Basic Configuration
DoveRunner Mobile App Security CLI tool is jar file which can upload your APK/AAB and download it with DoveRunner Mobile App Security module installed. You can use all configuration via command line which was visible in web console.
CLI tool Options (for v3) NEW
Section titled “CLI tool Options (for v3) ”This is the list of the available options when using sealing.jar file for Appsecurity version 3.0.0.0 or higher.
In 3.0.0.0 version, we replaced options to protect Dex files.
In 3.2.0.0 version, dex_encrypt / select_dex_encrypt options were re-introduced (partial encryption only), and new options use_callback_feature, disable_file_integrity_check, and enable_signing_certificate_identity_check were added.
WARNING If you are looking for options for version lower than 3.0.0.0, please refer this link.
3.0.0.0 is not supporting Hybrid frameworks yet. (Dec/2025)
| Option | Description | Available Values | Required | Default Value |
|---|---|---|---|---|
| ‑url | Sealing API URL — select the endpoint for your region (see table above) | Regional URL | Required | |
| ‑authkey | Your account`s auth key. You can find this key at the CLI tool download page. | Provided separately | Required | |
| ‑srcapk | Source APK or App Bundle file which you need protect | file path of created APK or AAB | Required | |
| ‑sealedapk | Destination path including sealed file`s name which you need to download | file path of sealed APK or AAB | Required | |
| ‑service_type | DoveRunner Mobile App Security Hybrid has different version management, so if you are uploading Hybrid app such as ReactNative, Ionic, Cordova, you should put HYBRID_AOS here. | NATIVE_AOS, HYBRID_AOS | Optional | NATIVE_AOS |
| ‑framework | This option is required when you are uploading HYBRID_AOS app. | REACT_NATIVE, IONIC, CORDOVA | Optional | |
| ‑service_version | DoveRunner Mobile App Security service version | latest or specific version like 3.0.0.0 | Optional | latest |
| ‑deploymode | Test mode will show DoveRunner Mobile App Security watermark but you can test without any limit. Release mode will remove watermark, but it’s MAD will be calculated as payed usage. | test, release | Optional | test |
| ‑so_encrypt From 3.1.0.0 | Doverunner server will automatically encrypt available SO fils under app’s lib folder. - It does not encrypt SO files from the known 3rd party libraries, which can conflict with Doverunner. | yes, no | Optional | yes |
| ‑select_so_encrypt From 3.1.0.0 | Doverunner server will encrypt your SO files based on your parameter. - selective_so parameter must have values to use this option. - This option works only when so_encrypt is yes. | yes, no | Optional | no |
| ‑selective_so From 3.1.0.0 | You can specify your SO files under lib folder of your app. Each SO file is separated by commas (,). - This option works only when so_encrypt and select_so_encrypt are both yes. | "libAAA.so,libCC.so,...libZZZ.so" | Optional | |
| ‑dex_string_obfuscation | It obfuscate Strings in classes.dex. Only applied to app’s main packages. - selective: Only obfuscates strings in the class/package registered in App Configuration on the console. Register the target class/package in the console before using this value. From 3.2.0.0 | disable, fast, balance, maximum, selective | Optional | balance |
| ‑dex_call_hiding | It obfuscates Method call flows in classes.dex. Only applied to app’s main packages. | disable, fast, balance, maximum | Optional | balance |
| ‑dex_encrypt From 3.2.0.0 | Re-introduced in 3.2.0.0. Enables DEX encryption. Only partial (selective) encryption is supported — setting dex_encrypt=yes with select_dex_encrypt=no is ignored and no encryption is applied. | yes, no | Optional | no |
| ‑select_dex_encrypt From 3.2.0.0 | Enables partial DEX encryption. Must be used together with dex_encrypt=yes. Before using this option, register the target class/package in App Configuration on the console. | yes, no | Optional | no |
| ‑block_environment | You can block Rooting or Emulator environement at this option. You can use multiple options with comma. | rooting, emulator | Optional | |
| ‑allow_emulator | You can allow specific emulators after blocking emulators at above option. You can use multiple options with comma. | LDPlayer, BlueStacks, Nox | Optional | |
| ‑block_work_profile | You can block app launch from work profile environment such as Secure Folder | yes, no | Optional | yes |
| ‑allow_work_profiles | You can allow exeptional work profiles when above option is set yes | Samsung SecureFolder | Optional | |
| ‑use_query_all_packages | With this permission, DoveRunner Mobile App Security can detect cheat tools which change their package_name, but need to submit a form to Google Play Console and get approved to upload the app on Google Play Console. To check the details, please visit our help center page. Read Help center guide | yes, no | Optional | no |
| ‑block_keylogger | You can block keylogger apps which hide on end‑user smartphone and capture the key log information. | yes, no | Optional | no |
| ‑hide_overlay_windows | You can block external app’s UI overlay on your application to avoid unexpected manipulation. This option will work from Android 12 devices. | yes, no | Optional | no |
| ‑block_screen_capture | When any screen mirroring or capturing app is trying to hijack an app’s screen, it will only get a black screen. But this will not send any hacking detection report, and will not quit the app. | yes, no | Optional | no |
| ‑allow_external_tool | Macro(Auto clicker) and Packet attack tools are blocked by default. You can allow these tool by using this option. You can use multiple options with comma. | macro, sniff | Optional | |
| ‑block_developer_options | You can block app execution from a smartphone with Developer options enabled. | yes, no | Optional | no |
| ‑block_usb_debugging | You can block app execution form a smartphone with USB Debugging enabled | yes, no | Optional | yes |
| ‑wifi_security_protocol | You can collect smartphone’s current Wi-Fi security protocol information such as WEP,WPA. When you enable this option, android.permission.ACCESS_WIFI_STATE is added to your application | collect, disable | Optional | disable |
| ‑app_signing | After DoveRunner Mobile App Security, app’s signature is disabled. To install sealed app on smartphone, you need to sign your sealed APK or AAB manually or using this option. You can use registered_key option after register your keystore on DoveRunner Mobile App Security console. - appsealing_key: signs with a test (debug) key. Available for APK only — for AAB it is ignored and the app is left unsigned (same as none). | none, appsealing_key, registered_key | Optional | none |
| ‑use_callback_feature From 3.2.0.0 | When true, the app is not terminated upon threat detection (except hooking). Instead, a detection report is sent to the app security server and a broadcast is triggered — allowing the app developer to receive the result via a receiver and decide app behavior (e.g., terminate or collect additional info). This feature may become enterprise-only in a future release. For callback integration documentation, please contact the Help Center. | true, false | Optional | false |
| ‑disable_file_integrity_check From 3.2.0.0 | Disables file integrity verification. | true, false | Optional | false |
| ‑enable_signing_certificate_identity_check From 3.2.0.0 | Enables app signing certificate verification. Before setting to true, register the SHA256 signing hash in the console — go to the app’s settings page and find Signing Verification Management. | true, false | Optional | false |
| ‑sealing_preset_name | Assigns a preset name created in the console. If managing individual options is cumbersome, you can configure a preset in the console and apply all settings collectively using this option. Some configurations (e.g., threat response message customization) are only available through a preset and cannot be set directly via CLI. | Preset name string | Optional |
Example usage with simple options
Section titled “Example usage with simple options”Example command line when you apply DoveRunner Mobile App Security with only required options. All other options will be applied as default values.
Using a preset (Recommended): Configure protection settings in the DoveRunner console as a preset, then reference the preset name. All protection options are managed from the console.
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aab -sealing_preset_name my-preset-nameWithout preset: All protection options use their default values.
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aabExample usage with enabling all options
Section titled “Example usage with enabling all options”Example command line When you apply DoveRunner Mobile App Security on your App bundle with only using required options.
$ java -jar sealing.jar -url https://api.appsealing.com/covault/gw -authkey 123456789ABCDE -srcapk app-release.aab -sealedapk app-release-sealed.aab -service_type NATIVE_AOS -service_version latest -deploymode release -dex_string_obfuscation balance -dex_call_hiding balance -dex_encrypt yes -select_dex_encrypt yes -so_encrypt yes -block_environment rooting,emulator -allow_emulator LDPlayer,BlueStacks,Nox -block_work_profile yes -allow_work_profiles 'Samsung SecureFolder' -block_developer_options yes -block_usb_debugging yes -block_keylogger yes -block_screen_capture yes -hide_overlay_windows yes -allow_external_tool macro,sniff -wifi_security_protocol collect -use_query_all_packages no -use_callback_feature false -disable_file_integrity_check false -enable_signing_certificate_identity_check false -app_signing registered_keyRun sealing.jar using the config.txt file
Section titled “Run sealing.jar using the config.txt file”You can run CLI tool file with below option, and can manage all options at config.txt file.
$ java -jar sealing.jar -config ./config.txtconfig.txt file
Section titled “config.txt file”# DoveRunner AppSecurity CLI Tool - Configuration File# Usage example: java -jar sealing.jar -config ./config.txt## This file is based on AppSecurity 3.0.0.0 or higher.# For older versions (2.x), refer to the example files in the examples/ folder.
# Sealing API URL (Region-specific URLs: https://docs.doverunner.com/mobile-app-security/android/cicd/basic-configuration/)url=https://api.appsealing.com/covault/gw
# Authentication Key (available in DoveRunner Developer Console)authkey=
# Original APK/AAB file pathsrcapk=
# Sealed APK/AAB output pathsealedapk=
# App signing option { none | registered_key }# none : AppSecurity applied but not signed. Developer must sign before installing or distributing.# registered_key : Signed with a key pre-registered in the DoveRunner Developer Console (https://console.doverunner.com).app_signing=
# Sealing preset option. When set, security options below can be controlled from the console.sealing_preset_name=
# App service type { NATIVE_AOS | HYBRID_AOS }service_type=
# Hybrid app framework { REACT_NATIVE | IONIC | CORDOVA }framework=
# Service versionservice_version=
# Deploy mode { release | test }deploymode=
# Dex protection options (3.0.0.0+) - replaces legacy Dex encryption options.# CAUTION: Both options cannot be set to 'disable' at the same time.
# Obfuscate strings in classes.dex { disable | fast | balance | maximum | selective } (default: balance)dex_string_obfuscation=
# Obfuscate method call flows in classes.dex { disable | fast | balance | maximum } (default: balance)dex_call_hiding=
# Dex encryption (3.2.0.0+) { no | yes }# CAUTION: dex_encrypt and select_dex_encrypt must be set to the same value. (yes/yes or no/no)dex_encrypt=
# Selective Dex encryption (3.2.0.0+) (only applies when dex_encrypt=yes) { no | yes }select_dex_encrypt=
# SO file encryption (3.1.0.0+) { yes | no }so_encrypt=
# Selective SO file encryption (3.1.0.0+) { yes | no }select_so_encrypt=
# Disable file integrity check { true | false } (default: false (integrity check enabled))# When set to true, file integrity check will not be performed.# Typically used for Play Protection, SideKick and similar scenarios where files are modified by Google before distribution.# Ensure an alternative integrity mechanism is in place before deploying to production.disable_file_integrity_check=
# Enable signing certificate identity check { true | false } (default: false (disabled))# IMPORTANT: SHA-256 certificate fingerprints must be registered in the DoveRunner Developer Console before enabling this option.# Enabling without prior registration will not work correctly.enable_signing_certificate_identity_check=
# Block emulator and/or rooted device { emulator, rooting }block_environment=
# Allow specific emulators when emulator blocking is enabled { BlueStacks, Nox, LDPlayer }allow_emulator=
# Block work profile environment { yes | no }block_work_profile=
# Allow specific work profile apps { Samsung SecureFolder }allow_work_profiles=
# Block app on Developer Options enabled devices { yes | no }block_developer_options=
# Block app on USB debugging enabled devices { yes | no }block_usb_debugging=
# Allow macro or network sniffing tools { macro, sniff }allow_external_tool=
# Block app in keylogger installed environment { yes | no }block_keylogger=
# Block screen capture and mirroring { yes | no }block_screen_capture=
# Block overlay windows from other apps (Android 12+) { yes | no }hide_overlay_windows=
# Collect Wi-Fi security protocol information { collect | disable }wifi_security_protocol=
# Use QUERY_ALL_PACKAGES permission { yes | no }use_query_all_packages=
# Don't force-close app, and use callback feature for threat handling { true | false } (default: false)use_callback_feature=Example of config.txt for Native DoveRunner Mobile App Security
Section titled “Example of config.txt for Native DoveRunner Mobile App Security”Native app: App build with general Android Studio, Flutter, Unity, or Unreal engine. Ex) Using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows,
java -jar sealing.jar -config config.txt -srcapk app-release.apk -sealedapk app-release-sealed.apkEx) Settings in Config.txt
url=https://api.appsealing.com/covault/gwauthkey=123456789ABCDEdeploymode=releaseblock_environment=emulator, rootingallow_emulator=BlueStacks, Nox, LDPlayerblock_work_profile=yesallow_work_profiles=Samsung SecureFolderblock_keylogger=noallow_external_tool=macro, sniffdex_encrypt=noselect_dex_encrypt=noservice_version=latestapp_signing=noneNotice: For Windows Platform, double file separator must be used in path configuration with config.txt. Ex) D:\DoveRunner Mobile App Security\sealing.jar
Example of config.txt for Hybrid DoveRunner Mobile App Security
Section titled “Example of config.txt for Hybrid DoveRunner Mobile App Security”Hybrid app: App built with ReactNative, Ionic or Cordova.
Ex) Using execution script only for srcapk and sealedapk parameter and the rest for configuration file in Windows, for ReactNative app.
java -jar sealing.jar -config config.txt -srcapk app-release.apk -sealedapk app-release-sealed.apkEx) Settings in Config.txt
url=https://api.appsealing.com/covault/gwauthkey=123456789ABCDEservice_type=HYBRID_AOSframework=REACT_NATIVEdeploymode=releaseblock_environment=emulator, rootingallow_emulator=BlueStacks, Nox, LDPlayerblock_work_profile=noblock_keylogger=noallow_external_tool=macro, sniffdex_encrypt=noselect_dex_encrypt=noservice_version=latestapp_signing=noneNotice: For Windows Platform, double file separator must be used in path configuration. Ex) D:\DoveRunner Mobile App Security\sealing.jar
CLI tool Options (for v2.x and Hybrid) Deprecated
Section titled “CLI tool Options (for v2.x and Hybrid) ”This is the list of the available options when using sealing.jar file for Android AppSecurity version 2.x or Hybrid security 1.x.
| Option | Description | Available Values | Required | Default Value |
|---|---|---|---|---|
| ‑url | Sealing API URL — select the endpoint for your region (see region table above) | Regional URL | Required | |
| ‑authkey | Your account`s auth key. You can find this key at the CLI tool download page. | Provided separately | Required | |
| ‑srcapk | Source APK or App Bundle file which you need protect | file path of created APK or AAB | Required | |
| ‑sealedapk | Destination path including sealed file`s name which you need to download | file path of sealed APK or AAB | Required | |
| ‑app_type | Your app’s type for optimized sealing | GAME, NON_GAME | Optional | GAME |
| ‑service_type | DoveRunner Mobile App Security Hybrid has different version management, so if you are uploading Hybrid app such as ReactNative, Ionic, Cordova, you should put HYBRID_AOS here. | NATIVE_AOS, HYBRID_AOS | Optional | NATIVE_AOS |
| ‑framework | This option is required when you are uploading HYBRID_AOS app. | REACT_NATIVE, IONIC, CORDOVA | Optional | |
| ‑service_version | DoveRunner Mobile App Security service version | latest or specific version like 2.31.0.0 | Optional | latest |
| ‑deploymode | Test mode will show DoveRunner Mobile App Security watermark but you can test without any limit. Release mode will remove watermark, but it’s MAD will be calculated as payed usage. | test, release | Optional | test |
| ‑so_encrypt From 3.1.0.0 | Doverunner server will automatically encrypt available SO fils under app’s lib folder. - It does not encrypt SO files from the known 3rd party libraries, which can conflict with Doverunner. | yes, no | Optional | yes |
| ‑select_so_encrypt From 3.1.0.0 | Doverunner server will encrypt your SO files based on your parameter. - selective_so parameter must have values to use this option. - This option works only when so_encrypt is yes. | yes, no | Optional | no |
| ‑selective_so From 3.1.0.0 | You can specify your SO files under lib folder of your app. Each SO file is separated by commas (,). - This option works only when so_encrypt and select_so_encrypt are both yes. | "libAAA.so,libCC.so,...libZZZ.so" | Optional | |
| ‑dex_encrypt | You can encrypt classes.dex files. | yes, no | Optional | no |
| ‑select_dex_encrypt | After set yes for ‑dex_encrypt option, you can enable this option to yes. Before use this option, you need to register class or package of your Android code at DoveRunner Mobile App Security console. | yes, no | Optional | no |
| ‑block_environment | You can block Rooting or Emulator environement at this option. You can use multiple options with comma. | rooting, emulator | Optional | |
| ‑allow_emulator | You can allow specific emulators after blocking emulators at above option. You can use multiple options with comma. | LDPlayer, BlueStacks, Nox | Optional | |
| ‑block_work_profile | You can block app launch from work profile environment such as Secure Folder | yes, no | Optional | yes |
| ‑allow_work_profiles | You can allow exeptional work profiles when above option is set yes | Samsung SecureFolder | Optional | |
| ‑use_query_all_packages | With this permission, DoveRunner Mobile App Security can detect cheat tools which change their package_name, but need to submit a form to Google Play Console and get approved to upload the app on Google Play Console. To check the details, please visit our help center page. Read Help center guide | yes, no | Optional | no |
| ‑block_keylogger | You can block keylogger apps which hide on end‑user smartphone and capture the key log information. | yes, no | Optional | no |
| ‑hide_overlay_windows | You can block external app’s UI overlay on your application to avoid unexpected manipulation. This option will work from Android 12 devices. | yes, no | Optional | no |
| ‑block_screen_capture | When any screen mirroring or capturing app is trying to hijack an app’s screen, it will only get a black screen. But this will not send any hacking detection report, and will not quit the app. | yes, no | Optional | no |
| ‑allow_external_tool | Macro(Auto clicker) and Packet attack tools are blocked by default. You can allow these tool by using this option. You can use multiple options with comma. | macro, sniff | Optional | |
| ‑block_developer_options | You can block app execution from a smartphone with Developer options enabled. | yes, no | Optional | no |
| ‑block_usb_debugging | You can block app execution form a smartphone with USB Debugging enabled | yes, no | Optional | yes |
| ‑wifi_security_protocol | You can collect smartphone’s current Wi-Fi security protocol information such as WEP,WPA. When you enable this option, android.permission.ACCESS_WIFI_STATE is added to your application | collect, disable | Optional | disable |
| ‑app_signing | After DoveRunner Mobile App Security, app’s signature is disabled. To install sealed app on smartphone, you need to sign your sealed APK or AAB manually or using this option. You can use registered_key option after register your keystore on DoveRunner Mobile App Security console | none, appsealing_key, registered_key | Optional | none |