How to Validate a Nonce Payload with Appdome's MOBILEBot™ Defense

Last updated November 29, 2023 by Appdome

Learn how to validate a Nonce in Payload in Mobile apps, in mobile CI/CD with a Data-Driven DevSecOps™ build system.

What is a Nonce Payload?

A Nonce Payload refers to a unique, one-time token that a mobile application generates during session initiation or at critical transaction points. This ‘nonce’ is a random string intended for a single use, making it a powerful tool against potential threat actors by preventing the replay of intercepted requests — a prevalent tactic in man-in-the-middle (MiTM) attacks and automated bot activities.

In the context of Appdome’s MOBILEBot™ Defense, the Nonce Payload is an integral component of the secure communication channel between the mobile application and the server. It is embedded within the Anti-Bot Payload, and securely transmitted to the server-side protection mechanisms, where it plays a crucial role in the authentication and validation of each request.

Why Use a Nonce Payload?

These unique, single-use tokens play a pivotal role in thwarting replay attacks, which involve malicious actors duplicating legitimate sessions or transactions between the app and its server. The Nonce Payload, by assigning a one-time identifier to each session, ensures the integrity and authenticity of user requests, making unauthorized attempts easily detectable and invalid. This level of security is crucial in high-stakes industries like finance and healthcare, where maintaining data confidentiality is mandatory for compliance with regulatory standards. It not only helps in securing the transactional data but also fortifies the overall defensive mechanisms of the application.

The integration of Nonce Payloads within Appdome’s MOBILEBot™ Defense solution forms a robust, multi-layered security framework. This comprehensive approach is vital in the current digital threat landscape, ensuring that mobile applications are not just secure but also reliable for users, enhancing trust, and ensuring smooth business operations.

Prerequisites to Using Nonce in Payload:

To use Appdome’s mobile app security build system to Validate Nonce in Payload , you’ll need:

Validate Nonce in Payload on Mobile apps using Appdome

On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that Validate Nonce in Payload without an SDK or gateway:

  1. Upload the Mobile App to Appdome
    • Upload an app to Appdome’s Mobile App Security Build System
    • Upload Method: Appdome Console or DEV-API
    • Mobile App Formats: .ipa For iOS device or .apk or .aab
    • Nonce in Payload Compatible With: Obj-C, C+, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Xamarin, and more
  2.  Build the feature: Mobile AntiBot
    • Build Mobile Anti Bot using Appdome’s DEV-API:
    • Create and name the Fusion Set (security template) that will contain the Mobile Anti Bot feature as shown below:
      Mobile Anti Bot Create Fs
      Figure 1: Fusion Set that will contain the Mobile Anti Bot featureNote: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
    • Follow the steps in Section, Building the Mobile Anti Bot feature via Appdome Console, to add the Mobile Anti Bot feature to this Fusion Set.
    • Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set, as shown in Figure 1 above, and get the Fusion Set ID from the Fusion Set Detail Summary (as shown below)
      Copy Fs Id
      Figure 2: Fusion Set Detail Summary

       Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
    • Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit such as Bitrise, App Center, Jenkins, Travis, Team City, Circle CI or other systems
    • Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
    • Look for sample APIs in Appdome’s GitHub Repository


Building the Mobile Anti Bot feature via Appdome Console

  1. To build the Mobile Anti Bot protection using Appdome Console, follow the instructions below:
  2. Where: Inside the Appdome Console, go to Build Anti Bot Tab > MOBILEBot™ Defense section
  3. How: Toggle (turn ON) Mobile Anti Bot, as shown below.
    Nonce In Payload Toggle
    Figure 3: Validate Mobile Anti BotWhen you select Mobile Anti Bot you’ll notice that your Fusion Set you created now bears the icon of the protection category that contains Mobile Anti BotMobile Anti Bot Applied Fs
    Figure 4: Fusion Set that displays the newly added Mobile Anti Bot protection
  4. Click Build My App at the bottom of the Build Workflow (shown in Figure 3).
  5. Certify the Mobile Anti Bot feature in Mobile Apps.

After building Mobile Anti Bot, Appdome generates a Certified Secure™ certificate to guarantee that the Mobile Anti Bot protection has been added and is protecting the app. To verify that the Mobile Anti Bot protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:

Myiosapp Certificate Sun Oct 22 2023
Figure 5: Certified Secure™ certificate

Each Certified Secure™ certificate provides DevOps and DevSecOps organizations the entire workflow summary, audit trail of each build, and proof of protection that Mobile Anti Bot has been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that Mobile Anti Bot and other mobile app security features are in each build of the mobile appUsing Appdome, there are no development or coding prerequisites to build secured Mobile Apps using Mobile Anti Bot. There is no SDK and no library to code or implement in the app and no gateway to deploy in your network. All protections are built into each app and the resulting app is self-defending and self-protecting.

Releasing and Publishing Mobile Apps with Mobile Anti Bot

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

All apps protected by Appdome are fully compatible with any public app store, including Apple App Store, Google Play, Huawei App Gallery and more.

Related Articles:

If you have any questions, please send them our way at or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.


let's solve it together

HilaMaking your security project a success!
By filling out this form, you opt-in to recieve emails from us.