How to Use F5 Anti-Bot in Android & iOS Apps
The F5 Anti-Bot SDK enables customers to detect and protect mobile applications from bot attacks. This Knowledge Base article describes how to add F5 Anti-Bot protection to Android & iOS apps and implement the SDK in less than 10 minutes – no code or coding required.
About Adding F5 Anti-Bot Protection using Appdome
Using Appdome, mobile applications will use the F5 Anti-Bot SDK to protect applications against bots, vulnerability scanners, content scraping, and other automated attack vectors as if the code was natively added to the application. Appdome for F5 Anti-Bot is compatible with mobile applications built in any development environment including Native Android and iOS apps, hybrid applications, and non-native applications built in platforms such as Xamarin, Cordova, React Native, and Ionic. This streamlines implementations, cuts development work, and ensures a guaranteed and consistent integration of Anti-Bot to any mobile application.
Appdome for F5 Anti-Bot enables you to protect multiple domains, either by providing a list of domains or with a ‘wildcard’ syntax (using a period instead of the subdomain, for example: .domain.com). This supports use cases where the protected Virtual Server serves multiple protected subdomains.
Key Features of Appdome for F5 Anti-Bot Protection
Customers who want to increase the overall security of the application server, and ensure that only valid end-users can access the service, can achieve this by protecting the certificate Hash. As a result, the mobile app can only connect to their BIG-IP. Mobile Threat Control encrypts the F5 certificate Hash at the time of Fusion.
Host Custom Port
The F5 Anti-Bot SDK requires the use of a standard HTTP/HTTPS port. Some customers have configured their networks with non-standard or custom HTTP/HTTPS ports. In these cases, Host Custom Port bridges the gaps between the F5 Anti-Bot SDK and the customer’s network configuration, supporting the use of host custom ports.
Support Multiple Domains
Many customers want bot protection for more than one domain. Mobile Threat Control supports multiple domain protection, both for named domains and “wildcard” domains. All the protected domains have to resolve to the protected virtual server.
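An added example (not Appdome or F5 code): a pre-build check that each hostname the app calls is covered by the Support Multiple Domains list and resolves to the protected virtual server. The wildcard semantics, the sample hostnames and the 203.0.113.10 virtual-server address are assumptions.

```python
import socket

def covered_by(host, entries):
    """Return the protected-domain entry covering host, or None.
    Assumed semantics: ".domain.com" covers any subdomain but not the bare
    domain; any other entry must match the hostname exactly."""
    host = host.lower().rstrip(".")
    for entry in entries:
        e = entry.lower().rstrip(".")
        if e.startswith("."):
            # Label-boundary match: never covers look-alike "otherdomain.com".
            if host.endswith(e) and len(host) > len(e):
                return entry
        elif host == e:
            return entry
    return None

def dns_lookup(host):
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def preflight(app_hosts, entries, vs_ips, resolve=dns_lookup):
    """Map each hostname the app contacts to 'ok', 'unprotected',
    'unresolved' or 'wrong-target' (covered by an entry, but resolving to
    something other than the protected virtual server)."""
    report = {}
    for host in app_hosts:
        if covered_by(host, entries) is None:
            report[host] = "unprotected"
            continue
        ips = resolve(host)
        if not ips:
            report[host] = "unresolved"
        elif set(ips) <= set(vs_ips):
            report[host] = "ok"
        else:
            report[host] = "wrong-target"
    return report

# Constructed sample data: documentation-range IPs and a stub resolver.
ENTRIES = ["login.domain.com", ".api.domain.com"]
STUB_DNS = {"login.domain.com": ["203.0.113.10"],
            "v2.api.domain.com": ["203.0.113.10"],
            "eu.api.domain.com": ["198.51.100.7"]}
HOSTS = list(STUB_DNS) + ["api.domain.com", "old.api.domain.com"]

def sample_report():
    return preflight(HOSTS, ENTRIES, ["203.0.113.10"], lambda h: STUB_DNS.get(h, []))
```

Omit the resolve argument to check against live DNS; an "unprotected" result is expected for hosts the app reaches that are not meant to sit behind the BIG-IP.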
Mobile Threat Control – Appdome’s advanced features for F5 AntiBot
Appdome offers F5 Customers additional Mobile Threat Controls. These advanced features solve more complex or demanding deployments where the standard F5 anti-bot SDK isn’t sufficient. These features overcome obstacles inside apps, the infrastructure, authentication methods, and more that do not permit interaction between the app and external services.
Multiple Cookie Manager Mediation
Multiple Cookie Manager Mediation tackles one of the hardest problems in mobile threat defense. Mobile apps that are built with secure cookie management systems interfere with the cookie exchange required for external MTD services, like the F5 Anti-Bot SDK. When this occurs, apps are unable to efficiently utilize cookies from the F5 Anti-Bot SDK, and will not be able to connect to the protected host. Rather than rebuild the app, Multiple Cookie Manager Mediation securely and dynamically retrieves, reconciles, and manages cookie exchange on behalf of in-app cookie managers and frameworks. The new app is now able to mediate between multiple cookie managers to automatically resolve cookie exchange, inclusion, and removal across multiple cookie managers inside an app. It also includes features like Dynamic Cookie Stickiness (for iOS apps), which ensures that F5 Anti-Bot cookies will remain sticky when possible across application transitions.
This feature ensures that no connections are blocked by the BIG-IP servers and provides anti-bot protection to all required connections.
This helps when F5 Anti-Bot takes several seconds to fully initialize and provide the mobile app that is trying to connect to the protected host with a valid cookie. Most mobile apps have connections to servers and external URLs other than the protected host. As a result of the initialization delay, these connections may be blocked by the BIG-IP server. SMARTConnect waits for the valid cookie to be issued to the mobile app, which ensures that no connections are blocked by the BIG-IP servers and that all the required connections are covered by Anti-Bot protection.
Prerequisites for using Appdome for F5 Anti-Bot
Using Appdome’s no code implementation of the F5 Anti-Bot SDK on Appdome requires:
- Appdome account – Ideal and above
- Mobile application (.ipa for iOS, or .apk or .aab for Android)
If you are using a Swift iOS application, verify that it has been compiled with a supported Swift version
- A server protected by F5’s BIG-IP
- Your BIG-IP certificate hash (optional) – if you configured your BIG-IP system to support certificate pinning. For additional details see: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/43.html
- Signing Credentials (for example: signing certificates and provisioning profile)
3 Easy Steps to Add F5 Anti-Bot Protection to Android & iOS Apps
Follow these step-by-step instructions to add F5 Anti-Bot Protection to Android & iOS Apps
- Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
- In the Build tab, under Mobile Threat, Select F5 Anti-Bot (and your BIG IP server configurations and options)
- Click Build My App
BIG IP Server Configurations and Options
- Select F5 Anti-Bot
- Enter your Protected Host.
By default, the Anti-Bot SDK operates with SSL enabled. If you would like to disable SSL, please contact Appdome support to enable the feature.
Note: The FQDN (Fully Qualified Domain Name) specified here as the Protected Host will be protected by the F5 Anti-Bot solution. When the application attempts to connect to this FQDN, it will be connected to the IP of a Virtual Server defined on the BIG-IP platform. If you do not have a resolvable hostname and are using an IP address to access the host, with SSL implemented on the server-side, it is unlikely that the connection will succeed. In this case, the app might not trust the host. To mitigate this, you can use Appdome’s Auto-Pin Trusted Domains feature, in the Access tab, so the app will not fail on mismatching certificates. To upgrade your account with permission to the Access tab, please contact Appdome Support.
- Enter the verification pin you received from Appdome’s AntiBot Verification app.
- Support Multiple Domains – allows you to protect more than one domain. When adding multiple domains, you can add a domain or a “wildcard” domain that has a period instead of the sub-domain.
Note: All protected domains should resolve to the protected Virtual Server.
- SECUREcertificate pinning – if certificate pinning is needed in your configuration, supply your F5 certificate Hash generated in the F5 Anti-Bot SDK Process.
- Host Custom Port – if your BIG-IP virtual server is using a non-standard HTTP/HTTPS port.
- Multiple Cookie Managers Mediation – Ensures that apps will be able to efficiently utilize cookies from the F5 Anti-Bot SDK and connect to protected hosts.
- SMARTConnect™ – dynamically reorder the app’s network and URL connections to align with the initialization of the AntiBot SDK.
- Click Build My App.
Note: If you are prompted with an error message stating that your application’s Swift version is incompatible with the Swift version of one of the supported SDKs, please follow the steps for Matching Versions of Swift when Fusing F5 Anti-bot SDK.
Congratulations! You now have a mobile app secured with F5 Anti-Bot Protection.
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Signing Secure iOS and Android apps
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
More Mobile Threat Resources
To zoom out on this topic, visit the Mobile Threat section on our website, or Request a demo at any time.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.