Sealing Android apps


Article ID: 181696


Updated On:


Symantec Sealed




 The workflow described in this article is used to apply the Symantec Sealed Program Libraries and test assertion to an Android app. 

(For iOS apps, see Sealing iOS apps at )

Before you start

Save and export a clean, unsigned copy of your .APK.
Important note: Upon saving the .APK file, a message is displayed informing you that the unsigned package is stored at the location you specified in the previous step. The message also reminds you to sign the application and to run the ZipAlign utility on your signed app package. The Symantec Sealed Wrap Kit takes care of these tasks for you. You may close the message and proceed with the following steps.

Upload your Android app and download the Symantec Sealed Library and Test Assertion

  1. Log into your Symantec Sealed Program Partner Portal ("portal") and in the left pane, select Apps.
  2. At the top of the center pane, click Add App... and then click Browse...
  3. Select your unsigned .APK file.
    (Alternatively, you can drag and drop the file onto the App Upload icon.)
  4. In your Symantec Sealed Program Partner Portal, with your app selected in the middle pane, in the right pane, click the download icon for the Symantec Sealed Libraries. The WrapSDK file downloads to your default download location and the Download a Test Assertion panel appears.
  5. Download the Test Assertion. The file, entitlement.assertion downloads to your default download location.


Apply the Symantec Sealed Library and the Test Assertion to your Android app

Open a terminal session and change the terminal context to the directory containing the WrapSDK.ZIP and entitlement.assertion files. For the purposes of illustration, we'll assume the files are in a directory named Downloads.

Note: On Windows 7 and Windows 8, you must run CMD.EXE as Administrator or the sealing process will fail.

  1. Create a new directory- we'll call it AppWrap for this walk through- and change your terminal context to the new directory:
    Downloads: mkdr AppWrap
    Downloads: cd AppWrap

  2. Copy the files, WrapSDK.ZIP, entitlement.assertion, and your app's .APK file to the new directory
  3. Extract the contents of the WrapSDK archive to the directory you created in Step1.
  4. Run the Wrap.SDK.jar file with the following options and parameters (assuming the same directory name as above):

    AppWrap: java –jar WrapSDK.jar <app name>.apk entitlement.assertion

    For instance, if the original app name is TestApp.apk, the command is:

    AppWrap: java –jar WrapSDK.jar TestApp.apk entitlement.assertion

The wrap utility completes and places the wrapped Android app into the target directory with the file name, output.apk. 

You can also use the following command options:

-o <output file name>  to specify a name for the outputted .APK file.

To specify a java keystore (which allows your sealed app to be upgraded at a later date):

  • -k <keystore name>.jks  Note: Only .JKS format is supported.
  • -p <keystore password>
  • -a <keystore alias>
  1. In your portal, in the right pane, click Done!.

Upload the test version of your wrapped Android app to your portal

The final phase in the Android app sealing workflow is to add the Symantec Sealed version of your app to your Symantec Sealed Project Partner Portal.

  1. In your Symantec Sealed Program Partner Portal, in the left pane, click Apps and in the center pane, highlight your app. In the right pane click Browse… .
  2. Navigate to the directory containing your sealed app, and then click Open. Alternatively, you can drag and drop your sealed .APK file onto the app upload icon.

Your Symantec Sealed Android app is now ready for testing.

Uploading revised Android Apps

For the purpose of illustration, we’ll assume the same hypothetical directory structure as in the sealing instructions.

  1. Put your updated .APK file into the same directory as the other app-sealing files. (In the previous instructions, we called this directory, AppWrap.)
  2. If a new assertion is needed, at your Symantec Sealed Partner Portal, in the Admin console, click Apps > [your updated app] and at the top of the right pane, click Generate Assertion.
  3. Copy the new assertion to the directory containing the other app-sealing files.
  4. Run the command-line again.
  5. Back in your Symantec Sealed Partner Portal, go to Apps and highlight your app.
  6. In the right pane, in the app information area, click Upload new Test Version….
  7. Select and upload the new version of your app.
  8. Re-test your updated app and submit it again for validation.

Notes regarding the Android KeyStore and app signing

  • When an Android app is sealed, the original keystore used to sign the app should be used (this is a command line option). 
  • Android will only upgrade apps that are signed with the same certificate.  If an app is signed with a different certificate, the original app must be uninstalled so the new app can be installed.

Additional resources

More information and details regarding testing and submitting your app for validation are included in the Symantec Sealed Program Developer's Guide at