By Jan Sysmans, Mobile App Security Evangelist, Appdome
Mobile applications have emerged as the primary platform for consumers in India to engage with brands, and the threat landscape has shifted with them: malicious bot activity is increasingly aimed at mobile platforms. Botnet attacks are becoming more sophisticated, mimicking human behaviour and abusing genuine mobile app functionality, which makes them hard to identify. The 2024 Imperva Threat Research report, for one, finds that bad bots now account for nearly one-third of all online traffic. And the stakes are high: IBM's Cost of a Data Breach report puts the average cost of a data breach in India at INR 179 million in 2023, an all-time peak for the report and nearly 28% more than in 2020.
A big reason is that traditional anti-bot solutions such as Web Application Firewalls (WAFs) struggle to cover most mobile-based attack vectors. That leaves significant blind spots in organisations' API defenses and is why mobile-specific bot defense is needed.
Why legacy tools are limited
Many organisations use WAFs as the front-line defense against malicious bots. Traditional anti-bot offerings have struggled to keep pace with the diversity and sophistication of mobile applications, often force-fitting bot defense methods designed for web applications onto mobile frameworks. This mismatch frequently requires mobile developers to change the app's network stack, weaken the TLS protection on its network connections, or limit bot defense to a single host. The result, for a mobile-app-driven economy, is that large parts of the mobile infrastructure are left exposed to mobile bot attacks, fraud, account takeovers (ATOs), API abuse, credential stuffing and more.
Fundamentally, WAFs are designed to protect web applications. They do this by filtering, monitoring and blocking HTTP requests between a client (such as a mobile app or web browser) and a website or backend server. This works well against threats that target web apps, websites and web-based communication channels. But now that most internet traffic comes from mobile channels, protecting against mobile bots with a web-centric defense is like trying to put a square peg in a round hole. It does not work well, because mobile apps are different from websites and web apps: they do not behave the same way, and they do not face the same types of threats. Defending against malicious bots in the mobile channel requires an inherently different approach, one that covers four key areas:
1. Fingerprinting and networking differences
2. Attack and threat vector differences
3. Telemetry and threat intelligence differences
4. API and business logic differences
All four are blind spots for traditional web-centric WAF anti-bot protections, which is why those protections are not effective at shielding mobile backend servers from credential stuffing and other bot-based attacks.
Striving to be something they can’t be
To overcome these limitations, existing anti-bot vendors attempt to bend their products to address mobile-based threats. For example, some require an SDK to be embedded in the mobile app, because that is the only way the app can respond to the main methods WAFs use to tell bots from humans (CAPTCHAs, JavaScript challenges or JWT tokens): a native app's API calls have no browser page in which to render a CAPTCHA or execute a challenge script.
Such solutions also typically require separate servers to be deployed behind the WAF to evaluate connection requests and separate legitimate connections from malicious ones. These "workarounds" introduce single points of failure, performance bottlenecks and latency, and often come with unacceptable capacity limits (such as restricting anti-bot protection to a single host or API). On top of that, WAF mobile SDKs have limited development framework support and can require developers to rewrite the network stack to achieve compatibility with the WAF, which means more work and more cost. Worse, because most anti-bot solutions on the market are not hardened against clones, spoofing, malware or tampering, attackers can compromise, bypass or disable the anti-bot component if it is embedded in a mobile app that is not itself protected against reverse engineering and other attacks. All that work and money then goes into an imperfect solution.
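To make the "square peg in a round hole" problem from the previous section and the SDK argument above concrete, here is an added example (not code from the article or from Appdome). It scores constructed HTTP requests with the kind of browser-centric heuristics a web WAF applies, shows that no score threshold separates two legitimate mobile apps from a credential-stuffing script, and then adds a hypothetical in-app proof (an HMAC over a server nonce, sent in a made-up `X-App-Proof` header) of the sort an embedded SDK would compute. The sample requests, header values, key and header name are all assumptions made for the example.

```python
# Added example, not from the article or Appdome: browser-centric bot scoring
# applied to mobile-app traffic, plus a hypothetical in-app proof of origin.
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    label: str                    # sample label only; the server never sees it
    headers: dict
    cookies: dict = field(default_factory=dict)


# Constructed sample requests, not captured traffic. Values are illustrative.
SAMPLES = [
    Request("desktop browser", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/122.0 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Accept-Language": "en-IN,en;q=0.9",
        "Referer": "https://shop.example/cart"}, cookies={"session": "s1"}),
    Request("android app", {"User-Agent": "okhttp/4.12.0",
                            "Accept": "application/json"}),
    Request("ios app", {"User-Agent": "ShopApp/3.1 (iPhone; iOS 17.2)",
                        "Accept": "application/json",
                        "Accept-Language": "hi-IN"}),
    Request("stuffing script", {"User-Agent": "python-requests/2.31.0",
                                "Accept": "*/*"}),
]
LEGIT = {"desktop browser", "android app", "ios app"}


def web_bot_score(req):
    """Browser-centric heuristics: each missing browser signal adds points.
    Returns (score, reasons)."""
    score, reasons = 0, []
    checks = [
        ("Mozilla/" not in req.headers.get("User-Agent", ""), 2, "non-browser User-Agent"),
        ("Accept-Language" not in req.headers, 1, "no Accept-Language"),
        ("Referer" not in req.headers, 1, "no Referer"),
        (not req.cookies, 1, "no cookies"),
        ("text/html" not in req.headers.get("Accept", ""), 1, "does not accept HTML"),
    ]
    for hit, points, reason in checks:
        if hit:
            score += points
            reasons.append(reason)
    return score, reasons


def separable_by_threshold(samples):
    """True only if some threshold on web_bot_score blocks every script
    while letting every legitimate client through."""
    legit = [web_bot_score(r)[0] for r in samples if r.label in LEGIT]
    bots = [web_bot_score(r)[0] for r in samples if r.label not in LEGIT]
    return max(legit) < min(bots)


# Hypothetical in-app proof: the app computes HMAC-SHA256(key, nonce) and sends
# it in a made-up X-App-Proof header. The key has to live inside the app binary,
# so without anti-tampering protection it can be extracted and the proof forged.
APP_KEY = b"constructed-demo-key"   # assumption for the example
PROOF_HEADER = "X-App-Proof"        # hypothetical header name


def app_proof(nonce, key=APP_KEY):
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def classify(req, nonce, threshold=3):
    """Accept a valid app proof first; otherwise fall back to web heuristics."""
    proof = req.headers.get(PROOF_HEADER)
    if proof is not None and hmac.compare_digest(proof, app_proof(nonce)):
        return "app"
    score, _ = web_bot_score(req)
    return "bot" if score >= threshold else "human"


if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.label:18s} score={web_bot_score(r)[0]} {web_bot_score(r)[1]}")
    print("separable by threshold:", separable_by_threshold(SAMPLES))
```

Both apps score as badly as the script (the iOS app only does slightly better because it sends Accept-Language), so any threshold either blocks real users or admits the script. The proof header fixes that only as long as the key stays secret inside the app, which is exactly the hardening requirement the paragraph above describes.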
Modernising mobile bot defense
The need of the hour is to modernise anti-bot defense, and that hinges on solutions designed specifically to protect the mobile channel, the mobile backend and the mobile apps themselves against bot attacks of every kind. A modern mobile anti-bot solution offers multiple mobile-specific fingerprinting methods, detects and defends against mobile-specific threat vectors, collects real-time threat intelligence from inside the mobile app, and works with multiple WAFs at the same time, even when they come from different vendors. That tailors the defense strategy to the mobile ecosystem, integrates with existing infrastructure, and gives the app self-defending capabilities.