Integrating Kryptowire into CI/CD – How To Guide

Chris Gogoel
Android, DevSecOps, Enterprise Security, iOS, Software Development


CI/CD Integration Options – Which CI/CD tools does Kryptowire support?

Kryptowire supports all CI/CD tools; the only difference between tools is the integration method. Both options described below use the Kryptowire REST API ‘/api/submit’ route, either directly or indirectly. You are free to use all optional scan customization through this method as well: tag your apps, select which teams should have access to the reports, and enhance the scan with test credentials!

Plugin Integration – Jenkins, Azure DevOps, GitHub Actions

Kryptowire provides a plugin for the product which allows the DevOps team to install and configure build submissions through a custom plugin UI. For example, documentation for the Jenkins plugin can be found here: jenkins/docs at master · kryptowiredev/jenkins · GitHub, and the GitHub Actions plugin can be found here: Kryptowire Analysis · Actions · GitHub Marketplace · GitHub. For Azure DevOps, you’ll simply need to provide your organization name in Azure (e.g. {organization_name}) to your Kryptowire point of contact to get the plugin added to your account!

Build Step Integration – Any CI/CD Product (including products with a Plugin option)

The customer’s DevOps team configures a build step in the CI/CD product which sends the mobile app artifact (.apk or .ipa file) to the Kryptowire EMM Portal via a single REST API call to the ‘/api/submit’ route. This can be done anywhere in the pipeline where the mobile app artifact is available, and in any preferred scripting language (Bash, Python, JS, etc.). An example using Python to submit the mobile app artifact is below. A sample can be provided by Kryptowire for your preferred scripting language on request, and full documentation is available through your Kryptowire EMM Portal account.

import requests

KRYPTOWIRE_URL = 'https://<your-emm-portal>'  # placeholder: base URL of your Kryptowire EMM Portal
KRYPTOWIRE_API_KEY = '<your-api-key>'  # placeholder: supply from the CI secret store, not from source
params = {'key': KRYPTOWIRE_API_KEY, 'platform': 'android'}
app_file = {'app': open('./path/to/app.apk', 'rb')}
r = requests.post(KRYPTOWIRE_URL + '/api/submit', data=params, files=app_file)
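A fuller build-step script along the same lines, added here as an example and not Kryptowire’s own code: it derives the ‘platform’ parameter from the artifact extension, reads the portal URL and API key from environment variables (the names KRYPTOWIRE_URL and KRYPTOWIRE_API_KEY are assumptions), and fails the build step on any non-2xx response. The injectable `post` argument and the `PLATFORMS` table are my constructions, not part of the Kryptowire API.

```python
"""Kryptowire build-step helper (added example, not Kryptowire's own code).

Assumptions (not from the page): the EMM Portal base URL and API key arrive
from the CI secret store as KRYPTOWIRE_URL and KRYPTOWIRE_API_KEY, and the
portal answers a successful submission with a 2xx status code.
"""
import os
from pathlib import Path

# Artifact extension -> value of the 'platform' parameter of /api/submit.
PLATFORMS = {'.apk': 'android', '.ipa': 'ios'}


def platform_for(artifact: str) -> str:
    """Derive the platform parameter from the artifact's file extension."""
    ext = Path(artifact).suffix.lower()
    if ext not in PLATFORMS:
        raise ValueError(f'not a mobile app artifact: {artifact}')
    return PLATFORMS[ext]


def submit_artifact(artifact: str, base_url: str, api_key: str, post=None) -> dict:
    """POST the artifact to /api/submit and fail loudly on a non-2xx answer.

    `post` is injectable so the call can be exercised offline; by default it
    is requests.post, resolved at call time.
    """
    if post is None:
        import requests  # imported here so offline use need not install it
        post = requests.post
    params = {'key': api_key, 'platform': platform_for(artifact)}
    with open(artifact, 'rb') as fh:
        resp = post(base_url.rstrip('/') + '/api/submit',
                    data=params, files={'app': fh})
    if not 200 <= resp.status_code < 300:
        # A failed submission must fail the build step, never pass silently.
        # The API key is deliberately kept out of the error message.
        raise RuntimeError(f'Kryptowire submission failed: HTTP {resp.status_code}')
    return {'platform': params['platform'], 'status': resp.status_code}


if __name__ == '__main__':
    import sys
    # Usage in a build step: python submit.py path/to/app.apk
    # An uncaught exception gives a non-zero exit code, so the pipeline stops.
    print(submit_artifact(sys.argv[1], os.environ['KRYPTOWIRE_URL'],
                          os.environ['KRYPTOWIRE_API_KEY']))
```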

CI/CD Integration – Where should I integrate Kryptowire?

Kryptowire can be integrated at any stage in the pipeline where your mobile app artifact (.apk or .ipa file) is available. As a best practice, Kryptowire should be integrated at multiple stages of the development process, outlined below.

Internal Test Build Compiled

Kryptowire testing should be integrated when you first build the application into the mobile app artifact (.apk or .ipa) file for testing purposes. This ensures that Kryptowire is integrated as early as possible into the development lifecycle and will analyze the test version before it is wrapped or protected with any RASP tools used by the customer. This allows for better remediation guidance to be provided by Kryptowire reporting as no classes/methods will be obfuscated. This stage enables fast identification and correction of problems early in the development process and directly with the development team.

UAT Build Compiled

Testing should next be integrated after the application is built for User Acceptance Testing (UAT) and/or security validation. This version of the application is meant to represent the near-final version that will be provided to the end user or application store. The testing here will capture any changes to the build process that will be used for the final production version, including RASP tools, production configuration options, or production libraries. The reporting provided here can be used by the validation team to confirm that no final changes are needed from a security standpoint.

Production Monitoring

Using the Kryptowire Watchlist feature, all production applications that are live in the application market should be monitored. Monitoring production applications allows users to capture any potential changes from when the application is signed and distributed by the official application market. Alerting is configurable on the Kryptowire EMM Portal to ensure your team(s) know when an issue is identified in an application that is live in production.