How to Use Appdome MOBILEBot™ Defense
How Traditional Anti-Bot Offerings Work
Traditional anti-bot offerings have struggled to keep pace with the evolving diversity and sophistication of mobile applications, often trying to force-fit bot defense methods designed for web applications onto mobile frameworks. This mismatch often requires mobile app developers to change the mobile application network stack, remove valuable TLS protecting network connections, or limit bot defense to singular hosts. The result, for the increasingly mobile app-driven economy, is that larger parts of the mobile infrastructure are left vulnerable to mobile bot attacks, fraud, ATOs, API abuse, credential stuffing and more.
What is Appdome MOBILEBot™ Defense?
The new MOBILEBot™ Defense solution offers mobile brands unparalleled bot detection, comprehensive intelligence, and rapid defense against malicious bots, credential stuffing and ATOs in mobile app business lines.
Appdome’s MOBILEBot™ combines several defense methods to address these weaknesses and provide a robust solution for securing mobile apps against malicious bots. Appdome’s MOBILEBot™ offers full support for all mobile languages and frameworks, including Obj-C, C+, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Maui, Xamarin, Cordova and more. Integration with your mobile apps is facilitated through a No-Code, No-SDK, and Fully Automated Delivery, built to integrate seamlessly with mobile DevOps pipelines.
Prerequisites for using Appdome’s MobileBot Defense:
To use Appdome’s mobile app security build system for Mobile Bot Defense, you’ll need:
- Appdome account (create a free Appdome account here)
- A license for MOBILEBot™
- Mobile App (.ipa for iOS device or .apk or .aab for Android)
- Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)
- A license for Threat-Event™ Meta-Data
- A license for ThreatScore™ Data
Overview of Appdome MOBILEBot™ Defense Features
The Mobile Anti-Bot solution is configured to allow the addition of multiple protected hosts. Each host is individually fortified with several security features such as mTLS Pre-Authentication, Session Headers, and Secure Certificate Pinning.
Rate Limit Connections
Learn more about How to Enforce Rate Limiting in MOBILEBot™ Defense
Appdome’s mTLS Pre-Authentication can be used as a fourth verification layer before the Anti-Bot payload is sent to the WAF, using a P12 client certificate in the TLS handshake. mTLS Pre-Authentication is a quick and easy way to distinguish good mobile app requests from bad ones.
Learn more about How to Sign Secured iOS Apps Using P12 Distribution Certificate
The Heartbeat Solution is an advanced security framework by Appdome, designed to safeguard application sessions. It comprises four main elements: Session Headers, Safe Session, At Risk Session, and Payload Signing Key.
Note: The heartbeat solution does not include secure certificate pinning, rate limiting or client certificates.
Appdome’s session headers employ a multi-layered approach with application fingerprinting to guarantee a tamper-proof payload and to enhance the WAF’s ability to thwart session replay attacks. This structure gives the WAF insight into the security status of the device running the protected app. Moreover, the WAF can obtain data on threats identified by the protected app and can accurately differentiate between attacks coming from various devices.
To guarantee that the anti-bot signal cannot be spoofed by an attacker, Appdome protects all data-in-transit with pre-packaged and optional features like Secure Certificate Pinning to the WAF, TLS Session hardening, active MiTM Defense, as well as optional WAF encryption for the Session Header Payload (over and above the RSA Key).
Note: Please be aware that Secure Certificate Pinning and the Anti-Bot Secure Certificate Pinning are mutually exclusive. Implementing them together will result in a conflict within the engine. Use only one method at a time to avoid potential issues.
Note: All protections available under “Standard Device & Connection Risk” and “Advanced On-Device Bot Detection” are only accessible when the “Session Headers” feature is enabled.
Safe Session
Represents sessions that are determined to be safe or not at risk of any threat.
At Risk Session
Represents sessions that are potentially under threat or have detected anomalies.
Payload Signing Key
The public key that Appdome uses to encrypt the payload.
Learn more about How to Use Payload Timestamps In Mobile Bot Defense
Learn more about How to Use Appdome ThreatID™ In Mobile Bot Defense
Nonce in Payload
Learn more about How to Validate a Nonce Payload with Appdome MOBILEBot™ Defense
Learn more about How to Use Appdome AppID In Mobile Bot Defense
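As an added illustration (not Appdome’s code or wire format), the following Python sketch shows the WAF-side checks that the Session Headers, Payload Timestamp and Nonce in Payload features described above are meant to enable: verify the payload’s integrity before trusting anything in it, enforce a freshness window on the timestamp, accept each nonce only once, and derive a Safe Session / At Risk Session verdict from the threat data the app reported. The header name, payload field names, score threshold and the HMAC-SHA256 tag are assumptions made for the example; HMAC stands in for the RSA key the page mentions so that the code runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed names (not Appdome's): the header value is "<base64url(body)>.<base64url(tag)>".
HEADER_NAME = "X-Anti-Bot-Session"   # hypothetical header name
MAX_SKEW_SECONDS = 120                # timestamp freshness window (assumed)
SCORE_THRESHOLD = 50                  # constructed threat-score cut-off


class NonceStore:
    """Remembers nonces for `ttl` seconds so a captured header cannot be replayed.
    ttl must cover the whole freshness window (2 * MAX_SKEW_SECONDS), otherwise a
    replay could slip in after the nonce has been forgotten."""

    def __init__(self, ttl=2 * MAX_SKEW_SECONDS):
        self.ttl = ttl
        self._seen = {}   # nonce -> time first seen

    def check_and_add(self, nonce, now):
        for seen_nonce, seen_at in list(self._seen.items()):
            if now - seen_at > self.ttl:
                del self._seen[seen_nonce]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def build_header(payload, key):
    """App side (constructed for the example): canonical JSON, HMAC tag, base64url."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (
        base64.urlsafe_b64encode(body).decode(),
        base64.urlsafe_b64encode(tag).decode(),
    )


def validate_header(header, key, store, now=None, max_skew=MAX_SKEW_SECONDS):
    """WAF side: returns (verdict, reason) with verdict in {"safe", "at_risk", "reject"}."""
    if now is None:
        now = time.time()
    try:
        body_b64, tag_b64 = header.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:          # covers unpack errors and binascii.Error
        return "reject", "malformed header"

    # 1. Integrity first: nothing in the body is trusted until the tag matches.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject", "bad signature"

    try:
        payload = json.loads(body)
    except ValueError:
        return "reject", "payload is not JSON"
    if not isinstance(payload, dict):
        return "reject", "payload is not an object"

    # 2. Freshness: stale or future-dated payloads are rejected outright.
    ts = payload.get("timestamp")
    if not isinstance(ts, (int, float)) or abs(now - ts) > max_skew:
        return "reject", "stale or future timestamp"

    # 3. One-time nonce: the same header is never accepted twice.
    nonce = payload.get("nonce")
    if not isinstance(nonce, str) or len(nonce) < 16:
        return "reject", "missing or short nonce"
    if not store.check_and_add(nonce, now):
        return "reject", "replayed nonce"

    # 4. Risk verdict from the threat data the app reported.
    threat_ids = payload.get("threat_ids") or []
    if not isinstance(threat_ids, list):
        threat_ids = [str(threat_ids)]
    score = payload.get("threat_score", 0)
    if threat_ids or (isinstance(score, (int, float)) and score >= SCORE_THRESHOLD):
        return "at_risk", "threats=%s score=%s" % (",".join(map(str, threat_ids)) or "-", score)
    return "safe", "ok"


def demo(key=b"constructed-demo-key", now=1_700_000_000.0):
    """Runs the scenarios a WAF must get right; returns the verdicts in order."""
    store = NonceStore()
    clean = {"app_id": "com.example.app", "timestamp": now,
             "nonce": "1f3c" * 8, "threat_ids": [], "threat_score": 0}
    flagged = dict(clean, nonce="9a7e" * 8, threat_ids=["jailbreak"], threat_score=80)
    stale = dict(clean, nonce="c0de" * 8, timestamp=now - 3600)
    h_clean = build_header(clean, key)
    return [
        validate_header(h_clean, key, store, now)[0],                     # safe
        validate_header(h_clean, key, store, now + 5)[0],                 # reject: replayed nonce
        validate_header(h_clean, b"wrong-key", store, now)[0],            # reject: bad signature
        validate_header(build_header(stale, key), key, store, now)[0],    # reject: stale
        validate_header(build_header(flagged, key), key, store, now)[0],  # at_risk
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: the tag is verified before the body is parsed, so an attacker who cannot produce a valid tag cannot influence the timestamp, nonce or threat fields, and the nonce store only retains values that passed every earlier check, which keeps it from being filled with garbage.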
Secure Certificate Pinning
Learn more about How to use Secure Certificate Pinning in Android & iOS Apps
Anti-Bot Connection Hardening
To eliminate hijacking and replay attacks, the Appdome MOBILEBot™ Defense solution protects all data-at-rest with pre-packaged features such as data-at-rest encryption for all Anti-Bot configurations, secrets, keys, IDs, etc., as well as a protected memory space for all Anti-Bot functions.
MiTM Attack Prevention performs mTLS pre-authentication, monitors connections for MiTM attacks, and safeguards connections and the anti-bot payload in transit between the anti-bot solution and any industry-standard WAF.
Protect Anti-Bot Config at Rest
Encrypts all Mobile Anti-Bot configurations, including host, keys, certificates, etc., at rest to prevent harvesting.
Protect Anti-Bot Config in-Memory
Prevents attackers from harvesting Mobile Anti-Bot configurations, including host, keys, certificates, etc., in memory.
Prevent Session Replay Attack
Appdome detects and prohibits session replay attacks and reclaims SessionID for stale TLS sessions so that hackers cannot reuse them in their attacks.
Prevent Session Hijacking
Appdome detects, prohibits, and protects app connections from session hijacking by validating the server SSL certificate chain’s authenticity and providing authenticity proof to the server on behalf of the client.
Prevent Cookie Hijacking
Appdome detects, prohibits, and protects app connections against cookie hijacking by validating the server SSL certificate chain’s authenticity and providing authenticity proof to the server on behalf of the client.
Malicious Proxy Detection
Appdome detects any attempt to connect to or from unknown, untrusted, or malicious proxies or other intermediary devices.
Deep Proxy Detection
Appdome performs a deep inspection of proxies and proxy techniques, including header manipulation and redirects.
Mobile Device & Connection Risk
Mobile Anti Bot Policy
Includes ThreatIDs for jailbreak, root, Magisk, Zygisk, jailbreak-bypass tools, the Frida toolkit, and emulator and simulator detection. The Standard Risk Policy is ON by default when Anti-Bot is ON.
Note: Please be aware that MiTM Prevention and the Mobile Anti Bot Policy features are mutually exclusive. Implementing them together will result in a conflict within the engine. Use only one method at a time to avoid potential issues.
Advanced On-Device Bot Detection
On-Device Bot Detection is the ability to detect automated programs interacting with the mobile app such as auto-tapping, auto-clickers, memory editing, keystroke injection, emulators, etc. Advanced Bot Detection Intelligence allows payloads to include the Mobile Threat-ID™, detailed threat description, Threat-Score™, attack geolocation, and meta data such as DeviceID and more than two dozen other variables.
Threat Intelligence Policy
Threat Intelligence Policies go beyond Device State and ThreatID to include Threat-Event™ Meta-Data like OS, OS version, DeviceID, Threat-Scores and more. Choose the option(s) to be included in your Anti-Bot Payload.
- Mobile Jailbreak and Root Attacks Explained
- Understanding ThreatScope Mobile XDR Threat-Views
- How to Provide Secure Offline Data Access for iOS & Android
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.