Skip to main content

How To Make A Config

What does a config file contain?

The masst_config.bm file is a configuration file required for integrating the Bugsmirror Defender into your mobile application. It contains unique settings for your application that are necessary to bind and initialize the Defender framework correctly.

Initially, when you integrate the Bugsmirror defender into your application, a config file is required. If you want to make changes in the features or any settings again then you can create a new config and if you do not want to make changes you can use the same old config every time you make a release. The config files you have made are available in the History tab.

note

It is highly recommended to generate a new config file on every release. This ensures that the latest security features are reflected and function.

How to make a config:

Step 1: Access Build Lab

  • Go to the Bugsmirror Defender tab.
  • Navigate to the Build Lab.
  • Select your Application.
  • Select the Framework.
  • Provide a Release Tag (Release tag is a unique name to the config. This is a helpful feature to recognize the config with specific security features enabled and this config can be used again if needed from the History tab).

Refer to: Add a New Application

Step 2: Select Mitigation

Mitigation refers to predefined actions used to reduce or neutralize threats.

1. For Android Apps

Choose one of the following:

  • App Shutdown (In case of any threat detection, the app will shutdown immediately).
  • Dialog and App Shutdown.
    • Show Encrypted Device Ids: Enabling this option displays the device ID to end users in an encrypted format. This helps organizations securely identify devices during whitelisting. If a genuine user reports an issue, they can share the encrypted device ID, which can be searched in the ThreatLens portal to locate and whitelist the corresponding device.
    • Show “how to fix” message: Enabling this option displays a guide link to users with compromised devices on how to resolve the issue. The message appears below the custom alert and helps users take the necessary steps to fix the problem.
    • You can also add a custom dialog message to be displayed when a threat is detected.
Documentation ImageDocumentation Image

2. For iOS Apps:

Choose one of the following:

  • Dialog: A dialog box will appear in the centre of the screen.
  • Bottom Sheet: A dialog box will appear at the bottom of the screen.
Documentation ImageDocumentation Image
  • Show Encrypted Device Ids: Enabling this option displays the device ID to end users in an encrypted format. This helps organizations securely identify devices during whitelisting. If a genuine user reports an issue, they can share the encrypted device ID, which can be searched in the ThreatLens portal to locate and whitelist the corresponding device.
  • Show “how to fix” message: Enabling this option displays a guide link to users with compromised devices on how to resolve the issue. The message appears below the custom alert and helps users take the necessary steps to fix the problem.
  • Custom Message: Add a custom dialog message to be displayed when a threat is detected.

Step 3: Build Version Details

1. For Android Device:

Documentation ImageDocumentation Image

Provide the following SDK configurations:

  • Target SDK Version.
  • Compile SDK Version.
  • Minimum SDK Version.

Find this information in your app’s build.gradle.

2. For iOS Device:

For the iOS applications, you can set a minimum iOS version supported, which defines the lowest iOS version on which the application will run.

Go to the next page.

Step 4: MASST Features Add-ons

Enable additional MASST features as required:

  • ThreatLens & OTA (Visible only with Cloud solution): ThreatLens provides real-time threat analytics and insights of your app. OTA updates provide continuous protection for your app.

    • Is Update Dialog Visible for OTA and Whitelisting: Enabling this feature completes the OTA and Whitelisting on user without triggering Dialogue and silently on app restart, disabling this feature would mean a dialog would trigger on on App whenever user is whitelisted or OTA is triggered.
  • Bugsmirror Shield: Bugsmirror Shield protects your app from Reverse engineering and IP Theft.

  • Enable Trust API binding: Implement Trust API Binding:
    Enabling this feature ensures every API request is verified at runtime using secure, short-lived tokens generated by RASP. It binds requests to a trusted app environment, preventing misuse from compromised or unauthorized devices and strengthening overall API security.

Step 5: Bugsmirror Shield Configuration

When Bugsmirror Shield is enabled, a configuration dashboard appears with the following options:

Shielded Packages

  • Specify package names that are critical and should be encrypted.

Excluded Packages

  • Specify package names to exclude from encryption.
  • Typically includes less critical files to:
    • Reduce build time.
    • Optimize application size.

⭐️ Note: For iOS and hybrid apps such as flutter and react native (with minimal or no native code), no such information is required.

Step 6: When enabling Trust API binding

Documentation ImageDocumentation Image
  • Client Side Implementation:
    • You can download the Jar file for Android and xcframework file for iOS.
      OR
    • Run the curl-L command in your terminal, Jar folder will download on your device.
Documentation ImageDocumentation Image
  • Server Side Implementation:

Download the required server-side modules and assets.

  • Backend Module: Backend integration module for Java and Go applications.
  • You can select the language module between Java and Go applications from the toggle button on the right.
Documentation ImageDocumentation Image
  • Revoked Serial IDs: JSON list of revoked device serial identifiers.
  • Root Certificate: This also integrates with the server side.

Download the Jar files or run curl-L command in your terminal, the folders will get downloaded on your device. Keep the Revoked Serial Ids and Root Certificates available in the server in-memory Docker. This approach is recommended.

Step 7: Guidelines Compliance Selection

Enable compliance guidelines based on your business and regulatory requirements:

Regulatory Compliance Settings

  • SEBI CSCRF: Security and Exchange Board of India-Cyber Security and Cyber Resilience Framework. A regulatory framework issued by SEBI for financial institutions (fintech apps, stockbrokers apps, etc.) to strengthen cybersecurity and ensure resilience against cyber threats. It suggests a few security checks which are important for companies to follow to protect their app’s and user’s data.

Why it’s important:

  • Protects sensitive financial and investor data.
  • Ensures strong risk management and incident response.
  • Mandates regular security audits and monitoring.

For mobile apps: Apps handling trading or investment data must implement secure coding, code encryption, access controls, continuous monitoring, etc.

  • RBI Guidelines: Reserve Bank of India Security Guidelines. RBI defines cybersecurity and IT framework guidelines for banks, NBFCs, and digital payment apps to ensure safe financial operations.

Why it’s important:

  • Prevents fraud, data breaches, and unauthorized transactions.
  • Enforces secure authentication (like MFA).
  • Requires secure API communication and data protection.

For mobile apps: Banking and fintech apps must follow secure authentication, encryption, session management, and fraud detection mechanisms.

  • NPCI Guidelines: National Payments Corporation of India. NPCI governs payments systems in India (like UPI, RuPay, IMPS) and defines strict security and compliance standards for apps using these systems.

Why it’s important:

  • Ensures secure digital payments.
  • Protects users from transaction fraud and data leaks.
  • Standardizes security across payment ecosystems

For mobile apps: Apps integrating UPI or payment gateways must follow strict encryption, device binding, secure APIs, transaction validation, etc. security measures.

Documentation ImageDocumentation Image

Step 8: Customize Configuration

Documentation ImageDocumentation Image
  • Enable or disable security features based on your business needs.

⭐️ When enabling certain security features, you may see two options: "Prevention", “Skip Mitigation” and “Detection Only”.

  • Prevention: When a threat is detected, the app takes strict action. The application will display a warning dialog and then automatically shut down within a few seconds, preventing further usage until the threat is resolved.
  • Skip Mitigation: When a threat is detected, a warning dialog is shown to the user with a skip button. The user can choose to skip the warning and continue using the app. However, the dialog will reappear each time the app is freshly reopened until the issue is resolved. This approach helps continuously remind users to fix the detected threat (e.g., prompting them to turn off developer mode).
  • Detection Only: While detection only is enabled, Defender will detect the threat internally and dump the data into ThreatLens without interfering user experience or application crash.
Documentation ImageDocumentation Image

⭐️ iOS Configuration Requirement for Unsecure Wi-Fi Detection
To enable unsecure Wi-Fi detection, the following capabilities must be added to your iOS project:

  • Location Permission
  • Access Wi-Fi Information Capability

Steps to configure: Go to Signing & Capabilities → Click + Capability → Add the required permissions.

⭐️ Note: These capabilities are mandatory for unsecure Wi-Fi detection to function correctly. Without them, the feature will not be able to detect insecure networks.

  • After enabling desired features, click Next(a blue button) at the bottom of the features box.
  • The features are categorised into 6 sections for iOS apps and 7 sections for Android apps.
  • After choosing desired security features, click submit and confirm on the last page of the features section.
  • For guidance, refer to the Defender Runtime Security Check-wise Recommendation file to understand:
    • Which features should be enabled.
    • Which features can be disabled based on risk score.

Refer: Bugsmirror Defender Runtime Security Check-wise Recommendations

Step 9: Confirm Configuration

Documentation ImageDocumentation Image
  • Review all selected configurations.
  • On enabling ThreatLens and OTA (a dialogue checkbox Check this to Publish will appear)(only admin). Check the box.
  • Confirm to proceed with the build setup.
tip

History Tab

  • Past configurations are available in the History tab of Bugsmirror Defender.
  • Within this tab, each past configuration file includes a Build Tool option. The Build Tool allows you to reopen a previous configuration directly in the Build Lab. This is useful if you do not want to create a new configuration file from scratch and only need to make minor changes, such as enabling one or two features.
  • By using this option, the selected past configuration is loaded into the Build Lab, where you can review and update it as needed and it will be created as a new config file.