Use Case

Advanced Anti-Bot Protection for Mobile Apps



  • Bots are actively leveraged for a variety of nefarious uses such as taking control of user devices or IoT systems, stealing identity information, and misappropriating intellectual property.
  • As online usage shifts to mobile devices, the bots shift to mobile targets.
  • Many techniques used by traditional bot-defense solutions rely on JavaScript, which is not supported by native mobile apps.


  • Secure your most valued assets, your applications and sensitive data, from bots, automated attacks, web scrapers, and exploits aimed at mobile apps.
  • Implement rapid deployment of advanced mobile security solutions without augmenting existing application development processes.
  • Add protection to iOS and Android apps without additional effort and with a consistent experience across platforms.
  • Implement multiple services or SDKs simultaneously in the same app.

The Problem

Bots—computer programs that work automatically—have long been a part of the internet. Good bots are often deployed to improve the user experience, as is the case with customer support chat bots, search engine crawlers, and any number of one-dimensional task bots. But the utility of these programs has also been employed for more nefarious uses, such as infecting user devices or IoT systems to take control of their associated resources, stealing identity information to take over accounts, or even outright theft of digital content and intellectual property.

As our online lives play out on mobile devices, bad actors are deploying their malicious bots against mobile apps. Unfortunately for mobile app developers, many techniques used by traditional bot-defense solutions rely on JavaScript, which is not supported by native mobile apps.


Figure 1: JavaScript is not supported by native mobile apps.

As a result, if you don’t take precautions, your back-end mobile API components can be exposed to automated attacks such as content scraping, denial of service (DoS), credential stuffing, fake account creation, and a host of other problems (see table).

Table 1: How do bots attack the app layer?

| Category | Attack | Description |
|---|---|---|
| Account Takeover | Credential Stuffing | Mass login attempts are used to verify the validity of stolen username/password pairs |
| Account Takeover | Credential Cracking | Identify valid login credentials by trying different values for usernames and/or passwords |
| Account Takeover | Account Aggregation | Used by an intermediary application that aggregates multiple accounts and interacts on their behalf |
| Payment Card Data | Card Cracking | Identify missing start/expiry dates and security codes for stolen payment card data by trying different values |
| Payment Card Data | Cashing Out | Buy goods or obtain cash utilizing validated stolen payment card or other user account data |
| Vulnerability Scanning | Footprinting | Probe and explore the application to identify its constituents and properties |
| Vulnerability Scanning | Vulnerability Scanning | Crawl and fuzz the application to identify weaknesses and possible vulnerabilities |
| Vulnerability Scanning | Fingerprinting | Elicit information about the supporting software and framework types and versions |
| Denial of Service / Resource Hoarding | Scalping | Obtain limited-availability and/or preferred goods/services by unfair methods |
| Denial of Service / Resource Hoarding | Denial of Inventory | Deplete goods or services stock without ever completing the purchase or committing to the transaction |
| Denial of Service / Resource Hoarding | Denial of Service (DoS) | Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS) |
| Denial of Service / Resource Hoarding | Sniping | Make a last-minute bid or offer for goods or services |
| Denial of Service / Resource Hoarding | Expediting | Perform actions to hasten progress of usually slow, tedious, or time-consuming actions |
| Content Theft | Scraping | Collect application content, and/or other data for use elsewhere |
| Other | Ad Fraud | False clicks and fraudulent display of web-placed advertisements |
| Other | CAPTCHA Defeat | Solve anti-automation tests |
| Other | Skewing | Repeated link clicks, page requests, or form submissions intended to alter some metric |
| Other | Spamming | Malicious or questionable information that appears in public or private content, databases, or user messages |

The Solution

Battling mobile bots is precisely why we created the F5 Anti-Bot Mobile SDK, which extends the robust bot-protection capabilities of F5® Advanced Web Application Firewall™ (WAF) solutions to mobile applications to defend against bots, vulnerability scanners, content scraping, and other automated attack vectors.

Our close partnership with Appdome is an important part of a comprehensive, mobile anti-bot solution. F5 Advanced WAF integration with Appdome extends bot protection to mobile apps with application allowlisting, behavioral analysis, secure cookie validation, and advanced app hardening. Appdome also provides the means for fast and easy integration, so that developers and non-developers alike can implement the full functionality of F5® Anti-Bot Mobile SDK using a simple click-to-implement interface.

F5 Networks and Appdome Partnership

Mobile apps don’t come with native compatibility to F5 Anti-Bot Mobile SDK. Until now, mobile developers were required to modify the source code of mobile apps to discover, connect to, and authenticate F5 services. In the past, this posed a significant challenge to enterprises that wanted to leverage F5 services for mobile app access, often causing them to abandon projects or choose not to initiate mobile projects at all.

Now, through close partnership with Appdome, integration could not be easier. Appdome offers a patented integration platform-as-a-service (IPaaS) solution that can add the F5 Anti-Bot Mobile SDK (or any mobile security service) to any mobile app (Android or iOS) in minutes, without coding. Appdome delivers a faster, easier, and more efficient alternative to manual coding for adding new capabilities to applications. Appdome protects mobile applications from bots and automated attacks in three steps:

Figure 2: Protect a mobile application from bots and automated attacks in 3 easy steps.


  1. Upload an Android or iOS binary to Appdome
  2. In the Mobile Threat Category, select “F5 Anti-Bot”
  3. Add the protected host information and other optional selections and click the Build My App button

A new app binary with all the features of F5 Anti-Bot Mobile SDK will be generated in minutes. Simply sign the new app and deploy it using existing workflows.

How It Works

Appdome is the industry’s first no-code mobile integration platform. The company’s patented Fusion technology and its AI-Digital Developer™, known as AMI, power a self-service platform. This platform allows anyone to complete the integration of thousands of mobile services, standards, vendors, SDKs, and APIs in security, authentication, access, mobility, mobile threats, analytics, and more, adding these services to any mobile app instantly.

This no-code mobile integration platform enables customers to add F5 Anti-Bot Mobile SDK to any mobile app. For F5 customers, this means you can leverage your existing F5 investment to manage access to enterprise resources from all Android and iOS apps. This includes native, hybrid, and non-native apps as well as third-party apps and apps developed in any framework out of the box.

In addition, Appdome eliminates dependencies on in-app standards, freeing app developers from manually coding these into their apps. Customers can leverage modern authentication for any app without a dependency on third-party app-maker roadmaps.


As hostile bots become ever more pervasive with their attacks on mobile applications, organizations need a way to quickly and effectively apply powerful, protective F5 Advanced WAF capabilities to their mobile assets. Appdome offers an IPaaS solution that enables users to easily add the F5 Anti-Bot Mobile SDK to any mobile app in minutes, without coding.

F5 and Appdome Features

  • Protect what’s important: F5 secures your most valued assets, your applications and sensitive data, from bots, automated attacks, web scrapers, and exploits. Integration with Appdome extends bot protection to mobile apps through application allowlisting, behavioral analysis, secure cookie validation, and advanced app hardening.
  • Rapidly deliver in-depth mobile bot detection: Enterprise mobile security and e-commerce departments can implement critical solutions without taxing scarce mobile development resources. Because Appdome is simple to use and doesn’t involve coding, enterprises can fast-track their bot protection initiatives by implementing F5 Anti-Bot Mobile SDK instantly, enabling rapid deployment of advanced mobile security solutions without a complex development or installation process.
  • Simplify POCs: Streamline your evaluation process and conduct proof of concepts (POCs) without draining resources or installing any hardware or software. All POCs are instant with Appdome.
  • Enjoy a consistent experience across platforms: Appdome is cross-platform and framework independent. Bot protection can be added to iOS and Android apps without additional effort and with a consistent experience across platforms. It works with any app created in any framework with no modifications or plugins.
  • Take advantage of multi-service implementations: With Appdome, users can implement multiple security services in the same app. This enables you to implement layered defenses covering a comprehensive array of mobile attack vectors. For example: add F5 Anti-Bot Mobile SDK with Appdome TOTALData Encryption and TOTALCode Obfuscation to achieve a comprehensive mobile security solution in minutes.

For more information about the F5 and Appdome partnership and solution integration, visit F5 Web App and API Protection.
