How to Validate a Nonce Payload with Appdome's MobileBOT™ Defense

Last updated May 20, 2024 by Appdome

Learn how to validate a Nonce in Payload in Mobile apps, in mobile CI/CD with a Data-Driven DevSecOps™ build system.

What is a Nonce Payload?

A Nonce Payload refers to a unique, one-time token that a mobile application generates during session initiation or at critical transaction points. This ‘nonce’ is a random string intended for a single use, making it a powerful tool against potential threat actors by preventing the replay of intercepted requests — a prevalent tactic in man-in-the-middle (MiTM) attacks and automated bot activities.

In the context of Appdome’s MobileBOT™ Defense, the Nonce Payload is an integral component of the secure communication channel between the mobile application and the server. It is embedded within the Anti-Bot Payload, and securely transmitted to the server-side protection mechanisms, where it plays a crucial role in the authentication and validation of each request.

Why Use a Nonce Payload?

These unique, single-use tokens play a pivotal role in thwarting replay attacks, which involve malicious actors duplicating legitimate sessions or transactions between the app and its server. The Nonce Payload, by assigning a one-time identifier to each session, ensures the integrity and authenticity of user requests, making unauthorized attempts easily detectable and invalid. This level of security is crucial in high-stakes industries like finance and healthcare, where maintaining data confidentiality is mandatory for compliance with regulatory standards. It not only helps in securing the transactional data but also fortifies the overall defensive mechanisms of the application.

The integration of Nonce Payloads within Appdome’s MobileBOT™ Defense solution forms a robust, multi-layered security framework. This comprehensive approach is vital in the current digital threat landscape, ensuring that mobile applications are not just secure but also reliable for users, enhancing trust, and ensuring smooth business operations.

Prerequisites to Using Nonce in Payload:

To use Appdome’s mobile app security build system to Validate Nonce in Payload , you’ll need:

  • Appdome account (create a free Appdome account here)
  • A license for MobileBOT™
  • Mobile App (.ipa For iOS device or .apk or .aab For Mobile)
  • Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)
  • A WAF capable of storing and referencing a table of used nonces.

    Note: The “Nonce in Payload” is integrated within the “Session Headers” feature. For your convenience, there’s no need to construct separate fusion sets—simply build one comprehensive set for “Session Headers” to include the payload timestamp functionality.

Validate Nonce in Payload on Mobile apps using Appdome

On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that Validate Nonce in Payload without an SDK or gateway:

  1. Upload the Mobile App to Appdome
    • Upload an app to Appdome’s Mobile App Security Build System
    • Upload Method: Appdome Console or DEV-API
    • Mobile App Formats: .ipa For iOS device or .apk or .aab
    • Nonce in Payload Compatible With: Obj-C, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Maui, Xamarin, and more
  2.  Build the feature: Session Headers
    • Build Session Headers using Appdome’s DEV-API:
    • Create and name the Fusion Set (security template) that will contain the Session Headers feature as shown below:
      Session Headers Create Fs
      Figure 1: Fusion Set that will contain the Session Headers feature
      Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
    • To add the Session Headers feature to this Fusion Set, follow the steps in Section, Building the Mobile Anti Bot feature via Appdome Console.
    • Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set, as shown in Figure 1 above, and get the Fusion Set ID from the Fusion Set Detail Summary (as shown below)
      Copy Fs Id
      Figure 2: Fusion Set Detail Summary

       Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
    • Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit such as Bitrise, App Center, Jenkins, Travis, Team City, Circle CI or other systems.
    • Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
    • Look for sample APIs in Appdome’s GitHub Repository.


Building the Mobile Anti Bot feature via Appdome Console

  1. To build the Mobile Anti-Bot protection using Appdome Console, follow the instructions below:
  2. Where: Inside the Appdome Console, go to Build Anti Bot Tab > MobileBOT™ Defense section
  3. How: Toggle (turn ON) Session Headers, as shown below.
    Mobilebot Payload Nonce
    Figure 3: Validate Session Headers
    When you select Session Headers, you’ll notice that the Fusion Set you created now bears the icon of the protection category that contains Session HeadersSession Headers Fs Applied8.
    Figure 4: Fusion Set that displays the newly added Session Headers protection
  4. Click Build My App at the bottom of the Build Workflow (shown in Figure 3).
  5. Certify the Mobile Anti Bot feature in Mobile Apps.

After building Mobile Anti Bot, Appdome generates a Certified Secure™ certificate to guarantee that the Session Headers protection has been added and is protecting the app. To verify that the Session Headers protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:

Session Headers Cert
Figure 5: Certified Secure™ certificate

Each Certified Secure™ certificate provides DevOps and DevSecOps organizations the entire workflow summary, audit trail of each build, and proof of protection that Mobile Anti Bot has been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that Session Headers and other mobile app security features are in each build of the mobile app.
Using Appdome, there are no development or coding prerequisites to build secured Mobile Apps using Session Headers. There is no SDK and no library to code or implement in the app and no gateway to deploy in your network. All protections are built into each app and the resulting app is self-defending and self-protecting.

Releasing and Publishing Mobile Apps with Session Headers

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

Related Articles:

If you have any questions, please send them our way at or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.


Want a Demo?

Mobile Bot Defense

GilWe're here to help
We'll get back to you in 24 hours to schedule your demo.