How to Use Payload Timestamps In Mobile Bot Defense

What is a Payload Timestamp?

A payload timestamp is a critical component within the data packet transmitted over a network, commonly known as the payload, which marks the specific time at which the payload was created or sent. This might include anything from files being transferred, commands being sent, or other transactional data.

Why is a Payload Timestamp Important?

The payload timestamp serves as a temporal marker, ensuring that every piece of transmitted data can be traced back to the exact moment of its initiation or transmission, thereby establishing a timeline of data exchange. Implementing payload timestamp allows systems to detect and reject data packets that don’t belong within the current timeframe, thereby ensuring the prevention of replay attacks. Malicious actors use replay attacks to capture and resend data packets to mimic or disrupt a legitimate communication or transaction. Furthermore, timestamps establish order, which is crucial for synchronizing data exchanges and ensuring the proper sequence and context for receiving data. This aspect is especially vital in complex systems where timing might influence operational logic or decision-making processes.

Prerequisites for using Appdome’s MobileBot Payload Timestamp:

To use Appdome’s mobile app security build system to validate a Payload Timestamp, you’ll need:

• Appdome account (create a free Appdome account here)
• A license for MOBILEBot™
• Mobile App (.ipa For iOS device or .apk or .aab for Android)
• Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)

Note: The “Payload Timestamp” is integrated within the “Session Headers” feature. For your convenience, there’s no need to construct separate fusion sets—simply build one comprehensive set for “Session Headers” to include the payload timestamp functionality.

How to Setup the Payload Timestamp on Mobile apps using Appdome

On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that validate a Payload Timestamp without an SDK or gateway:

1. Upload the Mobile App to Appdome
   • Upload an app to Appdome’s Mobile App Security Build System
   • Upload Method: Appdome Console or DEV-API
   • Mobile App Formats: .ipa for an iOS device or .apk or .aab for Android
   • Payload Timestamp Compatible With: Obj-C, C+, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Maui, Xamarin, and more
2.  Build the feature: Session Headers
   • Build Session Headers using Appdome’s DEV-API:
   • Create and name the Fusion Set (security template) that will contain the Session Header feature as shown below:
     
     Figure 1: Fusion Set that will contain the Session Headers feature
     Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
   • Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set, as shown in Figure 1 above, and get the Fusion Set ID from the Fusion Set Detail Summary (as shown below)
     
     Figure 2: Fusion Set Detail Summary
     
     Note: Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
     
   • Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit such as Bitrise, App Center, Jenkins, Travis, Team City, Circle CI or other systems
   • Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
   • Look for sample APIs in Appdome’s GitHub Repository

Building the Payload Timestamp feature via Appdome Console

1. To build the Payload Timestamp protection using Appdome Console, follow the instructions below:
2. Where: Inside the Appdome Console, go to Build > Anti Bot Tab > MOBILEBot™ Defense section
3. How: Toggle (turn ON) Session Headers, as shown below.
   
   Figure 3: Validate Session Headers
   When you select Session Headers you’ll notice that the Fusion Set you created now bears the icon of the protection category that contains Anti Bot defense.
   Figure 4: Fusion Set that displays the newly added Session Headers protection
4. Click Build My App at the bottom of the Build Workflow (shown in Figure 3).
5. Certify the Session Headers feature in Mobile Apps.

After building Session Headers, Appdome generates a Certified Secure™ certificate to guarantee that the Session Headers protection has been added and is protecting the app.
To verify that the Session Headers protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:

Figure 5: Certified Secure™ certificate

Each Certified Secure™ certificate provides DevOps and DevSecOps organizations the entire workflow summary, audit trail of each build, and proof of protection that Session Headers have been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that Session Headers and other mobile app security features are in each build of the mobile app.

Using Appdome, there are no development or coding prerequisites to build secured Mobile Apps using Session Headers. There is no SDK and no library to code or implement in the app and no gateway to deploy in your network. All protections are built into each app and the resulting app is self-defending and self-protecting.

Releasing and Publishing Mobile Apps with Session Headers

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

• Customizing, Configuring & Branding Secure Mobile Apps
• Deploying/Publishing Secure mobile apps to Public or Private app stores
• Releasing Secured Android & iOS Apps built on Appdome.