As AI-driven attacks become more sophisticated and common, developers and organizations must keep up. With AI agents, liveness and voice recognition checks no longer matter. That means app makers need to use AI to fight their attackers and protect their users and their data. Manually coding all the security features needed now and tomorrow is not fast enough, or even possible. By integrating CI/CD and AI-based security and testing platforms, organizations have an automated, end-to-end solution for ensuring mobile apps are safe throughout development and deployment.
In this series, I’ll go through different AI-driven mobile attacks and how to automate prevention and defense throughout development and deployment. If you’re more interested in operationalizing automated prevention/defense in your CI/CD, skip to the “Operational Approach” section.
Examples of AI-Driven Scams and Tampering’s Role
AI is being used to make scams more convincing and harder to detect. When an app is tampered with, it becomes an ideal entry point for scams. Here are some examples of how tampering enables or amplifies AI-driven scams:
- Phishing and Social Engineering Attacks: Once an app has been tampered with to disable authentication or security checks, attackers can more easily access sensitive user data (e.g., contact lists, location, email addresses). This data can then be fed into AI models to create highly targeted phishing messages more likely to deceive users. Tampering with an app can allow attackers to intercept in-app notifications or pop-ups, replacing them with phishing links. AI-driven models can further personalize these fake notifications to make them seem legitimate.
- Fake Investment and Financial Fraud: In financial or trading apps, tampering can disable integrity checks that prevent unauthorized transactions or modifications. With this level of access, attackers might use AI to automatically generate fraudulent investment opportunities that look realistic. For example, by tampering with a trading app, attackers can simulate portfolio performance, luring users into investing more money. AI can help adjust the simulated results, making the scam seem legitimate. Attackers can also leverage compromised apps to create fake “advisors” using generative AI, where the AI-powered bot appears to offer trading advice or customer support but is designed to siphon funds into attacker-controlled accounts.
- Malicious Customer Support Chatbots: After tampering with an app, attackers may replace legitimate in-app support bots with malicious, AI-driven versions that deceive users into sharing sensitive information. For instance, in a tampered banking app or digital wallet, a fake support chatbot can impersonate a real representative, asking users for account credentials under the pretense of “verifying” identity. AI-powered chatbots can simulate empathy and adapt responses based on user inputs, making these interactions more persuasive and harder to identify as fraudulent.
- AI-Powered Ad Fraud and Click Manipulation: Tampered apps can be modified to show fraudulent ads that AI tailors based on a user’s behavior, location, and history. For example, in a tampered shopping app, the attacker could replace legitimate ads with malicious ones that lead users to phishing sites. An AI model can help refine these ad placements, ensuring they appear at times or in ways that maximize user interaction.
Operational Approach: End-to-End, Automated Solution
Anti-tampering protections significantly reduce the risk of AI-driven scams by preventing unauthorized modifications to apps and are foundational components of OWASP, MITRE and other widely adopted security standards. But how do app developers build, test and deploy those protections for every app and release while they have so many other features to build and release?
As attackers use AI to launch attacks, app developers need to use AI to fight them. By integrating CI/CD and AI-based security and testing platforms, organizations have an automated, end-to-end solution for ensuring mobile apps are secure from development to deployment. As an example, below are steps for automating building, securing, and testing mobile apps with Appdome, Kobiton and Bitrise.
1. Automate Secure App Builds
In this age of AI-driven attacks, developers don’t have time to manually code all the protections that are needed. They need automation. Appdome provides that automation with a no-code, no-SDK platform with over 300 protections that are continuously updated by a team that is constantly identifying new threat vectors and building protections against them. Instead of coding security features, app developers can add Appdome protections in minutes.
How Appdome Helps
- Block tampering and prevent AI-driven scams: One of the key areas in OWASP MASVS is app resilience. By providing app resilience and preventing app tampering, developers block attempts to modify an app’s code. This eliminates the opportunity for attackers to compromise the app’s integrity, which is often the first step in enabling AI-driven scams.
- Build and Secure Continuously: Through Appdome’s platform, you can automate security into every build of an app. That means in every CI/CD pipeline, you can automate the addition of security features without changing your source code—within minutes.
- Build2Test: Automated testing services can use methods and tools that violate cybersecurity policies and methods. These methods and tools include emulators, virtualization, resigning, debugging, dual spaces, and Magisk. That means security features in protected apps will detect these methods and tools, and the resulting cyber defense may prevent testers from using the automated testing services. Appdome Build2Test enables Appdome-protected mobile apps to recognize the testing service and securely complete testing runs without interruption.
- Control UX and Notification of Security Events: Using Appdome’s Threat Events, you can configure the notification that is displayed to the user and the data that is sent to the app, developer and other systems. See below for an example of how you can configure a notification.
- Automated Builds of Secure Apps in CI/CD: Through an API or plugins, developers can integrate builds of secure apps on Appdome in any CI/CD platform.
- Monitor Live Attacks in Deployed Apps: See live, dynamic attacks on your apps, including fraud, social engineering, geo-compliance, and bots. For example, keylogging is a common attack as hackers track keystrokes to capture your credentials or other valuable information.
2. Automate Testing
Once the app is built and secured, it’s crucial to ensure that it functions as intended across multiple devices and scenarios. Kobiton provides a robust platform for device and functional testing, enabling developers to keep up with the testing needed for new features and changing testing requirements.
How Kobiton Helps
- Real Device Testing: Test your app on real devices under real conditions. This ensures that your app-sharing functionalities are robust and work as intended on different OS versions and devices.
- No-Code Testing: No-code testing allows manual testers to re-run their manual test sessions across device configurations. See below for a Kobiton test of an Appdome-protected app. In this test, you see that Appdome anti-tampering has successfully triggered, as the notification “Security Threat Detected by App” appears.
- Appium Script Generation: Generate Appium scripts from a manual session with a click, making your automation experts more productive.
- Scriptless Automation: Kobiton offers AI-enhanced, scriptless test automation so you don’t need to write complex scripts to test the app-sharing features—Kobiton’s AI takes care of that.
- Elimination of Flaky scripts: Kobiton’s AI engine provides self-healing script execution so scripts don’t flake out.
- CI/CD Integration: You can configure CI/CD platforms like Bitrise to push the secured app build from Appdome to Kobiton for testing, ensuring that both security and functionality are evaluated in a seamless flow.
3. Build, Secure, Test in CI/CD
CI/CD platforms automate the process from development to deployment. These platforms provide a workflow that you can configure, adding steps for app building and signing. Appdome and Kobiton provide integrations to these platforms so you can also add steps for adding security features (without manual coding) and automated testing.
Bitrise provides a CI/CD platform designed for mobile developers. It also has an extensive library of pre-built steps and integrations that allow teams to build secure apps and test them.
How Bitrise Helps
- Reduced Downtime and Faster Development Cycles: By automating the process, Bitrise reduces the need for manual intervention, which can lead to faster code releases and less downtime.
- Automate Secure App Builds: Use the Appdome step for Bitrise (iOS and Android) so Appdome can automatically add desired protections based on the app sharing security template. In the configuration of the step, enter the fusion set ID that contains the protections to be added to all builds going through the associated Bitrise workflow.
- Automated Testing: Use the Kobiton step for Bitrise to do functional testing. Once the app is secured via Appdome, Bitrise can trigger functional tests in Kobiton, automating the testing of secured apps.
In the Bitrise workflow below, you’ll see the steps to build, secure, test and deploy an app.
Conclusion
By integrating Bitrise, Appdome, and Kobiton, you can automate your mobile app’s entire development lifecycle—from building and securing to functionally testing the app. The above was one example, and you can use the same infrastructure to scalably build, protect and test your app against countless other AI-driven attacks.