search

androidAndroid CLI Manual

MAD (Mobile Application Defense) is a tool to protect Android applications (Cordova, React Native, Flutter or native Java/Kotlin) with additional layers of security.

hashtag
Environment preparation

First Step: Download the compressed file sent by the MAD technical team (usually named “mad_cli_android.zip”). This file contains the tool binaries and the required dependency libraries.

Second Step: Extract the file contents into a secure directory on your build system, for example: “~/Projects/mad_cli_android/”. Ensure the user that will run the build has read and write permissions for this directory.

Third Step: Open the operating system Terminal and navigate to the folder where the file was extracted: “cd ~/Projects/mad_cli_android”

hashtag
Configuration File Creation

MAD uses a file in the .xml format to define the protections that will be incorporated into the target application during the integration process.

File Structure

<?xml version="2.0" encoding="UTF-8" standalone="no"?>
<!--
 Mobile Application Defense  LTDA CONFIDENTIAL
 Copyright 2014-2026  Mobile Application Defense  
 All Rights Reserved.
 NOTICE:  All information contained here is, and remains
 the property of Mobile Application Defense   and its suppliers,
 if any.  The intellectual and technical concepts contained
 herein are proprietary to  Mobile Application Defense  
 and its suppliers and may be covered by U.S. and Foreign Patents,
 patents in process, and are protected by trade secret or copyright law.
 Dissemination of this information or reproduction of this material
 is strictly forbidden unless prior written permission is obtained
 from Mobile Application Defense  .
-->
<madConfiguration>
    <general>
        <apiToken>api-token-command-center</apiToken>
        <bundleName>bundle-name-app</bundleName>
        <mode>default</mode> <!-- default | monitor -->
        <stack>react-native</stack> <!-- cordova | flutter | java -->
    </general>
    <bundleObfuscation>
        <obfuscateDex>true</obfuscateDex>
        <obfuscateAssets>true</obfuscateAssets>
    </bundleObfuscation>
    <certificatePinning>
        <enabled>true</enabled>
        <host domain="*.example.com">
            <pin type="publicKey">1abc23de-456f-789g-hij0-k1234546klm=</pin>
        </host>
        <host domain="example2.com">
            <pin type="certificate">1abc23de-456f-789g-hij0-k1234546klm=</pin>
            <pin type="certificate">1abc23de-456f-789g-hij0-k1234546klm=</pin>
        </host>
    </certificatePinning>
    <antiDebugging>
        <enabled>true</enabled>
    </antiDebugging>
    <xposedDetection>
        <enabled>true</enabled>
        <modules>true</modules>
    </xposedDetection>
    <antiTampering>
        <enabled>true</enabled>
        <checkIntegrity>true</checkIntegrity>
        <verifyHashSections>true</verifyHashSections>
    </antiTampering>
    <rootDetection>
        <enabled>true</enabled>
        <selinux>true</selinux>
        <unlockedBootloader>true</unlockedBootloader>
    </rootDetection>
    <emulatorDetection>
        <enabled>true</enabled>
    </emulatorDetection>
    <memoryProtection>
        <enabled>true</enabled>
    </memoryProtection>
    <proxyDetection>
        <enabled>true</enabled>
    </proxyDetection>
    <vishingProtection>
        <enabled>true</enabled>
    </vishingProtection>
    <vcamDetection>
        <enabled>true</enabled>
    </vcamDetection>
    <screenProtection>
        <enabled>true</enabled>
    </screenProtection>
    <appCloneDetection>
        <enabled>true</enabled>
    </appCloneDetection>
    <overlayDetection>
        <enabled>true</enabled>
    </overlayDetection>
    <alertMessage>
      <enabled>true</enabled>
      <title>Security alert</title>
       <message>
            A security issue was found on your device.
            For your protection, the application will be closed now.
       </message>
    </alertMessage>
</madConfiguration>

The document must start with the tag <madConfiguration> and end with </madConfiguration>. Any structural inconsistency may compromise the validation and integration process.

Section <general>

The tag <general> concentrates the essential information for identifying the application and secure communication with the Command Center. Correctly filling these fields is mandatory.

Required fields

  • <apiToken> Token provided by the MAD team. It is used for authentication and secure communication with the Command Center.

  • <bundleName> Unique identifier of the application. Must follow the reverse domain name naming pattern, for example: com.your.application

  • <stack> Defines the main technology used in the application's development. Examples:

    • java

    • cordova

    • react

    • react-native

    • flutter

Use of Environment Variables

For environments with multiple applications or integration via CI/CD pipelines, it is recommended to use environment variables. This approach reduces exposure of sensitive information and facilitates reuse of configurations.

Supported variables

  • $MAD_API_TOKEN

  • $MAD_BUNDLE_NAME

  • $MAD_APP_STACK

Configuration example using variables

the variables must be properly exported in the environment so they are resolved correctly.

hashtag
Main command

The protection process is performed using a single command, which receives the original APK or AAB and generates a new version of the application properly protected and signed. Re-signing is necessary because the code injection and obfuscation steps modify the application binary, changing its hash and, consequently, invalidating the developer's original digital signature.

The base command to protect your application is the following:

PreviousQuick GuideNextiOS Manual

Last updated