpath files("PATH_TO/mobile-protect-gradle-plugin.jar") classpath "org.aspectj:aspectjtools:1.9.4"
You can also remove mobile-protect-gradle-plugin.jar
from your project.
In your app’s build.gradle
, remove the dependencies and the plugin apply line:
// remove the mobileprotect and safetynet dependencies dependencies { implementation("com.datatheorem:mobileprotect-android:$VERSION") implementation("com.datatheorem:mobileprotect-transformations:$VERSION") implementation("com.google.android.gms:play-services-safetynet:$SAFETYNET_VERSION") } // remove the plugin apply apply plugin: 'com.dtplugin.mobileprotect'
Step 2: Add the Mobile Protect Maven plugin repository
You will need to add our repository to the plugin repositories, and declare it in your settings.gradle file:
pluginManagement { repositories { mavenCentral() google() //Mobile Protect Maven Repository maven { credentials { //Leave the username as "MAVEN" username "MAVEN" password "$MOBILEPROTECT_REPO_API_KEY" } url "https://mobile-protect-repos.securetheorem.com/mobileprotect-android" } } }
Step 3: Add the Mobile Protect Gradle Plugin
Declare the plugin within your project’s build.gradle
as follows:
plugins { id "com.dtplugin.mobileprotect" version("$VERSION") // if you want to auto update to the latest use: version("+") }