Akamai - Mobile Protection Against On-The-Go Bots · 2020. 12. 18. · Mobile Protection Against...


Transcript of Akamai - Mobile Protection Against On-The-Go Bots · 2020. 12. 18. · Mobile Protection Against...

Page 1: Akamai - Mobile Protection Against On-The-Go Bots · 2020. 12. 18. · Mobile Protection Against On-The-Go Bots Aspen L. Sherrill Security Solutions Architect Global Security Services
Page 2:

Mobile Protection Against On-The-Go Bots

Aspen L. Sherrill, Security Solutions Architect, Global Security Services Division, Security Product Development Aligned Services Team, BMP Global Product Line Expert

Tyler Davis, Security Solutions Architect, Global Security Services Division, Security Product Development Aligned Services Team, Enterprise Extended Product Line Expert

Page 3:

Agenda

• Mobile Development Foundations
  • HTML5, Native, Hybrid, and WebView Applications
• Intro to BMP Mobile (SDK)
  • SDK Architecture & Workflows
• Demo
• Leveraging Mobile Application Definitions
  • BMP
  • Reducing BMS False Positives
• SDK Integration Steps
  • App Side
  • API Configuration
  • Akamai Side

Page 4:

Mobile Development Fundamentals

• HTML5 Web App
• Native App
• Hybrid App
• WebViews

Page 5:

Fundamentals: HTML5 Applications

Web applications living server-side that users access as they would any other website

• HTML: Framework where developers put their content
• CSS: Describes how HTML elements should be displayed
• JavaScript: Makes it more interactive and able to do cool stuff

[Icon: HTML5 Web App]

Page 6:

Fundamentals: HTML5 Web Apps

[Diagram: Structure of an HTML 5 Web App. Elements: User Request; Device Detection; HTML5 App (HTML5, CSS3, JavaScript); User View; Data. Script layers: Hybrid Scripts, Core Scripts, Device Scripts. Theme layers: Device Theme, Core Theme, App Theme; Themes, HTML Classes, UX Patterns. Features: Device Access, Data Sync, Offline Storage, URL Handling, Location, AJAX and DOM Interactions; Polyfills, Shims.]

Page 7:

Fundamentals: HTML5 Web Apps

Page 8:

Fundamentals: HTML5 Web Apps

[Diagram: Structure of an HTML 5 Web App with BMP Web. Same elements as the Page 6 diagram (User Request; Device Detection; HTML5 App with HTML5, CSS3, JavaScript; User View; Data; Hybrid/Core/Device Scripts; Device/Core/App Themes; Themes, HTML Classes, UX Patterns; Device Access, Data Sync, Offline Storage, URL Handling, Location, AJAX and DOM Interactions; Polyfills, Shims), with two annotations pointing at the JavaScript layer: "BMP JS here →" and "Gather telemetry, set cookie here →".]

Page 9:

Fundamentals: HTML5 Web Apps

HTML5 Web Applications summary:

• Web apps built with HTML, CSS, and JavaScript
• Hosted in the classic client-server model
• Resources reside server-side

BMP Web is the applicable solution for HTML5 Web Apps

[Icon: HTML5 Web Apps]

Page 10:

Fundamentals: WebViews

Page 11:

Fundamentals: WebViews

• Operating system components that render web content in mobile apps
• ARE NOT full-fledged browsers; they can’t perform all functions of a mobile browser
• WebView in Android
• WKWebView in iOS

Page 12:

Fundamentals: WebViews

Page 13:

Fundamentals: Native Apps

Native application – Platform-specific, language-specific

• Objective-C and Swift for iOS, developed in Xcode
• Java, C/C++, Kotlin for Android, developed in Android Studio

[Icon: Native App]

Page 14:

Fundamentals: Native Apps

Basic ways for mobile apps to get something done, like Login:

• True native calls

or

• WebViews

Page 15:

Fundamentals: Native Apps

True native call: The native app code makes the HTTP(S) request, calling a RESTful API

Page 16:

Fundamentals: Native Apps

WebView:

import android.webkit.WebSettings;
import android.webkit.WebView;

// Login page rendered inside the app's WebView instead of via a native API call
String mUrl = "https://bmpapi.akamai.com/Services/samples/v1/login";

WebView mWebView = (WebView) findViewById(R.id.webView);
// Start from a clean state: drop any cached pages and history
mWebView.clearCache(true);
mWebView.clearHistory();
mWebView.getSettings().setAppCacheEnabled(false);
// Viewport settings so the page lays out like it would in a browser
mWebView.getSettings().setLoadWithOverviewMode(true);
mWebView.getSettings().setUseWideViewPort(true);
// Always fetch from the network, never from cache
mWebView.getSettings().setCacheMode(WebSettings.LOAD_NO_CACHE);
// JavaScript must be enabled for the page's scripts (including BMP Web JS) to run
mWebView.getSettings().setJavaScriptEnabled(true);
mWebView.getSettings().setJavaScriptCanOpenWindowsAutomatically(true);
mWebView.loadUrl(mUrl);

Page 17:

Fundamentals: Native Apps

Implications for Bot Manager

True native calls: SDK all day err’ day!

WebView call: Where are the resources located? What is the workflow?

Page 18:

Fundamentals: Native Apps

Implications for Bot Manager if the native app is using WebViews:

BMP Web JS Solution (Centralized Hosting) != BMP Web JS Solution (Distributed Code)

Page 19:

Fundamentals: Hybrid Apps

Platforms, frameworks, or SDKs intended to combine the best of both worlds between HTML5 Apps and Native Apps, with one code source and fast results

Hybrid apps are:
• Primarily built using HTML5 and JavaScript
• Wrapped inside a thin native container
• Given access to native platform features

[Icon: Hybrid App]

Page 20:

Fundamentals: Hybrid Apps

● Kivy
● Corona SDK
● Xamarin
● Appcelerator Titanium
● TheAppBuilder
● Apache Cordova (PhoneGap)
● Ionic
● Sencha Touch
● React Native
● Firebase
● And many, many more

Page 21:

Fundamentals: Hybrid Apps

Page 22:

Fundamentals: Summary

• HTML5 Web Apps are web apps built with HTML, CSS, and JavaScript, hosted in the classic client-server model, where resources reside server-side; they are the ideal candidate for BMP Web

• WebViews are operating system components that allow mobile apps to display web content inside the app; however, they are not a full-fledged browser and can’t perform all the functions a mobile browser can. Applications using WebViews should be reviewed to determine if they are compatible with BMP

• Native Apps are specific to a given mobile platform (iOS or Android for our use case) and they’re built using the development tools and languages that each respective platform supports. True native calls are the ideal candidates for BMP SDK

• Hybrid Apps are frameworks built to bridge the gap between HTML5 Web Apps and Native Apps. Depending on how these apps are architected they may be suitable for BMP SDK or Web, and they require application review

Page 23:

SDK Intro: https://developer.akamai.com/tools/sdk/bot-manager

Android:
• Android Studio
• Android API 15 (Android 4.0.4) and above

iOS:
• Xcode 8 and above
• Akamai BMP SDK is supported in iOS 8.0 and above

Hybrid Frameworks:
• Cordova
• React Native
• Ionic
• IBM MobileFirst

Page 24:

Bot Manager Premier: SDK

Page 25:

Bot Manager Premier: SDK

Page 26:

MOBILE PROTECTIONS DEMO

Page 27:

Bot Manager Premier Mobile Request Flow

Page 28:

Application Side SDK Integration

Android:
1. Install the SDK
2. Initialize the SDK by calling the CYFMonitor.initialize API from your main activity's onCreate method
3. Pull sensor data string from getSensorData()
4. Send sensor data in the X-acf-sensor-data header
5. Send standardized User-Agent
6. Bot domination

iOS:
1. Install the SDK
2. Edit build settings (Other Linker Flags: Obj-C)
3. If Swift, use an Objective-C bridging header file
4. Import the SDK header into your source file
5. Pull sensor data string from getSensorData()
6. Send sensor data in the X-acf-sensor-data header
7. Send standardized User-Agent
8. Bot domination

Page 29:

SDK Integration: App-side

SDK Integration Best Practices and Issues

Scope protected endpoints properly

• Don’t try to protect every HTTP request the app makes with BMP
  • Can cause FPs
  • Can cause Origin issues
• Like BMP Web, only target URLs/Operations that make sense
  • Login
  • Giftcard Check Balance
  • Checkout (if not behind login)
  • Submit Order (if not behind login)

Page 30:

SDK Integration: App-side

SDK Integration Best Practices and Issues

What clients consume the protected endpoints?

• Web browsers only: Web endpoint – Use BMP Web
• Native Mobile Apps only: Native endpoint – Use BMP SDK
• Web browsers and Native Mobile Apps: Hybrid endpoint – USE BMP WEB & BMP SDK

If Native Mobile App, do WebViews consume the same endpoint?
• WebViews should be uniquely identifiable from true Native calls
• Depending how the workflows are architected, they may need to be excluded from BMP processing entirely

Page 31:

Application Side SDK - Debugging

Verbose Debugging:

Page 32:

API Architecture – Single Operation

SDK Integration Best Practices and Issues

Only call the getSensorData() method for requests to the protected endpoint/operation (don’t try to incorporate sensor data on every HTTP request the app makes)

Scenario 1:
https://api.customer.com/api/v1/login
https://api.customer.com/api/v1/cachedcredentials
https://api.customer.com/api/v1/faceandtouchid
https://api.customer.com/api/v1/submitorder
https://api.customer.com/api/v1/allotherstuff

Page 33:

API Architecture – Multi Operation

SDK Integration Best Practices and Issues

Scenario 2: https://api.customer.com/api/v1/account

Host: api.customer.com
AppAction: AuthenticateUser | RefreshToken | CreateAccount | checkCertificate | Logout | FaceandTouchID | etc
X-acf-sensor-data: 123
Content-Length: 2727
User-Agent: MyApp/4.5.6 (Android 9; Build/5086253)
Content-Type: text/html
Accept-Encoding: gzip
Connection: Keep-Alive
Accept: text/html, image/gif, image/jpeg
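The Android integration steps (Page 28) and the two API shapes above (Scenario 1: one URL per operation; Scenario 2: one URL with the operation in an AppAction header) can be combined in a single request interceptor. The following is an added example, not code from the deck or from the Akamai SDK: it assumes OkHttp, injects the sensor-data source so the class does not depend on the SDK's package (in the app it would wrap CYFMonitor.getSensorData(), assumed here to return a String), uses a constructed User-Agent in the deck's sample format, and treats login/submitorder and AuthenticateUser/CreateAccount as the protected set, following the Page 29 guidance.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Attaches BMP SDK sensor data only to protected operations, so getSensorData()
 * is not called (and no BMP headers are sent) on every request the app makes.
 *   Scenario 1 (single operation): one URL per operation, decided by path.
 *   Scenario 2 (multi operation): one URL, operation named in the AppAction header.
 */
public final class BmpSensorInterceptor implements Interceptor {
    static final String SENSOR_HEADER = "X-acf-sensor-data";
    // Scenario 1: paths to protect (Login, Submit Order), per the deck's scoping guidance.
    static final Set<String> PROTECTED_PATHS =
            new HashSet<>(Arrays.asList("/api/v1/login", "/api/v1/submitorder"));
    // Scenario 2: AppAction values to protect; RefreshToken, Logout, etc. stay unprotected.
    static final Set<String> PROTECTED_ACTIONS =
            new HashSet<>(Arrays.asList("AuthenticateUser", "CreateAccount"));

    /** Abstracts the SDK call; in the app: () -> CYFMonitor.getSensorData() (assumed signature). */
    public interface SensorDataSource { String get(); }

    private final SensorDataSource sensorDataSource;
    private final String userAgent; // standardized UA, e.g. "MyApp/4.5.6 (Android 9; Build/5086253)"

    public BmpSensorInterceptor(SensorDataSource sensorDataSource, String userAgent) {
        this.sensorDataSource = sensorDataSource;
        this.userAgent = userAgent;
    }

    /** True when the request is a protected operation under either scenario. */
    static boolean isProtected(String path, String appAction) {
        if (PROTECTED_PATHS.contains(path)) return true;                       // Scenario 1
        return appAction != null && PROTECTED_ACTIONS.contains(appAction);    // Scenario 2
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request request = chain.request();
        if (!isProtected(request.url().encodedPath(), request.header("AppAction"))) {
            // Unprotected endpoint/operation: pass through untouched, no sensor data collected.
            return chain.proceed(request);
        }
        // Protected operation: pull fresh sensor data and send it with the standardized UA.
        String sensorData = sensorDataSource.get();
        Request protectedRequest = request.newBuilder()
                .header(SENSOR_HEADER, sensorData)
                .header("User-Agent", userAgent)
                .build();
        return chain.proceed(protectedRequest);
    }
}
```

Register it once on the app's OkHttpClient (client builder's addInterceptor) so the header logic lives in one place rather than at each call site; WebView traffic does not pass through this interceptor, which is one way to keep WebView requests distinguishable from true native calls.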

Page 34:

SDK Integration: Akamai-Side

1. API definitions
   I. API/Resource/Resource Purpose
   II. Origin Reported Failures (ORF) for Bot Endpoint Protection Report (BEP)

2. Security Configuration
   I. Bot Detection Methods (Behavioral)
   II. Custom Visibility Rules
   III. Mobile Application Definitions

Page 35:

Mobile Application Definitions

Page 36:

Mobile Application Definition BMS Benefits

Implications for Bot Manager Standard:

• Skip Bot Directory Rules
• Skip Akamai Defined Bot Rules
• Skip User-Agent Rules
• Skip Known Bot Impersonator Rules
• Skip Subset of Request Anomaly Rules
• Skip Cookie Validation Rules (Cookie Integrity/Cookie Support Validation)
• Skip Browser Validation Rules
• Skip Session Validation Rules
• Skip Workflow Validation Rules
• Skip Customer Defined Bot Rules unless Custom Bot is in Allow Mode

Page 37:

Integration Phases

1. MONITOR Mode Integration/Testing in QA environment

2. MONITOR Mode Integration/Testing in PROD environment

3. Release SDK-enabled app version to iOS and Android stores, perform FP analysis/tuning

4. DENY mode for SDK-enabled app versions, Testing in QA environment

5. DENY mode for SDK-enabled app versions, Testing in PROD environment

6. Monitor PROD DENIES, wait for adoption rates to increase, evaluate “web client” traffic

7. DENY mode for ALL app versions, Testing in QA environment

8. DENY mode for ALL app versions, Testing in PROD environment

Page 38:

Summary

• True native calls don’t play well with JavaScript and cookies

• BMP Mobile SDK takes the fundamental technology of Akamai Bot Manager and applies it to native mobile apps. The SDK collects behavioral data while the user is interacting with the application

• BMP SDK provides a simple mechanism to detect bot activities and defend against credential abuse and account takeover

• App logic and API Architecture affect how complicated an integration may be

• Integrating and testing BMP Mobile SDK is a highly iterative and collaborative multi-phase process between your mobile app developer team and Akamai

• BMP Web Protection and BMP Mobile Protection work together seamlessly

Page 39:

THANK YOU!

Tyler Davis
[email protected]
www.linkedin.com/in/tyler-davis-41b4b048/

Aspen L. Sherrill
[email protected]
www.linkedin.com/in/aspensherrill/

Page 40: