The Akamai Bot Manager Premier software development kit (BMP SDK) takes the fundamental technology of Akamai Bot Manager and applies it to native mobile apps. The BMP SDK collects behavioral data while the user is interacting with the application. This behavioral data, also known as sensor data, includes the device characteristics, device orientation, accelerometer data, touch events, etc. Akamai BMP SDK provides a simple API to detect bot activities and defend against malicious bot and account takeover.
Note: This SDK is an optional add-on to Bot Manager Premier. If you want to use it to extend protection to your mobile apps, contact your account rep.
|A. Human Request|
|B. Bot Request|
Integrating the BMP SDK Into Your Mobile App
Before you can start mitigating bot traffic you need to integrate the SDK in your mobile app, configure Bot Manager Premier in the control panel, and then monitor traffic so you can have actionable intelligence.
Integrate BMP into your Mobile App
- Download the SDK for each platform.
- Follow the integration instructions using the links immediately below.
Configure Bot Manager Premier
- Open the Luna Control Center and review your Bot Manager policy, make sure the hostname of your protected endpoint is covered by one of them.
- Define a new protected endpoint and associated with the relevant policy. Keep the new endpoints to monitor mode.
- Define the characteristics of your mobile app traffic: Mobile apps typically have a specific user agent, for example “MyMobileApp/1.0”. It’s important we clearly identify the app traffic for both iOS and Android as well as the app version so that we can apply the correct detection workflow to the request, this is especially important during the initial rollout. This definition will also help take independent action for each mobile app type.
- Deploy the new Bot Manager configuration to the Akamai production network.
For more details to complete these steps, please review Chapter 5 of the Bot Manager integration guide. For assistance with the integration, please contact your Akamai representative who can arrange for the Professional Services team help
Release Your New Mobile App
- Publish your new app to the Apple app stores and Google Play.
- Monitor user adoption.
- Review the bots detected.
- Once you’re satisfied with the accuracy of the detection, you can start mitigating bot traffic. Bot Manager offers flexible mitigation strategies based on the app version or the app type (Android or iOS) to reduce dependencies on users adopting the new app or delays in the implementation lifecycle for one of the apps.
For each request you want to protect, you will need:
- The full URL.
- The method (POST, GET).
- For POST request, include any POST element that would more specifically define the request to protect (only necessary if the endpoint identified by the above URL and method has multiple purposes).
- Identify whether the endpoint only supports native app traffic or also handles web traffic.
In order to prevent false positives, only requests that are triggered by users interacting with the application, and that may be abused by bots to carry out an attack, should be protected with this technology.
Typical use cases include:
- Account login
- Account signup
- Search queries
- Add to cart
- Reward and gift card programs
Identifying the App OS and Version In the User-agent
In order to prevent false positives during the initial rollout, you need to be able to identify the application version so that you can conditionally apply bot detection logic to requests that are expected to send the behavior data. Once enough users have upgraded to the latest version of the application, this condition can easily be removed by updating the Bot Manager configuration in the Luna Control Center.
Also, because the development lifecycle of the iOS and the Android application may not follow the same cadence and speed, you also need to be able to identify which requests come from iOS and Android apps. This strategy may help mitigate bot traffic quicker without having to wait for both apps to be at the same level of maturity and user adoption.
The edge server uses the User-Agent HTTP header to identify the application that is integrated with the SDK. So we recommend using a standard format like Application-Name/Version-Number (Platform-Information) for the User-Agent header in the REST API request.
HelloApp/1.2.3 (iPhone; iOS 11.2.1) MyFirstApp/1.1.2 (Android 7.0; Build/NRD90U)
Once the SDK has been implemented and the protected endpoints added into the Bot Manager configuration, the protected request is processed as follows:
- The user interacts with the mobile device to log into the application. While this happens, the behavior data (device orientation, device acceleration, device characteristics, and touch events) is recorded by the SDK.
- When the user presses the submit button:
- A. The application queries the SDK to retrieve sensor data.
- B. The sensor data is added to the request as a header.
- C. The request is sent to the closest available edge server.
- The Akamai edge server intercepts the REST API request and inspects X-acf-sensor-data header to determine if the request is from a BOT or a human user. After evaluating the sensor data, it takes the predefined action on the request:
- A. If no threat is found in the sensor data, the request is classified as human and forwarded to the origin web server.
- B. If a threat is detected, the bot manager rule fires and the associated action executed.
These responses are covered in more detail in the following section.
Akamai Edge Response
If the request is classified as human, the traffic continues to the origin server and the response is sent back to the app. If the request is BOT, there are two possible actions, monitor and deny.
If the action is monitor, the traffic is allowed and the request is sent to the origin server.
If the action is deny, a 403 HTTP response is sent back to the app, and the app should handle the situation and take appropriate action.
Hint: To differentiate a 403 response from your own origin server, check for AkamaiGHost in the Server HTTP response header, which would be a response from Akamai Edge server; your origin server will have a different value.
When Bots Attack
If you’re under an active attack, the Bot Analysis and Bot Activity tools in the Luna control security center give you full visibility of bot traffic over the last 90 days. You can filter on the protected hostname, and the behavior anomaly detection method.
The Bot analysis tools provide more granular information about the attack traffic for the last 15 days, such as the top IP address, top country, top BotNet ID, etc. For example:
Top IP address
Top IP address provides visibility on the most persisting IP address sending malicious requests.
Top country shows where the traffic is coming from and helps evaluate how distributed the attack is.
Top Botnet ID
Top Botnet ID is tied to the botnet signature and provides a good view of the botnets targeting the endpoints.