Appdome announced at Black Hat 2025 the integration of its IDAnchor™ Customer Identity Protection suite into MobileBOT™ Defense, Appdome’s bot defense offering. This powerful combination enables mobile brands and businesses to build a virtual Mobile API Gateway on top of any standard backend infrastructure, preventing unauthorized API access, stopping brute-force bot attacks, and eliminating point products for API Protection and Bot Defense.
Build Your Own Mobile API Gateway
Powered by AI, Appdome’s MobileBOT™ Defense, with IDAnchor inside, enables mobile teams to create a virtual Mobile API Gateway that sits on top of any standard backend infrastructure. Together, they provide an OS-independent chain of trust consisting of:
- WorkspaceID – root identifier from the DevOps environment.
- ReleaseID – intermediate identifier for each App Release.
- InstallID – leaf identifier for each App instance.
- DeviceID – leaf identifier for each mobile Device that uses an IDAnchor enabled app.
- True Device Attributes™ – OS-independent device attributes.
- Threat Signals – for identity, OS, Application and Device Threats.
During any API connection request, if any part of the chain is missing, altered, or replaced, the mobile brand or business knows the origin of the API request is suspicious or malicious. If an attacker attempts to impersonate legitimate mobile users, applications, devices, or locations, or uses automated programs to generate requests individually or via brute-force methods, the connection can be dropped or routed for mitigation in the application. No external systems or SDKs are required.
Immutable Mobile Identity vs. Cookies and Tokens
Legacy mobile API and bot defense products use time-based cookies and tokens to determine session validity. They can be stored insecurely or transmitted in the clear, making them vulnerable to reuse by the attacker. Cookies and tokens do not provide any data on the mobile device, application, or installation making the API request. In short, cookies and tokens cannot tell if the API request is coming from a good, bad, real, fake, compromised or uncompromised mobile user, app, install, or device.
In contrast, each IDAnchor fingerprint can be cryptographically bound to each user so that it is not reusable and persists across re-installs, OS updates, and factory resets. This fully addresses these top challenges in legacy bot protection strategies:
- Fake Users & Devices: Fake users and fake, emulated, or spoofed devices cannot present a valid IDAnchor identity, making it easy to block spoofed or impersonated sources.
- Bot Attack Masking & Evasion Techniques: Any attempted reuse or manipulation of the device, application, or OS attributes will result in an IDAnchor mismatch, revealing the attacker.
- Stolen Credentials or Identities: Stolen identities using separate devices, synthetic identity or AI-generated deepfakes, vishing, or session hijacks.
- Install and attribution fraud: Fraud attempts conducted by emulator farms, malware-controlled apps, or fake devices.
- KYC-fraud: Fake signups, fake account creation, and usage performed by bots or automated tools designed to spoof real behavior.
- Weaponized Mobile Apps: Malware-controlled or modified apps will change the IDAnchor fingerprint, revealing the weaponized mobile app.
- Brute-force credential stuffing: Attacks that use automated programs or stolen credentials with fake or spoofed mobile applications and devices.
- Bot Source Triangulation: A bot detected from App A can be blocked or flagged in App B—without needing to sync external intelligence.
- Risk Scoring for API Connection Requests: Each match or mismatch of IDAnchor values is represented as a percentage and can be used as a proxy for connection risk or used to influence risk scoring methods for such purpose.
Appdome will showcase IDAnchor™ and MobileBOT™ Defense at Black Hat USA in Vegas on Aug 6th and 7th. Stop by Booth #4746 in the Black Hat Business Hall to learn more and see it live. For those not attending Black Hat, learn more about Appdome Mobile API and Bot Protection.
This entry was posted on August 19, 2025 at 9:02 am and is filed under Commentary with tags Appdome. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Appdome Empowers Mobile Brands to Build Their Own Mobile API Gateway with AI, Unifying API and Bot Protection in One Solution