Summary:
As mobile fraud grows more sophisticated, even the authentication methods long considered the strongest, such as CIAM, biometrics, and IDV, are being bypassed by attackers using AI, spoofing, and runtime manipulation. Customer Identity Protection (CIP) is a new defense category created by Appdome to safeguard the full lifecycle of customer identity inside mobile apps. By establishing a cryptographically bound chain of trust across app release, install, and runtime, CIP detects and stops impersonation, fake devices, and synthetic identity threats, ensuring the trustworthiness of every mobile session, even after login.
Appdome has introduced a critical new defense category for the mobile economy. It’s called Customer Identity Protection (CIP).
In the modern digital landscape, the way brands and enterprises create, validate, and manage customer identity is undergoing a seismic shift. For years, the conversation centered on biometric authentication, Customer Identity and Access Management (CIAM) and Identity Verification (IDV) as the foundation for customer identity. These systems provide the workflows users follow to register, authenticate, and gain access to digital services.
While initiatives like FIDO and NIST’s Digital Identity Guidelines focus on standardizing authentication and identity assurance frameworks, Customer Identity Protection (CIP) extends that trust into the mobile runtime—ensuring that the app, device, and session remain genuine and untampered throughout the mobile journey.
However, according to industry estimates, over 72% of mobile fraud cases in 2024 involved spoofed or synthetic identities that bypassed CIAM or biometric checks. New AI-based attack vectors now target how these systems work, including the signal source of identities created and used by them. The new question that brands are asking is not how we create and manage customer identity, but how we protect it.
What Is Customer Identity Protection?
Customer Identity Protection (CIP) is a perimeter defense layer for Customer Identity and Access Management (CIAM), Identity Verification (IDV), and other systems used in mobile applications.
The purpose of CIP is to detect when alternate, fake, impersonated, or manipulated devices, apps, and installations are used in identity assertions, as well as to identify threats in the mobile environment that could undermine the authenticity of customer identity used in mobile apps. To achieve this, CIP creates and maintains a cryptographically bound chain of trust that spans the publisher’s DevOps environment, app release, installation, app store publishing, and the mobile app’s runtime use. This chain covers the full range of interactions users perform during a session—such as authenticating, transacting, submitting documents, making withdrawals or payments, mobile check-out, and more—continuously monitoring for threats that could compromise customer identity, including hijacking, spoofing, or runtime identity replacement. Such compromises can occur through credential replay, session hijacking, token theft, click fraud, overlay attacks, keystroke injection, app tampering, and many other advanced threat methods—all of which CIP is designed to detect and stop.
Here are the six (6) key elements of a CIP solution:
- Perimeter Defense for Identity – A CIP solution must provide an independent perimeter defense layer for CIAM, IDV, and other identity-based services used in apps, like Identity & Access Management (IAM) and Ad Attribution systems. It monitors for signs of device and signal spoofing, impersonation, and manipulation of the identity context throughout the lifecycle of an app. This is critical, as 41% of mobile session hijacks now occur after MFA or biometric authentication has completed.
- Multi-Level Identity Fingerprint – To detect different attack vectors, CIPs must securely generate, maintain, and evaluate multiple fingerprints for each part of the source origin of the customer identity, including the mobile app build, release, install, and device used by each user.
- Immutable Mobile Binding – To use the fingerprints in application or device binding, each identifier must be: (1) protected against manipulation, exfiltration, and reuse, and (2) immutable, e.g., the fingerprints cannot be disabled or changed, even with reinstalls, factory resets, and modern hacking tools. Ephemeral device binding alone is not sufficient.
- Identity Evaluation with Threat Signals – CIPs must actively monitor and deliver threat signals with each fingerprint payload to prevent deepfakes, social engineering, spyware, and similar threats.
- On-Device Identity Protection – A CIP solution must securely record and maintain the true mobile device attributes and protect runtime customer data such as user IDs, session tokens, cookies, credentials, and account data, including any identity data on the mobile device, in memory, in application state, or in transit between the mobile client and backend.
- Granular Identifiers & Flexible Enforcement – CIPs must be able to create unique device fingerprints across multiple identical devices, and allow users to opt-out of advertising identifiers and update mobile operating systems without triggering alerts.
Before calling the CIAM, IDV, authentication, payment, or attribution system, the CIP lets the app or the identity service know if it’s safe to do so and, thereafter, stands watch, looking for threats that compromise the integrity of customer identity in the business. If any part of CIP’s chain of trust is broken, the brand or enterprise knows customer identity is at risk. CIP can also be used to ensure that the inputs that payment, loyalty, and attribution systems rely on, and the outputs they generate, remain real, valid, and unaltered in the mobile experience.
CIAM + CIP = Trusted Customer Identity
Mobile brands have learned the hard way that everything from the mobile app and device itself to the mobile identifiers available to advertisers, the camera, biometric, and authentication data, OTP and MFA data, device attributes, session tokens, and cookies, can all be spoofed, mimicked, or reused. There are literally 1,000s of ways to create, use, or replicate fake or modified identities in the mobile economy.

Now, think of CIAM, IDV, and IAM as a smart lock on the front and back doors of a home. CIP is the intrusion detection and prevention system, ensuring the system itself has not been compromised and monitoring the entire home with surveillance, alarms, and threat analysis to ensure that whoever opens the lock and enters the home belongs there. A CIP solution ensures the following three major attack vectors can be addressed easily:
- Identity Compromise – A CIP solution can detect a customer identity being used on an alternate, fake, or compromised device or application, as well as identity threats such as deepfakes, spyware, Trojan apps, ATS malware, and more.
- On-Device & KYC Fraud – A CIP solution can detect on-device fraud and KYC fraud from fake clicks and gestures, keystroke injection, and other fake inputs, as well as geolocation spoofing, social engineering scams, and loyalty or program abuse.
- Mobile Ad Fraud – A CIP solution can identify when device attributes have been manipulated, as well as full-scale device spoofing, Advertiser ID (GAID/IDFA) cycling, and other techniques used to bypass Android & iOS advertising models.
It should be no surprise that the rise of AI-generated and AI-enhanced fraud means that mobile businesses – and identity generally – can no longer look upon biometric authentication, CIAM, IDV, or even Identity & Access Management (IAM) as sufficient to protect the business. They are necessary, for sure. At the same time, these systems need protection themselves. All the elements of the mobile ecosystem that identity relies on for “truth” are at risk, and the future of digital trust demands a solution that sees beyond the gate – i.e., beyond access, authentication, MFA and credentials – and ensures true, valid and authentic customer identity at all times, both before and after access and login.
If you want to protect customer identity in your mobile apps, drop us a line at info@appdome.com or click the button below to request a live demo from one of our identity experts.



