How to Use Appdome MOBILEBot™ Defense

How Traditional Anti-Bot Offerings Work

Traditional anti-bot offerings have struggled to keep pace with the evolving diversity and sophistication of mobile applications, often trying to force-fit bot defense methods designed for web applications onto mobile frameworks. This mismatch often requires mobile app developers to change the mobile application network stack, remove valuable TLS-protecting network connections, or limit bot defense to singular hosts. The result, for the increasingly mobile app-driven economy, is that larger parts of the mobile infrastructure are left vulnerable to mobile bot attacks, fraud, ATOs, API abuse, credential stuffing and more.

What is Appdome MOBILEBot™ Defense?

The new MOBILEBot™ Defense solution offers mobile brands an unparalleled bot detection, comprehensive intelligence, and rapid defense against malicious bots, credential stuffing and ATOs in mobile app business lines.
Appdome’s MOBILEBot™ combines several defense methods to address these weaknesses and provide a robust solution for securing mobile apps against malicious bots. MOBILEBot™ offers full support for all mobile languages and frameworks, including Obj-C, C+, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Maui, Xamarin, Cordova, and more. Integration with your mobile apps is facilitated through a No-Code, No-SDK, and Fully Automated Delivery built to integrate seamlessly with mobile DevOps pipelines.

Prerequisites for using Appdome’s MobileBot Defense:

To use Appdome’s mobile app security build system for Mobile Bot Defense, you’ll need:

• Appdome account (create a free Appdome account here)
• A license for MOBILEBot™
• Mobile App (.ipa for iOS device or .apk or .aab for Android)
• Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)
• A license for Threat-Event™ Meta-Data
• A license for ThreatScore™ Data

Overview of Appdome MOBILEBot™ Defense Features

MOBILEBot™ Defense

Protected Host
The Mobile AntiBot solution is configured to allow the addition of multiple protected hosts. Each host is individually fortified with several security features such as mTLS Pre-Authentication, Session Headers, and Secure Certificate Pinning.

Rate Limit Connections
Learn more about How to Enforce Rate Limiting in MOBILEBot™ Defense

mTLS Pre-Authentication
Appdome’s mTLS Pre-Authentication can be used as the fourth verification layer before the Anti-Bot payload is sent to the WAF using a P12 client certificate in the TLS handshake. mTLS Re-Authentication is a quick and easy way to identify good mobile app requests from bad ones.

Learn more about How to Sign Secured iOS Apps Using P12 Distribution Certificate 

Heartbeat Solution
The Heartbeat Solution is an advanced security framework by Appdome designed to safeguard application sessions. It comprises four main elements: Session Headers, Safe Sessions, At Risk Sessions, and a Payload Signing Key.

Note: The heartbeat solution does not include secure certificate pinning, rate limiting, or client certificates.

Session Headers
Appdome’s session headers employ a multi-layered approach with application fingerprinting to guarantee not only a tamper-proof payload but also to enhance the WAF’s ability to thwart session replay attacks. This structure offers the WAF insight into the security status of the device running the protected app. Moreover, the WAF can obtain data on threats identified by the protected app and can accurately differentiate between attacks coming from various devices.

To guarantee that the anti-bot signal cannot be spoofed by an attacker, Appdome protects all data in transit with pre-packaged and optional features like Secure Certificate Pinning to the (WAF), TLS Session hardening, active MiTM Defense, and optional WAF encryption for the Session Header Payload (over and above the RSA Key).

Note: Please be aware that Security Certificate Pinning and the Anti Bot Pin to Host are mutually exclusive. Implementing them together will result in a conflict within the engine. Ensure to use only one method at a time to avoid potential issues.

Note: All protections available under “Standard Device & Connection Risk” and “Advanced On-Device Bot Detection” are only accessible when the “Session Headers” feature is enabled.

Safe Session
Represents sessions that are determined to be safe or not at risk of any threat.

At Risk Session
Represents sessions that are potentially under threat or have detected anomalies.

Payload Signing Key
The public key that Appdome uses to encrypt the payload.

Payload Timestamp
Learn more about How to Use Payload Timestamps In Mobile Bot Defense

Appdome ThreatID™
Learn more about How to Use Appdome ThreatID™ In Mobile Bot Defense

Nonce in Payload
Learn more about How to Validate a Nonce Payload with Appdome MOBILEBot™ Defense

Appdome AppID™
Learn more about How to Use Appdome AppID In Mobile Bot Defense

Appdome Signed Payload
Ensures data integrity and security by verifying the digital signature of each payload before connection.

Pin to Host
Learn more about How to Secure Android & iOS Apps with Pin to Host

Anti-Bot Connection Hardening

To eliminate hijacking and replay attacks, Appdome’s MOBILEBot™ Defense solution protects all data-in-rest with pre-packaged features such as data-at-rest encryption for all Anti-Bot configurations, secrets, keys, IDs, etc. as well as a protected memory space for all Anti-Bot functions.

MiTM Attack Prevention enables the performance of mTLS pre-authentication, monitors connections for MiTM attacks, and safeguards connections and anti-bot payload in transit between the anti-bot solution and any industry standard WAF.
Protect Anti-Bot Config at Rest
Encrypts all Mobile Anti-Bot configurations, including host, keys, certificates, etc., at rest to prevent the harvesting.
Protect Anti-Bot Config in-Memory
Prevents attackers from harvesting Mobile Anti-Bot configurations, including host, keys, certificates, etc., in memory.
Prevent Session Replay Attack
Appdome detects and prohibits session replay attacks and reclaims SessionID for stale TLS sessions so that hackers cannot reuse them in their attacks.
Prevent Session Hijacking
Appdome detects, prohibits, and protects app connections from session hijacking by validating the server SSL certificate chain’s authenticity and providing authenticity proof to the server on behalf of the client.
Prevent Cookie Hijacking
Appdome detects, prohibits, and protects app connections against cookie hijacking by validating the server SSL certificate chain’s authenticity and providing authenticity proof to the server on behalf of the client.
Malicious Proxy Detection
Appdome detects any attempt to connect to or from unknown, untrusted, or malicious proxies or other intermediary devices.
Deep Proxy Detection
Appdome performs a deep inspection of proxies and proxy techniques, including header manipulation and redirects.

Mobile Device & Connection Risk

Mobile Anti-Bot Policy
This includes ThreatIDs for jailbreak, root, Magisk, Zygisk, the Jailbreak Bypass tool, Frida ToolKit, Emulators, and Simulator detection. When Anti-Bot is ON, Standard Risk Policy is ON by default.
Note: Please be aware that the MiTM Prevention and Mobile Anti Bot Policy features are mutually exclusive. Implementing them together will result in a conflict within the engine. To avoid potential issues, ensure that you use only one method at a time.
Advanced On-Device Bot Detection
On-Device Bot Detection is the ability to detect automated programs interacting with the mobile app such as auto-tapping, auto-clickers, memory editing, keystroke injection, emulators, etc. Advanced Bot Detection Intelligence allows payloads to include the Mobile Threat-ID™, detailed threat description, Threat-Score™, attack geolocation, and metadata such as DeviceID and more than two dozen other variables.

Threat Intelligence Policy
Threat Intelligence Policies go beyond Device State and ThreatID to include Threat-Event Meta data like OS, OS version, DeviceID, Threat-Scores and more. Choose the option(s) to be included in your Anti-Bot Payload.