In this article we will look at the challenges of making sure that bots and other automated traffic can’t gain access to your backend systems, no matter how they try. Most enterprises offer services through their website and their mobile app and both attack surfaces must be considered. Ensuring that both channels are properly defended will prevent DDoS, credential stuffing, data scraping and other fraudulent exploits from occurring.
Websites and mobile apps are implemented with very different technologies and have very different deployment models. They therefore require different security approaches. However, these approaches can work seamlessly together to provide an effective solution, eliminating automated traffic and customer friction at the same time.
Below we will examine complementary products from Cloudflare® and Approov and then show the value of them working together to deliver a holistic defense for enterprises that rely on revenue from both mobile and web channels.
Cloudflare Bot Management
The Cloudflare Bot Management system is a backend analysis engine which enriches current and historical Internet traffic data with various technologies and techniques, including behavioral analysis, Machine Learning (ML), heuristics and client-side JavaScript fingerprinting, to identify suspect activity in your traffic.
The Cloudflare network sees about 16% of the web traffic worldwide today and can learn from any type of traffic: web, API, mobile and other more technical protocols such as WebSockets and gRPC. Cloudflare Bot Management is effective in delivering intelligence to customers because the security outcomes for all of this traffic are known exactly, so the ML algorithm can learn at an extremely high scale.
When it comes to web traffic, this is very straightforward since the solution can easily challenge people in their browsers where a transaction looks suspicious. These challenges are developed by Cloudflare and are therefore more difficult to get around than regular CAPTCHA solutions. In this way a very small percentage of false positives is observed, which is very important to enterprise customers because they do not want to block any genuine users.
For mobile traffic it is a little more complicated because the solution cannot challenge users, so enterprise customers either need to reluctantly accept false positives or they need to find other solutions to avoid them.
Even a very small percentage of false positives can be a major issue, because they may occur on a critical path of the user journey, such as payments, and there the consequences can be disastrous.
Approov API Threat Protection
Approov ensures that only genuine instances of an enterprise's mobile app, running within a safe runtime environment, are able to use the API to access backend data and resources. In this way all scripted and bot-driven traffic which attempts to use the APIs servicing the mobile channel is blocked, even if it presents valid API or user credentials. Approov delivers a positive security model, ensuring that false positives do not occur.
An SDK in the mobile app works seamlessly with the Approov Cloud Service to authenticate that a genuine app instance is present when an API request is made. This is validated at the API endpoint by checking that a short-lived JWT, issued by the Approov Cloud Service and relayed by the mobile app with the request, is signed with the enterprise's own secret.
In addition to being invisible to app users, Approov also protects enterprises against bad actors exploiting known or unknown vulnerabilities in their APIs. Such vulnerabilities are exploited by adversaries using scripts that rapidly try different approaches, probing for weaknesses. By ensuring that only genuine mobile app instances can use the APIs, such attacks are stopped at the source.
Finally, Approov removes the headaches associated with implementing, deploying and managing certificate pinning on APIs which service mobile apps. Pinning is considered an essential security layer in API-based platforms, but Development and DevOps teams can be reluctant to adopt it because of the complexity. Approov has dynamic pinning built in, using Approov's over-the-air update capability to keep pinning simple at every stage.
One Plus One Equals Three
Enterprises use web, mobile or both to deliver services to their customers. The split between web and mobile varies and even though the general trend is towards mobile, there’s no sign that the web channel will disappear any time soon. It is therefore critical to ensure that both entry points to the enterprise are protected well and that customer experience is considered front and center of any deployed security system. If the friction of the employed security system impacts negatively on genuine customers, the business impacts can be very serious.
Neither Cloudflare Bot Management nor Approov API Threat Protection is on its own the complete package to cover 100% of a typical enterprise platform's traffic and use cases across both web and mobile channels. However, a highly efficient solution can be created by combining a positive security model for mobile, where all Approov-validated traffic is allowed and the remaining automated traffic is blocked, with a negative security model via Cloudflare Bot Management for analysis and mitigation of all other traffic.
Moreover, Cloudflare Workers® can be used to validate Approov JWTs originating from the enterprise's mobile app, making the integration of the two solutions simple to implement. This is a well-documented interface point, as can be seen in this blog post and this GitHub repo.