In this blog, we’ll explore how Appdome’s new IDAnchor™ offering is the foundation of trusted customer identity for mobile applications everywhere.
Identity systems, like biometric authentication, Customer Identity and Access Management (CIAM), Identity Verification (IDV), and even Identity & Access Management (IAM) systems, are crucial for streamlining customer identity in mobile applications. These systems guide a user through account creation, credential management, and access and authentication policies. At runtime, these systems also handle user login, identity verification, multi-factor authentication (MFA), consent, and access control. They address which customer or user identity can access an application.
For all their promise, CIAM, IDV, and IAM can’t address whether the entity asserting the customer identity should access an application. These systems aren’t designed to detect if the customer identity is real, fake, stolen, or compromised. For example, they are blind to whether the identity assertion comes from a mobile app created by the publisher, installed from a trusted source, or from a real or intact mobile device. As long as the asserted identity matches a record in their system, the entity asserting the identity is allowed to access the application.
IDAnchor’s Foundation of Trust
Here’s the basic problem. Creating and using identities in the mobile ecosystem takes a lot for granted. For example, the biometric authentication process that sits at the heart of CIAM, IDV and IAM systems assumes the authenticity and integrity of the mobile application, its source, as well as the device, its distinguishing attributes, operating system, camera, etc. – all the elements used to create, use and validate customer identity.
IDAnchor, on the other hand, uses a chain of trust to detect if the asserted identity is coming from a different, fake, impersonated or manipulated device, install or application. If the camera or other device element is controlled by the attacker, or if the biometric data has been spoofed, altered, or replaced, IDAnchor notifies the application or the CIAM/IDV that the asserted identity is coming from a compromised source, state or origin. IDAnchor uses multi-layered, immutable, living fingerprints to evaluate identity risks across the mobile lifecycle, including before any biometric process is called or access is granted to registering engagement or processing payment in an app.
Immutability of IDAnchor’s Chain of Trust
Appdome runs in the mobile DevOps environment. And, IDAnchor uses this to create a multi-layered chain of trust for customer identity that extends from the point of origin for each application, all the way to each engagement in that mobile app. IDAnchor fingerprints the DevOps workspace, and each mobile app release, install, and mobile device using the IDAnchor-enabled app. This allows mobile brands to bind user’s to their authentic distribution chain, and know if any part of that distribution chain is broken, replaced, impersonated or changed in any way.
As part of each IDAnchor payload, brands can get a minimum of four (4) mobile IDs:
- Workspace ID – Fingerprints the team workspace in the CI/CD pipeline that created the app release
- Release ID – Fingerprints the exact build or version published to public app stores
- Install ID – Fingerprints the specific mobile app install or instance on a device
- Device ID – Fingerprints the specific mobile device on which the application is installed and records the true device attributes as a baseline.
Each IDAnchor fingerprint, including updates, is protected inside the Appdome Security Framework in Android & iOS apps. Fraudsters cannot opt-out. Even full device factory resets will produce the same IDAnchor IDs for the same mobile application, installation, and device. This means that even if an attacker spoofs device attributes and OS-level identifiers, IDAnchor will detect the differences and notify the application or identity service.
Mobile brands and developers can call IDAnchor at any or multiple point(s) in the runtime of a mobile application to retrieve the IDAnchor fingerprints, IDAnchor Comparison Score, threat signals, and the true device attributes.
IDAnchor Puts an End to Mobile Fraud
By delivering a multi-layered and immutable app, install, and device fingerprints all in one package, IDAnchor solves a wide range of abuse, impersonation, and fraud vectors, including:
- Account Takeover (ATO) Fraud – By binding a user to a specific mobile install and device, mobile brands can detect account login from different app instances and different devices, including fake devices and spoofed devices.
- Counterfeit Mobile Apps – By binding a user to the real application release from the publisher, mobile brands can detect user login from fake or counterfeit apps.
- Social Engineering Scams – By binding a user to the origination source of the mobile app release, mobile brands can detect when a victim downloads a Trojan version of the app through sideloading, phishing, IT scams and other attack vectors.
- Mobile Ad Fraud – IDAnchor provides mobile brands with immutable device and application IDs, making it easy to flag fake installs, re-installs, and emulator activity commonly used in CPI and attribution fraud schemes.
- Loyalty Program Abuse – Prevents attackers from farming promotions by binding rewards to persistent DeviceIDs and InstallIDs.
- Referral Fraud – Stops referral abuse by ensuring unique devices and installs per campaign instance.
- Promo Code Abuse – Ensures promotions are used only once per trusted device-install combination, eliminating multi-account promo exploitation.
What makes IDAnchor so powerful is that it can detect threats, substitutions and impersonations of the app, install, or device – not one element but all three. Ephemeral identifiers like GAID/IDFA, cookies, or session tokens can be reset by both the user and the attacker alike. Device binding accesses the same OS level APIs that attackers use to spoof identities. Moreover, the mobile device is only one aspect of the value chain. The device might be valid, but the application might be fake. In these scenarios, device binding will not detect the fraud or social engineering that led to the compromise.
Trusted Customer Identity Begins with IDAnchor
Fraudsters have adapted and created new exploits that target the way customer identity is created, validated, and used in mobile applications. To respond, we don’t have to change the way we create or manage customer identity. We have to protect it.
IDAnchor is the first and only solution that allows mobile brands to protect the source of customer identity and bind each mobile user to the entire mobile application lifecycle—from DevOps to device. Just as a person’s identity becomes clearer with every trusted interaction, IDAnchor also builds a resilient identity signature that strengthens with every app release, install, and session. If customer trust is your brand’s most valuable asset, IDAnchor is the foundation you want to build your mobile brand on.
To build a trusted customer identity framework in your mobile applications, drop us a line at info@appdome.com or click the button below to request a live demo from one of our identity experts.
