If you’re using an email service like Postmark, you’ll have to handle your own list management except unsubscribes and suppression (e.g. from hard bounces). To do this, a little web app will be needed if you want to do things like double opt-in (good idea). You’ll likely then want more features like profile management but the goal of this howto is getting a simple and hopefully secure webapp in place for /subscribe and /confirm (you can get unsubscribes/suppressions from Postmark via web-hooks or an API call).
If you’d like to generate an Android SBOM every time you build your app, you can combine previous techniques discussed on this blog to achieve this with GitHub Actions + NowSecure. If you’re not a NowSecure customer, first sign up for 10 free SBOMs so you can follow along in the tutorial.
To brush up on the previous techniques, check out my blog+video on how to generate an Android SBOM in CycloneDX format.
Let’s walk through the steps on how to generate a mobile SBOM for an Android app and compare the results from a source code vs. binary analysis.
So that everyone can follow along, I decided to use the excellent open source note-taking app Joplin. The source code is available of GitHub and there are multiple flavors of the app including Android and iOS apps. The project also has a great article on building the Joplin applications which you can follow instead of the below directions if you prefer.
Generating a SBOM can sometimes be very simple and other times a royal pain. For this first SBOM tutorial, I’m going down the very simple path! :-)
Using the open source ios-triage app, the following steps will build a CycloneDX SBOM in json format. As I’m hoping this blog is useful for folks new to security and/or programming, I’m going to provide a step-by-step approach.
Note: these commands were run on macOS but can be easily adapted for Linux or Windows