---
title: "Basic Configuration"
description: "Learn about the basic configuration options and parameters for the DoveRunner Mobile App Security CLI tool."
---
> For the complete documentation index, see [llms.txt](/llms.txt).

import { Badge } from '@astrojs/starlight/components';


DoveRunner Mobile App Security CLI tool is jar file which can upload your APK/AAB and download it with DoveRunner Mobile App Security module installed.
You can use all configuration via command line which was visible in web console.

## CLI tool Options (for v3) <Badge text="NEW" variant="success" />

This is the list of the available options when using sealing.jar file for Appsecurity version 3.0.0.0 or higher.<br />
In 3.0.0.0 version, we replaced options to protect Dex files.<br />
In 3.2.0.0 version, `dex_encrypt` / `select_dex_encrypt` options were re-introduced (partial encryption only), and new options `use_callback_feature`, `disable_file_integrity_check`, and `enable_signing_certificate_identity_check` were added.<br />


<Badge text="WARNING" variant="caution" /> If you are looking for options for version lower than 3.0.0.0, please refer this [link](#cli-tool-options-for-v2x-and-hybrid-).<br />
3.0.0.0 is not supporting Hybrid frameworks yet. (Dec/2025)

:::note[API Endpoint by Region]
| Region | URL |
|--------|-----|
| Global / Tokyo | `https://api.appsealing.com/covault/gw` |
| India (Mumbai) | `https://in-api.appsealing.com/covault/gw` |
| Indonesia (Jakarta) | `https://jakarta-api.appsealing.com/covault/gw` |
:::

|Option|Description|Available Values|Required|Default Value|
|------|-----------|----------------|--------|-------------|
|&#x2011;url|Sealing API URL — select the endpoint for your region (see table above)|Regional URL|Required||
|&#x2011;authkey|Your account`s auth key. You can find this key at the CLI tool download page.| Provided separately|Required||
|&#x2011;srcapk|Source APK or App Bundle file which you need protect|file path of created APK or AAB|Required||
|&#x2011;sealedapk|Destination path including sealed file`s name which you need to download |file path of sealed APK or AAB|Required||
|&#x2011;service_type|DoveRunner Mobile App Security Hybrid has different version management, so if you are uploading Hybrid app such as ReactNative, Ionic, Cordova, you should put HYBRID_AOS here.|`NATIVE_AOS`, `HYBRID_AOS`|Optional|`NATIVE_AOS`|
|&#x2011;framework|This option is required when you are uploading HYBRID_AOS app.|`REACT_NATIVE`, `IONIC`, `CORDOVA`|Optional||
|&#x2011;service_version|DoveRunner Mobile App Security service version|`latest` or specific version like `3.0.0.0`|Optional|`latest`|
|&#x2011;deploymode|Test mode will show DoveRunner Mobile App Security watermark but you can test without any limit. Release mode will remove watermark, but it's MAD will be calculated as payed usage.|`test`, `release`|Optional|`test`|
|&#x2011;so_encrypt <Badge text="From 3.1.0.0" variant="note" />|Doverunner server will automatically encrypt available SO fils under app's lib folder.<br />**- It does not encrypt SO files from the known 3rd party libraries, which can conflict with Doverunner.**|`yes`, `no`|Optional|`yes`|
|&#x2011;select_so_encrypt <Badge text="From 3.1.0.0" variant="note" />|Doverunner server will encrypt your SO files based on your parameter.<br /> - `selective_so` parameter must have values to use this option. <br /> **- This option works only when `so_encrypt` is `yes`.**|`yes`, `no`|Optional|`no`|
|&#x2011;selective_so <Badge text="From 3.1.0.0" variant="note" />|You can specify your SO files under lib folder of your app. Each SO file is separated by commas (,). <br />**- This option works only when `so_encrypt` and `select_so_encrypt` are both `yes`.**|`"libAAA.so,libCC.so,...libZZZ.so"`|Optional||
|&#x2011;dex_string_obfuscation |It obfuscate Strings in classes.dex. <br />**Only applied to app's main packages.**<br />- `selective`: Only obfuscates strings in the class/package registered in App Configuration on the console. Register the target class/package in the console before using this value. <Badge text="From 3.2.0.0" variant="success" />|`disable`, `fast`, `balance`, `maximum`, `selective` |Optional|`balance`|
|&#x2011;dex_call_hiding |It obfuscates Method call flows in classes.dex. <br />**Only applied to app's main packages.**|`disable`, `fast`, `balance`, `maximum` |Optional|`balance`|
|&#x2011;dex_encrypt <Badge text="From 3.2.0.0" variant="success" />|Re-introduced in 3.2.0.0. Enables DEX encryption. **Only partial (selective) encryption is supported — setting `dex_encrypt=yes` with `select_dex_encrypt=no` is ignored and no encryption is applied.**|`yes`, `no`|Optional|`no`|
|&#x2011;select_dex_encrypt <Badge text="From 3.2.0.0" variant="success" />|Enables partial DEX encryption. **Must be used together with `dex_encrypt=yes`. Before using this option, register the target class/package in App Configuration on the console.**|`yes`, `no`|Optional|`no`|
|&#x2011;block_environment|You can block Rooting or Emulator environement at this option. <br />**You can use multiple options with comma.**|`rooting`, `emulator`|Optional||
|&#x2011;allow_emulator|You can allow specific emulators after blocking emulators at above option. <br />**You can use multiple options with comma.** |`LDPlayer`, `BlueStacks`, `Nox`|Optional||
|&#x2011;block_work_profile|You can block app launch from work profile environment such as Secure Folder|`yes`, `no`|Optional|`yes`|
|&#x2011;allow_work_profiles|You can allow exeptional work profiles when above option is set `yes`|`Samsung SecureFolder`|Optional||
|&#x2011;use_query_all_packages|With this permission, DoveRunner Mobile App Security can detect cheat tools which change their package_name, but need to submit a form to Google Play Console and get approved to upload the app on Google Play Console. To check the details, please visit our help center page. [Read Help center guide](https://support.doverunner.com/hc/en-us/articles/12554252246937-What-is-QUERY-ALL-PACKAGES-permission)|`yes`, `no`|Optional|`no`|
|&#x2011;block_keylogger|You can block keylogger apps which hide on end&#x2011;user smartphone and capture the key log information.|`yes`, `no`|Optional|`no`|
|&#x2011;hide_overlay_windows|You can block external app's UI overlay on your application to avoid unexpected manipulation. This option will work from Android 12 devices.|`yes`, `no`|Optional|`no`|
|&#x2011;block_screen_capture|When any screen mirroring or capturing app is trying to hijack an app's screen, it will only get a black screen. But this will not send any hacking detection report, and will not quit the app.|`yes`, `no`|Optional|`no`|
|&#x2011;allow_external_tool|Macro(Auto clicker) and Packet attack tools are blocked by default. You can allow these tool by using this option. <br />**You can use multiple options with comma.**|`macro`, `sniff`|Optional||
|&#x2011;block_developer_options|You can block app execution from a smartphone with Developer options enabled.|`yes`, `no`|Optional|`no`|
|&#x2011;block_usb_debugging|You can block app execution form a smartphone with USB Debugging enabled|`yes`, `no`|Optional|`yes`|
|&#x2011;wifi_security_protocol|You can collect smartphone's current Wi-Fi security protocol information such as `WEP`,`WPA`. When you enable this option, `android.permission.ACCESS_WIFI_STATE` is added to your application|`collect`, `disable`|Optional|`disable`|
|&#x2011;app_signing|After DoveRunner Mobile App Security, app's signature is disabled. To install sealed app on smartphone, you need to sign your sealed APK or AAB manually or using this option. You can use registered_key option after register your keystore on DoveRunner Mobile App Security console.<br />**- `appsealing_key`: signs with a test (debug) key. Available for APK only — for AAB it is ignored and the app is left unsigned (same as `none`).**|`none`, `appsealing_key`, `registered_key`|Optional|`none`|
|&#x2011;use_callback_feature <Badge text="From 3.2.0.0" variant="success" />|When `true`, the app is not terminated upon threat detection (except hooking). Instead, a detection report is sent to the app security server and a broadcast is triggered — allowing the app developer to receive the result via a receiver and decide app behavior (e.g., terminate or collect additional info). This feature may become enterprise-only in a future release. For callback integration documentation, please contact the Help Center.|`true`, `false`|Optional|`false`|
|&#x2011;disable_file_integrity_check <Badge text="From 3.2.0.0" variant="success" />|Disables file integrity verification.|`true`, `false`|Optional|`false`|
|&#x2011;enable_signing_certificate_identity_check <Badge text="From 3.2.0.0" variant="success" />|Enables app signing certificate verification. Before setting to `true`, register the SHA256 signing hash in the console — go to the app's settings page and find **Signing Verification Management**.|`true`, `false`|Optional|`false`|
|&#x2011;sealing_preset_name|Assigns a preset name created in the console. If managing individual options is cumbersome, you can configure a preset in the console and apply all settings collectively using this option. Some configurations (e.g., threat response message customization) are only available through a preset and cannot be set directly via CLI.|Preset name string|Optional||

## Example usage with simple options
Example command line when you apply DoveRunner Mobile App Security with only required options. All other options will be applied as default values.

**Using a preset (Recommended):** Configure protection settings in the DoveRunner console as a preset, then reference the preset name. All protection options are managed from the console.
```bash
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aab -sealing_preset_name my-preset-name
```

**Without preset:** All protection options use their default values.
```bash
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aab
```

## Example usage with enabling all options 
Example command line When you apply DoveRunner Mobile App Security on your App bundle with only using required options.
```bash
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aab -service_type NATIVE_AOS -service_version latest -deploymode release -dex_string_obfuscation balance -dex_call_hiding balance -dex_encrypt yes -select_dex_encrypt yes -so_encrypt yes -block_environment rooting,emulator -allow_emulator LDPlayer,BlueStacks,Nox -block_work_profile yes -allow_work_profiles 'Samsung SecureFolder' -block_developer_options yes -block_usb_debugging yes -block_keylogger yes -block_screen_capture yes -hide_overlay_windows yes -allow_external_tool macro,sniff -wifi_security_protocol collect -use_query_all_packages no -use_callback_feature false -disable_file_integrity_check false -enable_signing_certificate_identity_check false -app_signing registered_key
```

## Run sealing.jar using the config.txt file

You can run CLI tool file with below option, and can manage all options at config.txt file.
```bash
$ java -jar sealing.jar -config ./config.txt
```

### config.txt file
```
# DoveRunner AppSecurity CLI Tool - Configuration File
# Usage example: java -jar sealing.jar -config ./config.txt
#
# This file is based on AppSecurity 3.0.0.0 or higher.
# For older versions (2.x), refer to the example files in the examples/ folder.

# Sealing API URL (Region-specific URLs: https://docs.doverunner.com/mobile-app-security/android/cicd/basic-configuration/)
url=https://api.appsealing.com/covault/gw

# Authentication Key (available in DoveRunner Developer Console)
authkey=

# Original APK/AAB file path
srcapk=

# Sealed APK/AAB output path
sealedapk=

# App signing option { none | registered_key }
# none : AppSecurity applied but not signed. Developer must sign before installing or distributing.
# registered_key : Signed with a key pre-registered in the DoveRunner Developer Console (https://console.doverunner.com).
app_signing=

# Sealing preset option. When set, security options below can be controlled from the console.
sealing_preset_name=


# App service type { NATIVE_AOS | HYBRID_AOS }
service_type=

# Hybrid app framework { REACT_NATIVE | IONIC | CORDOVA }
framework=

# Service version
service_version=

# Deploy mode { release | test }
deploymode=


# Dex protection options (3.0.0.0+) - replaces legacy Dex encryption options.
# CAUTION: Both options cannot be set to 'disable' at the same time.

# Obfuscate strings in classes.dex { disable | fast | balance | maximum | selective } (default: balance)
dex_string_obfuscation=

# Obfuscate method call flows in classes.dex { disable | fast | balance | maximum } (default: balance)
dex_call_hiding=


# Dex encryption (3.2.0.0+) { no | yes }
# CAUTION: dex_encrypt and select_dex_encrypt must be set to the same value. (yes/yes or no/no)
dex_encrypt=

# Selective Dex encryption (3.2.0.0+) (only applies when dex_encrypt=yes) { no | yes }
select_dex_encrypt=

# SO file encryption (3.1.0.0+) { yes | no }
so_encrypt=

# Selective SO file encryption (3.1.0.0+) { yes | no }
select_so_encrypt=


# Disable file integrity check { true | false } (default: false (integrity check enabled))
# When set to true, file integrity check will not be performed.
# Typically used for Play Protection, SideKick and similar scenarios where files are modified by Google before distribution.
# Ensure an alternative integrity mechanism is in place before deploying to production.
disable_file_integrity_check=

# Enable signing certificate identity check { true | false } (default: false (disabled))
# IMPORTANT: SHA-256 certificate fingerprints must be registered in the DoveRunner Developer Console before enabling this option.
# Enabling without prior registration will not work correctly.
enable_signing_certificate_identity_check=


# Block emulator and/or rooted device { emulator, rooting }
block_environment=

# Allow specific emulators when emulator blocking is enabled { BlueStacks, Nox, LDPlayer }
allow_emulator=

# Block work profile environment { yes | no }
block_work_profile=

# Allow specific work profile apps { Samsung SecureFolder }
allow_work_profiles=

# Block app on Developer Options enabled devices { yes | no }
block_developer_options=

# Block app on USB debugging enabled devices { yes | no }
block_usb_debugging=

# Allow macro or network sniffing tools { macro, sniff }
allow_external_tool=

# Block app in keylogger installed environment { yes | no }
block_keylogger=

# Block screen capture and mirroring { yes | no }
block_screen_capture=

# Block overlay windows from other apps (Android 12+) { yes | no }
hide_overlay_windows=

# Collect Wi-Fi security protocol information { collect | disable }
wifi_security_protocol=

# Use QUERY_ALL_PACKAGES permission { yes | no }
use_query_all_packages=

# Don't force-close app, and use callback feature for threat handling { true | false } (default: false)
use_callback_feature=
```

### Example of config.txt for Native DoveRunner Mobile App Security
Native app: App build with general Android Studio, Flutter, Unity, or Unreal engine.
Ex) Using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows,

```bash
java -jar sealing.jar -config config.txt -srcapk app-release.apk -sealedapk app-release-sealed.apk
```
Ex) Settings in Config.txt
```
url=https://api.appsealing.com/covault/gw
authkey=123456789ABCDE
deploymode=release
block_environment=emulator, rooting
allow_emulator=BlueStacks, Nox, LDPlayer
block_work_profile=yes
allow_work_profiles=Samsung SecureFolder
block_keylogger=no
allow_external_tool=macro, sniff
dex_encrypt=no
select_dex_encrypt=no
service_version=latest
app_signing=none

```
Notice: 
For Windows Platform, double file separator must be used in path configuration with config.txt.
Ex) D:\\DoveRunner Mobile App Security\\sealing.jar

### Example of config.txt for Hybrid DoveRunner Mobile App Security

Hybrid app: App built with ReactNative, Ionic or Cordova.

Ex) Using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows, for ReactNative app.
```bash
java -jar sealing.jar -config config.txt -srcapk app-release.apk -sealedapk app-release-sealed.apk
```
Ex) Settings in Config.txt
```
url=https://api.appsealing.com/covault/gw
authkey=123456789ABCDE
service_type=HYBRID_AOS
framework=REACT_NATIVE
deploymode=release
block_environment=emulator, rooting
allow_emulator=BlueStacks, Nox, LDPlayer
block_work_profile=no
block_keylogger=no
allow_external_tool=macro, sniff
dex_encrypt=no
select_dex_encrypt=no
service_version=latest
app_signing=none
```

Notice: 
For Windows Platform, double file separator must be used in path configuration.
Ex) D:\\DoveRunner Mobile App Security\\sealing.jar




## CLI tool Options (for v2.x and Hybrid) <Badge text="Deprecated" variant="danger" />

This is the list of the available options when using sealing.jar file for Android AppSecurity version 2.x or Hybrid security 1.x.

|Option|Description|Available Values|Required|Default Value|
|------|-----------|----------------|--------|-------------|
|&#x2011;url|Sealing API URL — select the endpoint for your region (see [region table above](#cli-tool-options-for-v3-))|Regional URL|Required||
|&#x2011;authkey|Your account`s auth key. You can find this key at the CLI tool download page.| Provided separately|Required||
|&#x2011;srcapk|Source APK or App Bundle file which you need protect|file path of created APK or AAB|Required||
|&#x2011;sealedapk|Destination path including sealed file`s name which you need to download |file path of sealed APK or AAB|Required||
|&#x2011;app_type|Your app's type for optimized sealing|`GAME`, `NON_GAME`|Optional|`GAME`| 
|&#x2011;service_type|DoveRunner Mobile App Security Hybrid has different version management, so if you are uploading Hybrid app such as ReactNative, Ionic, Cordova, you should put HYBRID_AOS here.|`NATIVE_AOS`, `HYBRID_AOS`|Optional|`NATIVE_AOS`|
|&#x2011;framework|This option is required when you are uploading HYBRID_AOS app.|`REACT_NATIVE`, `IONIC`, `CORDOVA`|Optional||
|&#x2011;service_version|DoveRunner Mobile App Security service version|`latest` or specific version like `2.31.0.0`|Optional|`latest`|
|&#x2011;deploymode|Test mode will show DoveRunner Mobile App Security watermark but you can test without any limit. Release mode will remove watermark, but it's MAD will be calculated as payed usage.|`test`, `release`|Optional|`test`|
|&#x2011;so_encrypt <Badge text="From 3.1.0.0" variant="note" />|Doverunner server will automatically encrypt available SO fils under app's lib folder.<br />**- It does not encrypt SO files from the known 3rd party libraries, which can conflict with Doverunner.**|`yes`, `no`|Optional|`yes`|
|&#x2011;select_so_encrypt <Badge text="From 3.1.0.0" variant="note" />|Doverunner server will encrypt your SO files based on your parameter.<br /> - `selective_so` parameter must have values to use this option. <br /> **- This option works only when `so_encrypt` is `yes`.**|`yes`, `no`|Optional|`no`|
|&#x2011;selective_so <Badge text="From 3.1.0.0" variant="note" />|You can specify your SO files under lib folder of your app. Each SO file is separated by commas (,). <br />**- This option works only when `so_encrypt` and `select_so_encrypt` are both `yes`.**|`"libAAA.so,libCC.so,...libZZZ.so"`|Optional||
|&#x2011;dex_encrypt|You can encrypt classes.dex files.|`yes`, `no`|Optional|`no`|
|&#x2011;select_dex_encrypt|After set `yes` for &#x2011;dex_encrypt option, you can enable this option to `yes`. Before use this option, you need to register class or package of your Android code at DoveRunner Mobile App Security console.|`yes`, `no`|Optional|`no`|
|&#x2011;block_environment|You can block Rooting or Emulator environement at this option. <br />**You can use multiple options with comma.**|`rooting`, `emulator`|Optional||
|&#x2011;allow_emulator|You can allow specific emulators after blocking emulators at above option. <br />**You can use multiple options with comma.** |`LDPlayer`, `BlueStacks`, `Nox`|Optional||
|&#x2011;block_work_profile|You can block app launch from work profile environment such as Secure Folder|`yes`, `no`|Optional|`yes`|
|&#x2011;allow_work_profiles|You can allow exeptional work profiles when above option is set `yes`|`Samsung SecureFolder`|Optional||
|&#x2011;use_query_all_packages|With this permission, DoveRunner Mobile App Security can detect cheat tools which change their package_name, but need to submit a form to Google Play Console and get approved to upload the app on Google Play Console. To check the details, please visit our help center page. [Read Help center guide](https://support.doverunner.com/hc/en-us/articles/12554252246937-What-is-QUERY-ALL-PACKAGES-permission)|`yes`, `no`|Optional|`no`|
|&#x2011;block_keylogger|You can block keylogger apps which hide on end&#x2011;user smartphone and capture the key log information.|`yes`, `no`|Optional|`no`|
|&#x2011;hide_overlay_windows|You can block external app's UI overlay on your application to avoid unexpected manipulation. This option will work from Android 12 devices.|`yes`, `no`|Optional|`no`|
|&#x2011;block_screen_capture|When any screen mirroring or capturing app is trying to hijack an app's screen, it will only get a black screen. But this will not send any hacking detection report, and will not quit the app.|`yes`, `no`|Optional|`no`|
|&#x2011;allow_external_tool|Macro(Auto clicker) and Packet attack tools are blocked by default. You can allow these tool by using this option. <br />**You can use multiple options with comma.**|`macro`, `sniff`|Optional||
|&#x2011;block_developer_options|You can block app execution from a smartphone with Developer options enabled.|`yes`, `no`|Optional|`no`|
|&#x2011;block_usb_debugging|You can block app execution form a smartphone with USB Debugging enabled|`yes`, `no`|Optional|`yes`|
|&#x2011;wifi_security_protocol|You can collect smartphone's current Wi-Fi security protocol information such as `WEP`,`WPA`. When you enable this option, `android.permission.ACCESS_WIFI_STATE` is added to your application|`collect`, `disable`|Optional|`disable`|
|&#x2011;app_signing|After DoveRunner Mobile App Security, app's signature is disabled. To install sealed app on smartphone, you need to sign your sealed APK or AAB manually or using this option. You can use registered_key option after register your keystore on DoveRunner Mobile App Security console|`none`, `appsealing_key`, `registered_key`|Optional|`none`|