This is one in a series of posts about the Akamai 2018 Spring Release. For an overview of the Spring Release, see our post here.
As the share of mobile app traffic on the Internet increases, bot operators have learned to take advantage of native app APIs, since they are typically more challenging to protect. This is because traditional methods developed to protect traditional web or mobile webview requests are not effective:
- Each mobile app is somewhat unique, and native app traffic characteristics are less predictable than traffic coming from web browsers.
- Detection based on rate or reputation can have false positives due to the nature of mobile networks.
Over the last few months, the web security engineering team worked tirelessly to develop a solution that takes advantage of the unique nature of mobile devices and closes the security gap. We are pleased to announce the availability of the Bot Manager Premier Mobile Protection Module (BMP Mobile) in Akamai’s Spring Release. The new product version includes a Software Development Kit (SDK) for iOS and Android and has already been successfully deployed on several mobile applications during our beta phase.
How Behavior Anomaly Detection Works
The purpose of the BMP Mobile SDK is to collect behavioral data while the user is interacting with the mobile application. The SDK itself doesn't do the determination, it sends the data to Bot Manager Premiere. The data is then evaluated to determine if it came from humans or bots. This technique is called behavior anomaly detection and the technology is typically used to protect various use cases from automated attacks including:
- Login to prevent account takeovers.
- Automated account creations.
- Gift cards, coupons, loyalty point programs.
- Hotel and flight searches.
- Add-to-cart workflows.
As an example, let’s take a look at how this works for a login.
- While the user interacts with the mobile device, behavior data (device orientation, device acceleration, device characteristics, and touch events) is recorded by the SDK.
- When the user presses the submit button:
- The application queries the SDK to retrieve the behavior data.
- The request is sent to the closest available edge server.
- The behavior data is added to the protected request.
- The Akamai edge server extracts and evaluates the behavior data and takes the predefined action for the request:
- If no threat is found in the behavior data, the request is classified as human and forwarded to the origin web server.
- If a threat is detected, there are three possible actions: deny, monitor, and serve alternate.
- If the action is deny, a 403 HTTP response is sent back to the app to handle the situation and take appropriate action.
- If the action is monitor, the traffic is allowed and the request is sent to the origin server.
- Finally, the serve alternate action allows for serving a custom response to the client.
The diagram below illustrates the workflow when the request comes from a human (allowed to proceed to the origin website) vs. a bot (blocked at the edge).
What Happens When Bots Attack
If you’re under an active attack, the Bot Analysis and Bot Activity tools in the Luna control security center give you full visibility on bot traffic detected by the Bot Manager product. The Bot Activity tool allows you to see 90 days of all bot activity detected with the Bot Manager. To see how the new method performs, you can filter on the protected hostname and the behavior anomaly detection method:
The Bot Analysis tool provides more granular information about the attack traffic for the last 15 days, such as the top IP address, top country, top BotNet ID, header signature, etc. It also offers additional filtering capabilities to allow you to look at how much attack traffic is targeting a specific URL (protected endpoint).
- Top IP address provides visibility on the most persisting nodes sending malicious requests. This helps to get an idea of the scale of the attack.
- Top country shows where the traffic is coming from and helps evaluate how distributed the attack is.
- Top Botnet ID is tied to the botnet signature and provides a good view of the number of botnets targeting the endpoints.
Many more dimensions are available in the security center to slice and dice the data and get an understanding of bot activity and evaluate the accuracy of the detection. The engineering team continuously evaluates new threats and upgrades the detection engine as needed.
Once you’re satisfied with the accuracy of the detection, you can start mitigating bot traffic. Bot Manager offers flexible mitigation strategies based on the app version or the app type (Android or iOS) to reduce dependencies on users adopting the new app, or delays from the implementation lifecycle for one of the apps.
To get started with the BMP Mobile solution, first, contact your Akamai account representative to make sure you are contracted for the product. Once the product is available on your account, you can start the integration process.
The steps to integrate the BMP Mobile SDK into your mobile app are covered in the SDK integration guide. But the high-level steps are as follows:
- Download the SDK.
- Identify the requests you want to protect (the full URL, method, etc).
- Configure the Bot Manager Behavior anomaly detection method in the Luna control panel.
- Deploy the Bot Manager configuration to the Akamai production network.
- Publish your new app to the Apple app stores and Google Play.
- Monitor user adoption.
- Evaluate the activity detected.
- Mitigate the bot traffic.
Be sure to join our Akamai 2018 Spring Release webinar for an opportunity to ask live questions of our product experts. Register now.