We just released our new MobileBOT™ Defense offering. I wanted to take a moment to tell you why.
For years, bot defense has focused on blocking brute-force bot attacks and credential stuffing to defend the business against Account Takeovers (ATO). However, the modern-day attacker doesn’t really need to flood the backend just to guess a user’s credentials or carry out an ATO attack.
Today’s cyber attackers are armed with new malware and AI-powered tools that make large-scale credential stuffing only one of an increasing array of attack methods targeting API endpoints. These tools produce successful API exploits with less noise and with alarming precision and effectiveness. To be clear, these are bot attacks. They simply are not brute-force bot attacks.
The Rise of Session Risk in Mobile Bot Defense
Some bot defense products attempt to detect “device state” to identify a potential mobile bot attack. Several (if not all) mobile anti-bot products rely on open-source tools to look for the presence of jailbreak, root, and emulators. The problem with using “device state” is that it is a bad predictor of bot attacks and has no predictive value for ATO risk. For example, iOS jailbreak and Android root are data risks, not signals of bot attacks. This imprecision causes too many false positives and blocks connections from real users.
Network security professionals need deep inspection of the “session risk” with every API connection request. Session risk equals ATO risk and can identify a specific threat associated with the mobile device, operating system, application, network, user interface, as well as the presence or absence of user-level threats at the time of access and throughout the lifecycle of the mobile app. Deep inspection of the total session risk for each API endpoint gives network security professionals the control and high-fidelity defense needed to combat modern ATO attacks.
Using Session Risk to Detect ATO Attacks
Every web application firewall (WAF) has a rules engine, something that can be used to parse payloads to look for specific attack identifiers. Likewise, every mobile app connects to several APIs during an active session. Given these facts, let’s look at the unique set of risks that target the most common mobile APIs during an active session. Imagine receiving data at your WAF that tells you if these risks exist or not, before allowing a connection to each mobile API.
For example:
1. Sign-Up APIs. For sign-up APIs, imagine knowing if automated “bot” entries, such as fake clicks, gestures, and keystrokes, as well as fake or emulated devices and geolocation fraud, are being used to create fake accounts.
2. Login APIs. For login APIs, imagine knowing if deepfake biometric bypass attacks, overlay attacks, keylogging, and other spyware used to harvest user credentials are being used to break in or steal your users’ credentials.
3. Password Reset APIs. For password and password reset APIs, imagine knowing if an attacker is using memory dumps, MiTM attacks, or social engineering scams, such as fake IT-support scams that encourage users to install remote desktop control apps or screen share with the attacker.
4. Payment APIs. At payment, checkout and purchase APIs, imagine knowing if data exploits, Remote Access Trojans, code injection attacks, hooking, patching, modding, banking Trojans and ATS malware are present at the time of purchase or payment.
5. Redemption APIs. For redemption APIs associated with synthetic currencies like loyalty points, votes, reviews, limited offers and the like, imagine knowing if memory editing attacks, modding platforms and frameworks are being used.
A bot defense policy that detects these threats throughout an active session, before each API response, is a big step forward. Armed with this visibility, you can turn knowledge into action and deny connection requests that carry these and other threats at any point in the lifecycle of the mobile app, even when the attack vectors are not part of a brute-force attack.
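As an added illustration that is not Appdome’s code, here is a small WAF-side policy evaluator in Python that maps the per-endpoint session-risk signals described above to allow/deny decisions, while treating device state (jailbreak, root) as observe-only, as the post argues. The header name, signal names and endpoint paths are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical per-endpoint deny rules. Signal names are assumptions modelled on
# the threats listed for each API type above; they are not a vendor's schema.
DENY_RULES = {
    "/api/signup": {"fake_input_events", "emulator", "geo_spoofing"},
    "/api/login": {"deepfake_biometric", "overlay_attack", "keylogger", "spyware"},
    "/api/password/reset": {"memory_dump", "mitm", "remote_desktop_control", "screen_share"},
    "/api/payment": {"rat", "code_injection", "hooking", "patching", "modding",
                     "banking_trojan", "ats_malware"},
    "/api/redeem": {"memory_editing", "modding_framework"},
}

# Device-state signals are data risks, not bot/ATO indicators: log them, never
# deny on them alone (this mirrors the false-positive point made in the post).
OBSERVE_ONLY = {"jailbreak", "root"}


@dataclass
class Decision:
    action: str                       # "allow" or "deny"
    reasons: list = field(default_factory=list)


def parse_risk_header(value):
    """Parse a constructed 'X-Session-Risk: sig1,sig2' header into a set of signals."""
    return {s.strip().lower() for s in value.split(",") if s.strip()}


def evaluate(path, signals):
    """Decide allow/deny for one API request from the session-risk signals it carries."""
    rules = DENY_RULES.get(path)
    if rules is None:
        # Unknown endpoint: no session-risk policy applies, fall through to other WAF rules.
        return Decision("allow", ["no endpoint policy"])
    hits = sorted(set(signals) & rules)
    if hits:
        return Decision("deny", hits)
    noted = sorted(set(signals) & OBSERVE_ONLY)
    return Decision("allow", [f"observe-only:{s}" for s in noted])


if __name__ == "__main__":
    # Constructed sample requests: (path, raw X-Session-Risk header value)
    samples = [("/api/login", "jailbreak,overlay_attack"),
               ("/api/login", "jailbreak"),
               ("/api/signup", "emulator"),
               ("/api/payment", "emulator")]
    for path, header in samples:
        d = evaluate(path, parse_risk_header(header))
        print(f"{path:22} {header:26} -> {d.action} {d.reasons}")
```

Note that the same signal (an emulator) is a deny reason at sign-up but not at payment, because each endpoint carries its own threat profile.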
Combine Session Risk with Brute Force Bot Defense
Brute-force bot attacks aren’t likely to go away. Credential stuffing will remain a tool in the toolbox of attack vectors used against mobile and web APIs alike.
As part of Appdome’s MobileBOT™ defense solution, we give you the tools to stop brute force bot attacks by fingerprinting the real, legitimate application in the TLS handshake, avoiding vulnerable JWTs and Cookies that are sent in the clear. This fingerprinting allows you to block API requests from bot farms, scripts and other automated programs. We also give you the ability to shift rate limiting to the client device, meaning you can throttle connection requests to critical APIs from the end user’s device, eliminating the risk of weaponized mobile apps and emulation altogether.
But now imagine that you can get detailed telemetry data about the true nature of the attack and its true location: the actual longitude and latitude of the attack, along with the specifics of the attack method itself, rather than “rough estimates” based on IP address.
Mobile Bot Defense 2.0 Needs to Take AI into Account
In the age of AI and mobile commerce, a bot defense strategy that is limited to brute force attacks is rapidly becoming obsolete. Stopping brute force attacks will remain important. However, the next wave in bot defense is about addressing the full spectrum of threats—from deepfakes to malware, overlay attacks to geo-fraud—with targeted policies that protect each API endpoint based on its unique vulnerabilities. By incorporating a deeper inspection of the total session risk into the WAF policy, network security professionals can provide a comprehensive defense against the growing threat of hyper-targeted Account Takeover and other attacks.
If you want to see how Appdome’s MobileBOT™ defense works, contact us or request a demo. We’d love to talk to you.