Bots—computer programs that work automatically—have long been a part of the internet. Good bots are often deployed to improve the user experience, as is the case with customer support chat bots, search engine crawlers and any number of one-dimensional task bots. But the utility of these programs has also been employed for more nefarious uses, such as infecting user devices or IoT systems to take control of their associated resources, stealing identity information to take over accounts, or even outright theft of digital content and intellectual property.
As a result, if you don’t take precautions, your back-end mobile API components can be exposed to automated attacks such as content scraping, denial of service (DOS), credential stuffing, fake account creation and a host of other problems (see table).
Table 1: How do bots attack the app layer?
|Account Takeover||Credential Stuffing||Mass log-in attempts used to verify the validity of stolen username/password pairs|
|Credential Cracking||Identify valid login credentials by trying different values for usernames and/or passwords|
|Account Aggregation||Used by an intermediary application that aggregates multiple accounts and interacts on their behalf|
|Payment Card Data||Card Cracking||Identify missing start/expiry dates and security codes for stolen payment card data by trying different values|
|Card Cracking||Identify missing start/expiry dates and security codes for stolen payment card data by trying different values|
|Cashing Out||Buy goods or obtain cash utilizing validated stolen payment card or other user account data|
|Vulnerability Scanning||Footprinting||Probe and explore application to identify its constituents and properties|
|Vulnerability Scanning||Crawl and fuzz application to identify weaknesses and possible vulnerabilities|
|Fingerprinting||Elicit information about the supporting software and framework types and versions|
|Denial of Service / Resource Hoarding||Scalping||Obtain limited-availability and/or preferred goods/services by unfair methods|
|Denial of Inventory||Deplete goods or services stock without ever completing the purchase or committing to the transaction|
|Denial of Service (DoS)||Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS)|
|Sniping||Last-minute bid or offer for goods or services|
|Expediting||Perform actions to hasten progress of usually slow, tedious or time-consuming actions|
|Content Theft||Scraping||Collect application content and/or other data for use elsewhere|
|Other||Ad Fraud||False clicks and fraudulent display of web-placed advertisements|
|CAPTCHA Defeat||Solve anti-automation tests|
|Skewing||Repeated link clicks, page requests or form submissions intended to alter some metric|
|Spamming||Malicious or questionable information that appears in public or private content, databases or user messages|
Battling mobile bots is precisely why we created the F5 Anti-Bot Mobile SDK, which extends the robust bot-protection capabilities of F5® Advanced Web Application Firewall™ (WAF) solutions to mobile applications to defend against bots, vulnerability scanners, content scraping and other automated attack vectors.
Our close partnership with Appdome is an important part of a comprehensive, mobile anti-bot solution. F5 Advanced WAF integration with Appdome extends bot protection to mobile apps with application whitelisting, behavioral analysis, secure cookie validation and advanced app hardening. Appdome also provides the means for fast and easy integration so that developers and non-developers alike can implement the full functionality of F5® Anti-Bot Mobile SDK using a simple “click to implement” interface.
Mobile apps don’t come with native compatibility to F5 Anti-Bot Mobile SDK, which means mobile developers are required to modify the source code of mobile apps in order to discover, connect to and authenticate to F5 services. In the past, this has posed a significant challenge to enterprises that wanted to leverage F5 services for mobile app access, often causing them to abandon projects or choose not to initiate mobile projects at all.
Now, through close partnership with Appdome, integration could not be easier. Appdome offers a patented integration platform-as-a-service (IPaaS) solution that can add the F5 Anti-Bot Mobile SDK (or any mobile security service) to any mobile app (Android or iOS) in minutes without coding. Appdome delivers a faster, easier, and more efficient alternative to manual coding to add new capabilities to applications and can protect a mobile application from bots and automated attacks in three steps:
Figure 2: Protect a mobile application from bots and automated attacks in 3 easy steps.
A new app binary with all the features of F5 Anti-Bot Mobile SDK will be generated in minutes. Simply sign the new app and deploy it using existing workflows.
Appdome is the industry’s first no-code mobile integration platform. The company’s patented Fusion technology and its AI-Digital Developer™, known as AMI, powers a self-service platform. This platform allows anyone to complete the integration of thousands of mobile services, standards, vendors, SDKs and APIs in security, authentication, access, mobility, mobile threats, analytics and more, adding these services to any mobile app instantly.
This no-code mobile integration platform enables customers to implement F5 Anti-Bot Mobile SDK to any mobile app. For F5 customers, this means you can leverage your existing F5 investment to manage access to enterprise resources from all Android and iOS apps. This includes native, hybrid and non-native apps, as well as third-party apps and apps developed in any framework out of the box.
In addition, Appdome eliminates dependencies on in-app standards, freeing app developers from having to manually code these into their apps. Customers can leverage modern authentication for any app without a dependency on third-party app maker roadmaps.
As hostile bots become ever more pervasive with their attacks on mobile applications, organizations need a way to quickly and effectively apply powerful, protective F5 Advanced WAF capabilities to their mobile assets. Appdome offers an IPaaS solution that enables users to easily add the F5 Anti-Bot Mobile SDK to any mobile app in minutes, without coding.
For more information about the F5 and Appdome partnership and solution integration, visit F5 Web App and API Protection.