Mobile devices have become a necessity in everyday life for billions of people. They are essential tools for communication, working from home, entertainment and core activities such as managing finances, booking appointments and learning. With the advent of smartphones and tablets from Apple and Google, mobile applications are on the rise in every sector. With the adoption of native mobile applications, however, attackers operating bots have found another attack surface to exploit, preying on business-critical data, customers' personally identifiable information (PII), credentials and payment card details.
These bots rotate their identity, behavior and IP address to stay under the thresholds of conventional security measures. Native mobile traffic is also less predictable than web browser traffic, which makes anomalies harder to spot. Tackling such bots requires an approach whose detection logic adapts faster than the bot patterns evolve.
To respond to the need for mobile application protection, Radware has enhanced its mobile SDK (software development kit) to protect native mobile applications from bot activity.
How Radware Mobile Bot Protection Works
As covered in the Radware blog Enhanced Bot Protection on Single-page Applications (SPAs), the first step in bot protection on mobile platforms is bad bot identification. This means identifying the source of the request: where did it originate?
The two dominant mobile platforms, Apple and Google, ship virtual devices (emulators and simulators) for their mobile operating systems and device models. They provide these for testing and development, but they also make it easy to run bot actions from virtual devices at scale. If a bot protection module can identify traffic that does not originate from a legitimate mobile device, the bulk of that traffic can be blocked without further analysis. This is precisely where Radware integrated its bot management solution with the Google Play Integrity API and Apple's DeviceCheck and App Attest services. By validating, on the server side, the token issued by the Google or Apple attestation service, the backend obtains a platform-signed verdict on the integrity of both the device and the application.
What does this mean for you?
Knowing that a request comes from a real device (not an emulator or a modified operating system) and from an application installed from Google Play or the App Store means the application itself has not been tampered with or repackaged. This capability ensures that only real devices running authentic builds of your application can reach your backend.
How does an attestation feature ensure the authenticity of devices and mobile applications?
As shown below, the authenticity of devices and applications is verified with a trust token issued by the Google or Apple attestation service.
Without attestation, it is extremely difficult to validate whether a request to access an application originated from a real device. Here are the challenges:
- It's no secret that one of the most talked about security issues for every company is the protection and restriction of personally identifiable information (PII). On mobile devices, PII also covers hardware identifiers (IMEI, SIM card) and phone numbers, which uniquely identify the device, and platform privacy rules keep applications from collecting them. Without a unique identifier tied to each end-user device, there is no reliable way to tell whether a request comes from a real device or a virtual one (emulator or simulator). Instead, many device attributes must be collected and analyzed to distinguish real from virtual devices.
- Many device attribute values change over time. This invalidates fingerprints that bad bot identification has already built, producing false positives (FP) and false negatives (FN).
- Attackers deliberately change the values of these attributes to make a request appear to come from a real device, bypassing attribute-based detection.
Attestation Feature — Operating System Support by Google and Apple
Compared with the platform coverage of trust tokens based on the Privacy Pass protocol, the attestation feature supports a much wider range of operating system versions. Google attestation is supported on Android 4.4 and above. Apple DeviceCheck is supported on iOS 11 and above, and App Attest on iOS 14 and above. In short, it is highly unlikely that bots running on an emulator or simulator can pass these checks and reach protected resources.
Radware Ensures Strong Mobile Bot Protection With Our Multiple, Unique Bot Detection Capabilities
The attestation feature ensures that only real devices and authentic applications can access requested resources.
The Radware Bot Manager Mobile SDK provides another significant capability. Its Secure Identity feature complements attestation by stopping bots from spoofing or replaying a trust token issued to an authentic user. Radware Secure Identity combined with attestation therefore provides stronger protection against mobile bots and denies botmasters the ability to harm customers.
Any remaining illegitimate traffic that resembles authentic traffic is identified, challenged and blocked by Radware Bot Manager through its behavioral-analysis detection modules.
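To make the server-side checks concrete, here is an added example (not Radware's SDK code and not Google's or Apple's) of what a backend must verify once it receives an attestation token: the signature, a one-time nonce bound to the request, freshness, the package name, and the app and device integrity verdicts, with the nonce burned after first use so a captured token cannot be replayed. The attestation service is a stand-in that signs the verdict with HMAC-SHA256 under a shared key; a real Play Integrity token is a signed and encrypted JWT that Google's servers (or your decryption key from the Play Console) verify. The verdict field names follow the Play Integrity API response; the signing scheme, the package name `com.example.bank` and the request binding are assumptions for the example.

```python
"""Server-side attestation verification with nonce binding and replay defense.
Added example; the HMAC 'attestation service' stands in for Google/Apple."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVICE_KEY = secrets.token_bytes(32)   # stand-in for the platform's signing key
EXPECTED_PACKAGE = "com.example.bank"   # hypothetical app identifier
MAX_AGE_S = 300                         # reject tokens older than five minutes


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(nonce, package, device_verdict, app_recognized, now=None):
    """Stand-in attestation service: signs a Play-Integrity-shaped verdict."""
    payload = {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": int((now or time.time()) * 1000)},
        "appIntegrity": {"appRecognitionVerdict":
                         "PLAY_RECOGNIZED" if app_recognized else "UNRECOGNIZED_VERSION"},
        "deviceIntegrity": {"deviceRecognitionVerdict":
                            [device_verdict] if device_verdict else []},
    }
    body = json.dumps(payload, separators=(",", ":")).encode()
    return b64(body) + "." + b64(hmac.new(SERVICE_KEY, body, hashlib.sha256).digest())


class AttestationVerifier:
    """Backend side: every nonce is single-use and tied to one request."""

    def __init__(self):
        self.pending = {}   # nonce -> (issued_at, request binding)
        self.used = set()

    def new_nonce(self, request_binding):
        nonce = b64(secrets.token_bytes(16))
        self.pending[nonce] = (time.time(), request_binding)
        return nonce

    def verify(self, token, request_binding, now=None):
        now = now or time.time()
        try:
            body_b64, sig_b64 = token.split(".")
            body = unb64(body_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig_b64)):
            return False, "bad signature"
        verdict = json.loads(body)
        req = verdict["requestDetails"]
        nonce = req["nonce"]
        if nonce in self.used:
            return False, "replay"
        if nonce not in self.pending:
            return False, "unknown nonce"
        _, binding = self.pending.pop(nonce)
        self.used.add(nonce)                     # burn it whatever happens next
        if binding != request_binding:
            return False, "nonce bound to different request"
        if now - req["timestampMillis"] / 1000 > MAX_AGE_S:
            return False, "stale"
        if req["requestPackageName"] != EXPECTED_PACKAGE:
            return False, "wrong package"
        if verdict["appIntegrity"]["appRecognitionVerdict"] != "PLAY_RECOGNIZED":
            return False, "app not recognized"
        if "MEETS_DEVICE_INTEGRITY" not in verdict["deviceIntegrity"]["deviceRecognitionVerdict"]:
            return False, "device integrity not met"
        return True, "ok"


def demo():
    """Constructed scenarios: genuine device, replay, emulator, forgery, stale token."""
    v = AttestationVerifier()
    binding = hashlib.sha256(b"POST /transfer amount=100").hexdigest()  # constructed request
    results = {}
    n1 = v.new_nonce(binding)
    good = issue_token(n1, EXPECTED_PACKAGE, "MEETS_DEVICE_INTEGRITY", True)
    results["good"] = v.verify(good, binding)
    results["replay"] = v.verify(good, binding)          # same token presented again
    n2 = v.new_nonce(binding)
    results["emulator"] = v.verify(issue_token(n2, EXPECTED_PACKAGE, "", True), binding)
    n3 = v.new_nonce(binding)
    body_b64, sig_b64 = issue_token(n3, EXPECTED_PACKAGE, "", True).split(".")
    edited = json.loads(unb64(body_b64))                  # attacker edits the verdict
    edited["deviceIntegrity"]["deviceRecognitionVerdict"] = ["MEETS_DEVICE_INTEGRITY"]
    forged = b64(json.dumps(edited, separators=(",", ":")).encode()) + "." + sig_b64
    results["forged"] = v.verify(forged, binding)
    n4 = v.new_nonce(binding)
    old = issue_token(n4, EXPECTED_PACKAGE, "MEETS_DEVICE_INTEGRITY", True, now=time.time() - 600)
    results["stale"] = v.verify(old, binding)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The point of binding the nonce to a digest of the request is that a token minted for one request cannot be attached to a different one, and burning the nonce on first use means a token captured from a legitimate user is worthless a second time, which is the replay problem the Secure Identity feature addresses.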
Protection from Mobile Bots is Just a Click Away
Not protecting mobile devices and the applications they run is a dangerous game. Consider this: it is estimated that there are over 17 billion active mobile devices in the world, more than two for every person on the planet. Ignoring mobile security is like believing the sun won't come up tomorrow. It's time to take the first, and best, step to ensure mobile devices and applications are secure and are not offering threat actors an open invitation to attack. Go here to learn more about Radware Bot Manager Mobile SDK. And please reach out to the talented and tenured cybersecurity professionals at Radware here. We'd love to hear from you.