How to Use Session Headers in Mobile Bot Defense Using AI

This Knowledge Base article describes how to use Appdome’s AI/ML in your CI/CD pipeline to continuously deliver plugins that Validate Session Headers in Mobile apps.

What Are Session Headers?

Session headers are critical in mobile security, ensuring session integrity and preventing threats like session hijacking, replay attacks, and tampering. Attackers exploit session vulnerabilities to intercept and modify data, posing risks to user privacy and application security. Secure session management is essential for apps handling sensitive transactions, as it enforces trusted communication between the app and its backend. Implementing strong session headers aligns with regulatory requirements and provides an additional defense against automated bot attacks and fraudulent activities.

How Appdome Protects Mobile Apps with Session Headers?

Appdome’s dynamic Use Session Headers plugin within MobileBOT™ Defense secures session integrity by embedding tamper-proof headers into each request, enabling Web Application Firewalls (WAFs) to classify sessions as “Safe” or “At-Risk.” The plugin also integrates payload signing and encryption, ensuring that session data remains protected from interception and unauthorized modification.

In case of a MITM (Man-in-the-Middle) event detection, Appdome enhances session security by including additional metadata in the WAF logs. In addition to device metadata, the logs will also contain server certificate metadata, such as:

• certificateCN (Common Name)
• certificateIssuer
• certificateSHA1

Since a certificate chain may include multiple certificates, all certificates will be listed, such as certificateCN_1, certificateCN_2, and so on. The same applies to certificateSHA1 and certificateIssuer, ensuring comprehensive tracking of all certificates in the chain.

Prerequisites for Using Appdome's Session Headers Plugins:

To use Appdome’s mobile app security build system to Validate Session Headers , you’ll need:

• Appdome account (create a free Appdome account here)
• A license for Session Headers
• Mobile App (.ipa for iOS, or .apk or .aab for Android)
• Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)

How to Implement Validate Session Headers in Mobile Apps Using Appdome

On Appdome, follow these 3 simple steps to create self-defending Mobile Apps that Validate Session Headers without an SDK or gateway:

1. Designate the Mobile App to be protected.

   1. Upload an app via the Appdome Mobile Defense platform GUI or via Appdome’s DEV-API or CI/CD Plugins.

   2. Mobile App Formats: .ipa for iOS, or .apk or .aab for Android
   3. Session Headers is compatible with: Obj-C, Java, JS, C#, C++, Swift, Kotlin, Flutter, React Native, Unity, Xamarin, and more.

2. Select the defense: Session Headers.

   1. Create and name the Fusion Set (security template) that will contain the Session Headers feature as shown below:
      

      Figure 1: Fusion Set that will contain the Session Headers feature
      

      1. Follow the steps in Sections 2.2-2.2.2 of this article to add the Session Headers feature to your Fusion Set via the Appdome Console.

      2. When you select the Session Headers you'll notice that the Fusion Set you created in step 2.1 now bears the icon of the protection category that contains Session Headers.

         

         Figure 2: Fusion Set that displays the newly added Session Headers protection
         Note: Annotating the Fusion Set to identify the protection(s) selected is optional only (not mandatory).

      3. Open the Fusion Set Detail Summary by clicking the “...” symbol on the far-right corner of the Fusion Set. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):

         Figure 3: Fusion Set Detail Summary

      4. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, Jenkins, Travis, Team City, Circle CI or other system:

         1. Refer to the Appdome API Reference Guide for API building instructions.
         2. Look for sample APIs in Appdome’s GitHub Repository.

   2. Add the Session Headers feature to your security template.

      1. Navigate to Build > Anti Bot tab > Session Headers section in the Appdome Console.

         Like all other options in ONEShield™, Session Headers is turned on by default, as shown below:

         Figure 4: Selecting Session Headers
         Note: The App Compromise Notification contains an easy to follow default remediation path for the mobile app end user. You can customize this message as required to achieve brand specific support, workflow or other messaging.

      Toggle On > Session Headers.
      

      Figure 4: Selecting Validate Session Headers

   3. Initiate the build command either by clicking Build My App at the bottom of the Build Workflow (shown in Figure 4) or via your CI/CD as described in Section 2.1.4.

   Congratulations!  The Session Headers protection is now added to the mobile app

3. Certify the Session Headers feature in Mobile Apps

   After building Session Headers, Appdome generates a Certified Secure™ certificate to guarantee that the Session Headers protection has been added and is protecting the app. To verify that the Session Headers protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:

   Figure 5: Certified Secure™ certificate

   Each Certified Secure™ certificate provides DevOps and DevSecOps organizations the entire workflow summary, audit trail of each build, and proof of protection that Session Headers has been added to each Mobile app. Certified Secure provides instant and in-line DevSecOps compliance certification that Session Headers and other mobile app security features are in each build of the mobile app.