Apply DoveRunner Mobile App Security
DoveRunner Mobile App Security provides self-protection features — code obfuscation, integrity protection, environment detection, and threat tool detection — without any code changes.
Before you start, have the following ready:
- Framework — The framework used to build the app. For hybrid frameworks like React Native, know which version was used.
- KeyStore info — Required if you want DoveRunner Mobile App Security to sign the sealed app on your behalf before uploading to the Play Store.
Sealing an App
Sealing takes three steps:
- Upload your APK or AAB file.
- Configure security options across the five setting groups in the Developer Console.
- Download the sealed app — signed with your keystore, or unsigned for manual signing with apksigner.
Once sealing completes, a download prompt appears. You can also download sealed apps later from Historical Information.
v3.x Release Notes
Sealing version 3.x introduces the following changes from v2.x:
- Dex Protection replaces Dex Encryption — The previous single Yes/No toggle for Dex Encryption has been replaced by two independently configurable options: String Obfuscation and Call Hiding. Each supports three intensity levels (Fast / Balance / Maximum), giving you more granular control over the protection-performance tradeoff.
- ProGuard/R8 now required for Dex Protection — DoveRunner’s Dex Protection works on top of standard ProGuard/R8 obfuscation. Applying Dex Protection without ProGuard/R8 in place will produce weaker results. Ensure your build pipeline includes ProGuard/R8 before enabling Dex Protection.
- App Category removed — The Game / Non-Game App Category selector has been removed. Protection settings are now applied uniformly regardless of app type.
- Data Sealing removed — The Data Sealing feature is no longer available in v3.x. It will return in a future release with an improved implementation.
Configuration Options
Basic Configuration
The Basic Configuration step covers the app framework, sealing version, sealing mode, and protection settings for native and Dex code.
| Option | Description |
|---|---|
| App Framework | The framework used to develop your app. DoveRunner supports native and hybrid frameworks. Select the appropriate option from the dropdown. |
| Sealing Version | The version of DoveRunner protection to apply. Use the latest version to access the newest security features and framework support. |
| Sealing Mode | Test — Same protection level as Release, but displays a periodic “Test mode” watermark on screen. No additional charges apply. Release — Removes the watermark and enables full production features. |
| SO Encryption | Encrypts native library (.so) files in the APK to protect against reverse engineering. Yes — All supported SO files are encrypted. No — SO files are not encrypted. Partial — Encrypts only specific SO files. Use when full encryption causes performance issues. |
Dex Protection
Dex Protection obfuscates the compiled Dex bytecode to make static and dynamic analysis significantly harder. Requires ProGuard/R8 basic obfuscation to be applied first.
| Option | Description |
|---|---|
| String Obfuscation | Obfuscates string literals in Dex bytecode, making static analysis and string extraction significantly harder. Fast — Lower overhead, lighter obfuscation. Balance — Balanced performance and protection. Maximum — Strongest obfuscation; may impact startup time. |
| Call Hiding | Obfuscates function call patterns in Dex bytecode, making control flow analysis harder. Fast / Balance / Maximum — Same tradeoff as String Obfuscation. |
Environment Detection
Controls how the app responds when it detects a potentially compromised or monitored device environment.
| Option | Default | Description |
|---|---|---|
| Rooting | Block | Detects rooted devices. When blocked, the app closes on detection. |
| Developer Options | Allow | Detects whether Android Developer Options are enabled. Developer mode exposes debugging interfaces that can be exploited. |
| USB Debugging | Block | Detects whether ADB USB debugging is active. When blocked, the app closes if USB debugging is enabled. |
| Wi-Fi Security Protocol | Disabled | When set to Collect Info, records the Wi-Fi security protocol in use (e.g. WPA2, WPA3) for monitoring purposes. Does not affect app behavior. |
| Emulator | Block | Detects Android emulator environments. Block — App closes on emulator detection. Optional — Allows specific emulators; all others are blocked. Allow — App runs in all emulator environments. |
| Work Profile & Samsung Secure Folder | Block | Work profiles can disable certain security features and are used by some attack tools to target apps. Block — App closes when launched inside a Work Profile or Samsung Secure Folder. Optional — Allows specific profiles. Allow — App runs in all work profile environments. |
Tools & Package Detection
Detects malicious tools installed on the device and controls whether the app can run alongside them.
| Option | Default | Description |
|---|---|---|
| Macro Tools | Block | Detects macro automation tools that can be used to abuse app functionality. The blocklist is kept up to date. |
| Packet Attack | Block | Detects packet interception tools that capture or tamper with network traffic. |
| Keylogger | Allow | Detects keylogger apps that capture touch input. Blocked by default in high-security use cases. |
| Overlay Window | Allow | Detects apps drawing overlay windows on top of your app. Overlays can be used to intercept input or capture screen content. |
Advanced Detection
| Option | Default | Description |
|---|---|---|
| Screen Mirroring & Capture | Allow | Prevents screen content from being captured or mirrored to external displays while the app is in the foreground. Enable Block for apps that handle sensitive information. |
| Over-The-Air Update | No | Delivers custom threat blocklist updates to active installs without requiring a new app release. The custom blocklist is merged with DoveRunner’s default blocklist and pushed to running apps. Configure the blocklist contents in App Configurations. |
Security Guide
Before Sealing
ProGuard/R8 configuration
If you use Dex Protection, your ProGuard/R8 setup must preserve your business package structure so DoveRunner can correctly identify and obfuscate your code. See the ProGuard Setup Guide for the required rules and what to avoid.
Other requirements
- Firebase Crashlytics must retain its original package name — do not obfuscate it.
- The following class must not be obfuscated (required for React Native version detection):
com/facebook/react/modules/systeminfo/ReactNativeVersion.java
After Sealing
The sealed app must be signed before it can be installed or submitted to the Play Store — the original certificate is invalidated during the sealing process.
Option 1 — Sign via Developer Console (recommended)
Upload your keystore to the Developer Console in advance. When downloading a sealed build, the console will sign it automatically using the registered keystore. No manual steps required.
Option 2 — Sign manually
If you are not using the console’s signing feature, sign the output file manually after download:
| Format | Tool | Command |
|---|---|---|
| APK | apksigner | apksigner sign --ks your.keystore your-app.apk |
| AAB | jarsigner | jarsigner -keystore your.keystore your-app.aab alias |
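Because sealing invalidates the original certificate, it is worth confirming that the re-signed build carries the release certificate you expect before uploading it. The script below is an added example, not part of the DoveRunner documentation: it picks the signing tool by file format as in the table above, signs, and compares the signer certificate's SHA-256 digest with an expected value. The function names, the key alias argument and the expected digest are assumptions you supply.

```shell
#!/bin/sh
# Added example (not DoveRunner's own tooling): sign a sealed build by format,
# then check that the signer certificate matches the expected release cert.
# Assumed inputs: file, keystore, key alias, expected SHA-256 cert digest.

# Choose the signing tool from the file extension, per the table above.
signing_tool_for() {
    case "$1" in
        *.apk) echo apksigner ;;
        *.aab) echo jarsigner ;;
        *)     echo unsupported; return 1 ;;
    esac
}

# Normalize a digest so "AB:CD:..." and "abcd..." compare equal.
normalize_digest() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

sign_and_verify() {
    file=$1; keystore=$2; key_alias=$3; expected=$4
    tool=$(signing_tool_for "$file") || { echo "unsupported format: $file" >&2; return 2; }
    if [ "$tool" = apksigner ]; then
        apksigner sign --ks "$keystore" --ks-key-alias "$key_alias" "$file" || return 3
        # apksigner prints one digest line per signer; take signer #1.
        actual=$(apksigner verify --print-certs "$file" |
                 sed -n 's/^Signer #1 certificate SHA-256 digest: //p')
    else
        jarsigner -keystore "$keystore" "$file" "$key_alias" || return 3
        jarsigner -verify "$file" >/dev/null || return 4
        # keytool prints "SHA256: AA:BB:..." under "Certificate fingerprints".
        actual=$(keytool -printcert -jarfile "$file" |
                 sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1)
    fi
    [ -n "$actual" ] &&
        [ "$(normalize_digest "$actual")" = "$(normalize_digest "$expected")" ]
}

# Usage: sh sign_sealed.sh sealed-app.apk your.keystore alias <expected-sha256>
if [ "$#" -eq 4 ]; then
    if sign_and_verify "$@"; then
        echo "signed; signer certificate matches expected digest"
    else
        echo "signing failed or signer certificate does not match" >&2
        exit 1
    fi
fi
```

Both tools prompt for the keystore password interactively, so nothing secret needs to appear on the command line.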