Akamai - Mobile Protection Against On-The-Go Bots · 2020. 12. 18.

Post on 15-Mar-2021


Mobile Protection Against On-The-Go Bots

Aspen L. Sherrill, Security Solutions Architect, Global Security Services Division, Security Product Development Aligned Services Team, BMP Global Product Line Expert

Tyler Davis, Security Solutions Architect, Global Security Services Division, Security Product Development Aligned Services Team, Enterprise Extended Product Line Expert

Agenda

• Mobile Development Foundations
  • HTML5, Native, Hybrid, and WebView Applications
• Intro to BMP Mobile (SDK)
  • SDK Architecture & Workflows
  • Demo
• Leveraging Mobile Application Definitions
  • BMP
  • Reducing BMS False Positives
• SDK Integration Steps
  • App Side
  • API Configuration
  • Akamai Side

Mobile Development Fundamentals

• HTML5 Web App
• Native App
• Hybrid App
• WebViews

Fundamentals: HTML5 Applications

Web applications living server-side that users access as they would any other website

• HTML: Framework where developers put their content
• CSS: Describes how HTML elements should be displayed
• JavaScript: Makes it more interactive and able to do cool stuff

[Diagram: Structure of an HTML 5 Web App. Layers: Device Detection, User Request, User View, Data. Technologies: HTML5, CSS3, JavaScript. Components: Themes (Device Theme, Core Theme, App Theme, HTML Classes, UX Patterns); Scripts (Hybrid Scripts, Core Scripts, Device Scripts); Features (Device Access, Data Sync, Offline Storage, URL Handling, Location, AJAX and DOM, Interactions, Polyfills, Shims).]

Fundamentals: HTML5 Web Apps

[Diagram: Structure of an HTML 5 Web App with BMP Web. Same layers and components as the previous diagram; the JavaScript layer is annotated "Gather telemetry, set cookie here →" and "BMP JS Here →".]

Fundamentals: HTML5 Web Apps

HTML5 Web Applications summary:

• Web apps built with HTML, CSS, and JavaScript
• Hosted in the classic client-server model
• Resources reside server-side

BMP Web is the applicable solution for HTML5 Web Apps

Fundamentals: WebViews

• Operating system components that render web content in mobile apps
• ARE NOT full-fledged browsers, can’t perform all functions of a mobile browser
• WebView in Android
• WKWebView in iOS

Fundamentals: Native Apps

Native application – Platform-specific, language-specific

• Objective-C and Swift for iOS, developed in Xcode
• Java, C/C++, Kotlin for Android, developed in Android Studio

Basic ways for mobile apps to get something done, like Login:

• True native calls

or

• WebViews

Fundamentals: Native Apps – True native call:

The native app code makes the HTTP(S) request, calling a RESTful API

Fundamentals: Native Apps – WebView:

    // Android: load the login page in a WebView instead of calling the login API natively
    String mUrl = "https://bmpapi.akamai.com/Services/samples/v1/login";
    mWebView = (WebView) findViewById(R.id.webView);
    mWebView.clearCache(true);
    mWebView.clearHistory();
    mWebView.getSettings().setAppCacheEnabled(false);
    mWebView.getSettings().setLoadWithOverviewMode(true);
    mWebView.getSettings().setUseWideViewPort(true);
    mWebView.getSettings().setCacheMode(WebSettings.LOAD_NO_CACHE);
    // JavaScript must be enabled for page scripts (including BMP Web JS) to run inside the WebView
    mWebView.getSettings().setJavaScriptEnabled(true);
    mWebView.getSettings().setJavaScriptCanOpenWindowsAutomatically(true);
    mWebView.loadUrl(mUrl);

Fundamentals: Native Apps – Implications for Bot Manager

True native calls: SDK all day err’ day!

WebView call: Where are the resources located? What is the workflow?

Fundamentals: Native Apps

Implications for Bot Manager if the native app is using WebViews:

BMP Web JS Solution (Centralized Hosting) != BMP Web JS Solution (Distributed Code)

Fundamentals: Hybrid Apps

Platforms, frameworks, or SDKs intended to combine the best of both worlds between HTML5 Apps and Native Apps, with one code source and fast results

Hybrid apps are:
• Primarily built using HTML5 and JavaScript
• Wrapped inside a thin native container
• Given access to native platform features

Hybrid frameworks include:
● Kivy
● Corona SDK
● Xamarin
● Appcelerator Titanium
● TheAppBuilder
● Apache Cordova (PhoneGap)
● Ionic
● Sencha Touch
● React Native
● Firebase
● And many, many more

Fundamentals: Summary

• HTML5 Web Apps are Web apps built with HTML, CSS, and JavaScript, hosted in the classic client-server model, where resources reside server-side; they are the ideal candidate for BMP Web

• WebViews are operating system components that allow mobile apps to display web content inside the app; however, they are not a full-fledged browser and can’t perform all the functions a mobile browser can. Applications using WebViews should be reviewed to determine if they are compatible with BMP

• Native Apps are specific to a given mobile platform (iOS or Android for our use case) and they’re built using the development tools and languages that each respective platform supports. True native calls are the ideal candidates for BMP SDK

• Hybrid Apps are frameworks built to bridge the gap between HTML5 Web Apps and Native Apps. Depending on how these apps are architected they may be suitable for BMP SDK or Web and require application review

SDK Intro: https://developer.akamai.com/tools/sdk/bot-manager

Android: Android Studio; Android API 15 (Android 4.0.4) and above

iOS: Xcode 8 and above; Akamai BMP SDK is supported in iOS 8.0 and above

Hybrid Frameworks: Cordova, React Native, Ionic, IBM MobileFirst

Bot Manager Premier: SDK

MOBILE PROTECTIONS DEMO

Bot Manager Premier Mobile Request Flow

Application Side SDK Integration

Android:
1. Install the SDK
2. Initialize the SDK by calling the CYFMonitor.initialize API from your main activity's onCreate method
3. Pull the sensor data string from getSensorData()
4. Send the sensor data in the X-acf-sensor-data header
5. Send a standardized User-Agent
6. Bot domination

iOS:
1. Install the SDK
2. Edit build settings (Other Linker Flags: -ObjC)
3. If Swift, use an Objective-C bridging header file
4. Import the SDK header into your source file
5. Pull the sensor data string from getSensorData()
6. Send the sensor data in the X-acf-sensor-data header
7. Send a standardized User-Agent
8. Bot domination

SDK Integration: App-side

SDK Integration Best Practices and Issues

Scope protected endpoints properly

• Don’t try to protect every HTTP request the app makes with BMP
  • Can cause FPs
  • Can cause Origin issues
• Like BMP Web, only target URLs/Operations that make sense
  • Login
  • Giftcard Check Balance
  • Checkout (if not behind login)
  • Submit Order (if not behind login)

SDK Integration: App-side – SDK Integration Best Practices and Issues

What clients consume the protected endpoints?

Web browsers only: Web endpoint – Use BMP Web
Native Mobile Apps only: Native endpoint – Use BMP SDK
Web browsers and Native Mobile Apps: Hybrid endpoint – USE BMP WEB & BMP SDK

If Native Mobile App, do WebViews consume the same endpoint?
• WebViews should be uniquely identifiable from true Native calls
• Depending how the workflows are architected, they may need to be excluded from BMP processing entirely

Application Side SDK - Debugging

Verbose Debugging:

API Architecture – Single Operation (SDK Integration Best Practices and Issues)

Only call the getSensorData() method for requests to the protected endpoint/operation (don’t try to incorporate sensor data on every HTTP request the app makes)

Scenario 1:
https://api.customer.com/api/v1/login
https://api.customer.com/api/v1/cachedcredentials
https://api.customer.com/api/v1/faceandtouchid
https://api.customer.com/api/v1/submitorder
https://api.customer.com/api/v1/allotherstuff

API Architecture – Multi Operation (SDK Integration Best Practices and Issues)

Scenario 2:
https://api.customer.com/api/v1/account

    Host: api.customer.com
    AppAction: AuthenticateUser | RefreshToken | CreateAccount | checkCertificate | Logout | FaceandTouchID | etc
    X-acf-sensor-data: 123
    Content-Length: 2727
    User-Agent: MyApp/4.5.6 (Android 9; Build/5086253)
    Content-Type: text/html
    Accept-Encoding: gzip
    Connection: Keep-Alive
    Accept: text/html, image/gif, image/jpeg

SDK Integration: Akamai-Side

1. API definitions
   I. API/Resource/Resource Purpose
   II. Origin Reported Failures (ORF) for Bot Endpoint Protection Report (BEP)

2. Security Configuration
   I. Bot Detection Methods (Behavioral)
   II. Custom Visibility Rules
   III. Mobile Application Definitions

Mobile Application Definitions

Mobile Application Definition BMS Benefits – Implications for Bot Manager Standard:

• Skip Bot Directory Rules
• Skip Akamai Defined Bot Rules
• Skip User-Agent Rules
• Skip Known Bot Impersonator Rules
• Skip Subset of Request Anomaly Rules
• Skip Cookie Validation Rules (Cookie Integrity/Cookie Support Validation)
• Skip Browser Validation Rules
• Skip Session Validation Rules
• Skip Workflow Validation Rules
• Skip Customer Defined Bot Rules unless Custom Bot is in Allow Mode

Integration Phases

1. MONITOR Mode Integration/Testing in QA environment

2. MONITOR Mode Integration/Testing in PROD environment

3. Release SDK-enabled app version to iOS and Android stores, perform FP analysis/tuning

4. DENY mode for SDK-enabled app versions, Testing in QA environment

5. DENY mode for SDK-enabled app versions, Testing in PROD environment

6. Monitor PROD DENIES, wait for adoption rates to increase, evaluate “web client” traffic

7. DENY mode for ALL app versions, Testing in QA environment

8. DENY mode for ALL app versions, Testing in PROD environment

Summary

• True native calls don’t play well with JavaScript and cookies

• BMP Mobile SDK takes the fundamental technology of Akamai Bot Manager and applies it to native mobile apps. The SDK collects behavioral data while the user is interacting with the application

• BMP SDK provides a simple mechanism to detect bot activities and defend against credential abuse and account takeover

• App logic and API Architecture affect how complicated an integration may be

• Integrating and testing BMP Mobile SDK is a highly iterative and collaborative multi-phase process between your mobile app developer team and Akamai

• BMP Web Protection and BMP Mobile Protection work together seamlessly

THANK YOU!

Tyler Davis

tyler.davis@akamai.com

www.linkedin.com/in/tyler-davis-41b4b048/

Aspen L. Sherrill

aspen.sherrill@akamai.com

www.linkedin.com/in/aspensherrill/