How to use MobileBOT Source™ with Mobile Bot Defense
What is MobileBOT Source™?
MobileBOT Source™ offers mobile app developers the option to add a set of App-Specific Key Values to their app’s payload. These key values are then utilized to check the legitimacy of session interactions, ensuring that the interactions are secure and authenticated. Developers can define specific key values that are unique to their application. These values could represent various parameters, such as user ID, session ID, transaction ID, etc., that are critical to the app’s functionality and security.
How Does MobileBOT Source™ Protect Mobile Apps?
The primary function of MobileBOT Source™ is to bolster the security of mobile applications by using encrypted, custom key values to track and verify user sessions and interactions. By integrating these key values, developers can more accurately identify and correlate incoming requests to specific users or sessions. This capability is crucial for recognizing and mitigating potential threats, such as bot attacks. For instance, if a request to the server is flagged as suspicious, the source of this request can immediately be traced to a particular user or action within the app, thanks to the predefined key values. This not only helps in promptly blocking malicious activities but also in understanding the behavior patterns of users, thereby significantly enhancing the app’s security measures against automated attacks and other security threats.
Prerequisites for using Appdome’s MobileBOT Source™:
To use Appdome’s mobile app security build system for Mobile Bot Defense, you’ll need:
- Appdome account (create a free Appdome account here)
- A license for MobileBOT Source™
- Mobile App (.ipa for iOS device or .apk or .aab for Android)
- Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)
How to Set Up MobileBOT Source™ on Mobile apps using Appdome
On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that use MobileBOT Source™ without an SDK or gateway:
- Upload the Mobile App to Appdome’s Mobile App Security Build System
  - Upload Method: Appdome Console or DEV-API
  - Mobile App Formats: .ipa for an iOS device or .apk or .aab for Android
  - MobileBOT Source™ Compatible With: Obj-C, Java, JS, C#, C++, Swift, Kotlin, Maui, Xamarin, and more.
- Build the feature: MobileBOT Source™
  - Build MobileBOT Source™ using Appdome’s DEV-API:
    - Create and name the Fusion Set (security template) that will contain the MobileBOT Source™ feature as shown below:
      Figure 1: Fusion Set that will contain the MobileBOT Source™ feature
      Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
    - To add the MobileBOT Source™ feature to this Fusion Set, follow the steps in the Building the MobileBOT Source™ via Appdome Console section.
    - Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set, as shown in Figure 1 above, and get the Fusion Set ID from the Fusion Set Detail Summary (as shown below)
      Figure 2: Fusion Set Detail Summary
      Note: Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
    - Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit such as Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems
      - Build an API for the app – for instructions, see the tasks under Appdome API Reference Guide
      - Look for sample APIs in Appdome’s GitHub Repository
Building the MobileBOT Source™ feature via Appdome Console
To build the MobileBOT Source™ protection using Appdome Console, follow the instructions below:
- Where: Inside the Appdome Console, go to Build > Anti Bot Tab > MobileBOT™ Defense section
- How: Toggle (turn ON) Session Headers > MobileBOT Source™, as shown below.
  Figure 3: Validate MobileBOT Source™
- When you select MobileBOT Source™, you’ll notice that the Fusion Set you created now bears the icon of the protection category that contains MobileBOT Source™.
  Figure 4: Fusion Set that displays the newly added MobileBOT Source™ protection
- Click Build My App at the bottom of the Build Workflow (shown in Figure 3).
- Certify the Session Headers feature in Mobile Apps.
After building MobileBOT Source™, Appdome generates a Certified Secure™ certificate to guarantee that the MobileBOT Source™ protection has been added and is protecting the app.
To verify that the MobileBOT Source™ protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:
Figure 5: Certified Secure™ certificate
Each Certified Secure™ certificate provides DevOps and DevSecOps organizations with the entire workflow summary, audit trail of each build, and proof of protection that Session Headers have been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that MobileBOT Source™ and other mobile app security features are in each mobile app build.
Using Input Threat-Events™ for MobileBOT Source™ in Mobile Apps
Note: Input Threat Events are unavailable for multi-platform frameworks such as React Native, Flutter, and Cordova. If you are using one of these frameworks, it is recommended that you build a bridge class that acts as an intermediary between the framework and the mobile native API.
For more details on how to build bridging classes for Flutter and Cordova, please refer to the following documentation: Flutter and Cordova Plugin Development Guide
A Java bridge class is essential for React Native applications that require the use of MobileBOT Source™ threat events. This bridge class acts as a connector between the React Native JavaScript layer and native Android functionality. It allows the JavaScript code in React Native to interact directly with Android-specific features that are otherwise inaccessible due to the cross-platform nature of React Native. The bridge ensures that MobileBOT Source™ can be utilized effectively within React Native apps by enabling direct communication and operation execution on the Android side.
Example: React Native Bridge Class
package com.your-apps-package-name; // replace your-apps-package-name with your app's package name

import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

import com.facebook.react.bridge.ReactApplicationContext;
import com.facebook.react.bridge.ReactContextBaseJavaModule;
import com.facebook.react.bridge.ReactMethod;

public class MobileBotModule extends ReactContextBaseJavaModule {
    MobileBotModule(ReactApplicationContext context) {
        super(context);
    }

    // Name under which the module is exposed to JavaScript (NativeModules.MobileBotModule)
    @Override
    public String getName() {
        return "MobileBotModule";
    }

    @ReactMethod(isBlockingSynchronousMethod = true)
    public void sendBotSourceEvent(String key, String value) {
        Intent newIntent = new Intent("UpdateMBDMap");
        Bundle dataBundle = new Bundle();
        dataBundle.putString(key, value);
        newIntent.putExtras(dataBundle);
        Context applicationContext = getReactApplicationContext().getApplicationContext();
        // Restrict the broadcast to this app's own package so other apps cannot receive it
        newIntent.setPackage(applicationContext.getPackageName());
        applicationContext.sendBroadcast(newIntent);
    }
}
Example: JavaScript Call in React Native:
import { NativeModules } from 'react-native';

const { MobileBotModule } = NativeModules;
MobileBotModule.sendBotSourceEvent('Digest', '4372890473289147189');
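An added example, not part of Appdome's documentation or code: a JavaScript wrapper around the bridge call above that refuses values the `(String, String)` Java method cannot carry faithfully, such as a large numeric ID written as a JavaScript number. `createBotSourceReporter`, the key pattern and the length limit are assumptions; only `sendBotSourceEvent` comes from the page.

```javascript
// Added example, not Appdome code. Only sendBotSourceEvent(key, value) comes from
// the page's bridge class; every other name and limit here is an assumption.
const KEY_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/; // assumed key naming policy
const MAX_VALUE_LENGTH = 256; // assumed upper bound on value size
const reject = (reason) => ({ sent: false, reason });

function createBotSourceReporter(nativeModule) {
  function send(key, value) {
    // The module may be undefined, for example when the bridge class is not registered.
    if (!nativeModule || typeof nativeModule.sendBotSourceEvent !== 'function') {
      return reject('bridge-unavailable');
    }
    if (typeof key !== 'string' || !KEY_PATTERN.test(key)) return reject('invalid-key');
    // The Java method takes (String, String). Accept strings, and integers only
    // when they convert to text without losing digits.
    if (typeof value === 'number' && !Number.isSafeInteger(value)) return reject('unsafe-number');
    if (typeof value !== 'number' && typeof value !== 'string') return reject('unsupported-type');
    const text = String(value);
    if (text.length === 0 || text.length > MAX_VALUE_LENGTH) return reject('invalid-length');
    nativeModule.sendBotSourceEvent(key, text);
    return { sent: true, reason: null };
  }
  // Send several key values at once; returns the keys that were rejected and why.
  function sendAll(values) {
    return Object.entries(values)
      .map(([key, value]) => ({ key, ...send(key, value) }))
      .filter((result) => !result.sent)
      .map(({ key, reason }) => ({ key, reason }));
  }
  return { send, sendAll };
}

// Constructed stand-in for NativeModules.MobileBotModule so the example runs
// off-device; in the app, pass NativeModules.MobileBotModule instead.
function createRecordingModule() {
  const calls = [];
  return { calls, sendBotSourceEvent: (key, value) => { calls.push([key, value]); } };
}

function demo() {
  const native = createRecordingModule();
  // Constructed input: the page's sample value as a string, then as a number literal.
  const rejected = createBotSourceReporter(native).sendAll({
    Digest: '4372890473289147189', SessionID: 4372890473289147189, TransactionID: undefined });
  return { rejected, calls: native.calls };
}
```

Only the string form of the ID reaches the native side unchanged; the number literal is rounded by JavaScript before any code sees it, so the wrapper rejects it.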
Java
// Define placeholders for key and value
String key = "<KEY_PLACEHOLDER>";
String value = "<VALUE_PLACEHOLDER>";
// Create a new intent with the action "UpdateMBDMap"
Intent intent = new Intent("UpdateMBDMap");
// Create a bundle to hold the data
Bundle bundle = new Bundle();
// Add the key-value pair to the bundle
bundle.putString(key, value);
// Attach the bundle to the intent
intent.putExtras(bundle);
// Get the application's context
Context context = getApplicationContext();
// Restrict the broadcast to this app's own package so other apps cannot receive it
intent.setPackage(context.getPackageName());
// Send the broadcast with the intent
context.sendBroadcast(intent);
Kotlin
val key = "<KEY_PLACEHOLDER>"
val value = "<VALUE_PLACEHOLDER>"
val intent = Intent("UpdateMBDMap")
val bundle = Bundle()
bundle.putString(key, value)
intent.putExtras(bundle)
val context = applicationContext
intent.`package` = context.packageName
// Sending information back to Appdome
context.sendBroadcast(intent)
Xamarin/MAUI Android – CSharp
string key = "<KEY_PLACEHOLDER>";
string value = "<VALUE_PLACEHOLDER>";
// Create a new intent with the action "UpdateMBDMap"
Intent intent = new Intent("UpdateMBDMap");
// Create a bundle to hold the data
Bundle bundle = new Bundle();
// Add the key-value pair to the bundle
bundle.PutString(key, value);
// Attach the bundle to the intent
intent.PutExtras(bundle);
// Restrict the broadcast to this app's own package so other apps cannot receive it
intent.SetPackage(ApplicationContext.PackageName);
// Send the broadcast with the intent
ApplicationContext.SendBroadcast(intent);
Objective-C
NSString *key = @"<KEY_PLACEHOLDER>";
NSString *value = @"<VALUE_PLACEHOLDER>";
NSDictionary *userInfo = @{key: value};
// Sending information back to Appdome
[[NSNotificationCenter defaultCenter] postNotificationName:@"UpdateMBDMap"
                                                    object:nil
                                                  userInfo:userInfo];
Swift
let key = "<KEY_PLACEHOLDER>"
let value = "<VALUE_PLACEHOLDER>"
let userInfo = [key: value]
// Sending information back to Appdome
NotificationCenter.default.post(name: Notification.Name("UpdateMBDMap"),
                                object: nil,
                                userInfo: userInfo)
Xamarin/MAUI iOS – CSharp
String key = "<KEY_PLACEHOLDER>";
String value = "<VALUE_PLACEHOLDER>";
// Create a dictionary to hold the data
NSDictionary userInfo = new NSDictionary(key, value);
// Post a notification with the data
NSNotificationCenter.DefaultCenter.PostNotificationName("UpdateMBDMap", null, userInfo);
Using Appdome, there are no development or coding prerequisites to build secured Mobile Apps using MobileBOT Source™. There is no SDK and no library to code or implement in the app, and no gateway to deploy in your network. All protections are built into each app and the resulting app is self-defending and self-protecting.
Releasing and Publishing Mobile Apps with Session Headers
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
- Releasing Secured Android & iOS Apps built on Appdome.
Related Articles:
- How to Use Appdome MobileBOT™ Defense
- How to Secure Android & iOS Apps with Pin to Host
- How to Use Session Headers in Mobile Bot Defense
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.