We're Hiring!

How Can Bots Be Prevented?

Binary numbers; hand holding the text BOT

Bad bots—computer programs that mimic human behavior—are a growing threat to businesses, costing them billions of dollars yearly in fraud and data theft. What can you do about it?

A recent study found that companies are losing about 3.6% of their revenue to bots. According to the study, 60% of sampled organisations detected attacks on APIs and 39% detected attacks on mobile apps. 

NETACEA graphs showing changes in bot attacks

Source: netacea.com

But you can take steps to protect your mobile app from bad bot attacks. Below, we outline six steps you can take to minimize the chances of bad bots infiltrating your platform. 

1. Block or CAPTCHA outdated user agents/browsers

Bad bots often masquerade as old browsers or devices when they make requests to your server. By blocking requests from outdated user agents/browsers, you can reduce the number of bad bot requests your server receives. Thankfully, most modern browsers force auto-updates on users.

2. Block known hosting providers and proxy services

Many bad bot requests come from compromised computers that are part of a botnet. These computers are usually located on shared hosting providers or proxy services. You can prevent many bad bot requests from reaching your server by blocking known hosting providers and proxy services, although you should be aware that masking where communications come from is not too complex.

3. Protect all bad bot access points

Bad bots will try to access your website or app through any open door, including any unprotected API endpoints. Protecting all your access points with authentication and authorization can make it more difficult for bad bots to reach your server, although it should be noted that credential stuffing attacks do use valid usernames and passwords. 

4. Evaluate traffic sources

If you see sudden spikes in traffic from unknown sources, it could be a sign that someone is using a bot to DDoS your website or app. By monitoring traffic sources, you can quickly identify and block malicious traffic before it does any damage. 

5. Investigate traffic spikes

Not all traffic spikes are caused by bad bots. But if you see a sudden spike in traffic that doesn't match up with any changes you've made to your platform, it's worth investigating further. It could signify that someone is trying to DDoS your site or steal data from your app. 

6. Monitor failed login attempts

A high number of failed login attempts could signify that someone is using a brute force attack to gain access to your app, e.g. a credential stuffing attack. By monitoring failed login attempts, you can quickly identify when you are  under siege and minimize the damage. 

Most of the above recommendations are generic in that they can be applied to all internet traffic coming into your platform. Many of them are also 'after the fact' in that they may help you to identify when you have been attacked or are under attack.

Clearly it is preferable to identify and block bad bot traffic at the edge, before it enters your backend infrastructure a causes damage and increases your operating costs. Further, it should be recognised that traffic actually coming  from your mobile app is particularly difficult to differentiate from traffic claiming to come from your mobile app - after all your API key is probably stored inside your mobile app code. 

So how should you deal with this risk?

Invest in a bot protection solution for mobile

The best way to protect your mobile business from bot attacks is to invest in a bot protection solution like Approov. Approov uses a runtime attestation system that verifies the integrity and origin of every request made to your mobile backend APIs using cryptographically signed tokens bound to the requesting device/application couplet - protecting against automated bot attacks, malicious replay recordings, and fraudsters as well as stopping man-in-the-middle (MitM) hijacks and other active breaches. Try out Approov for free today.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.