Every democratic election depends on trust. Citizens must trust that votes are counted fairly, voter rolls remain accurate, and the digital systems supporting the process are secure.As election authorities modernize, many now use mobile apps to let citizens register to vote, request ballots, and track deliveries directly from their smartphones. But this convenience also creates a new attack surface.
If election APIs are left unprotected, attackers can exploit them using bots, emulators, and automated scripts at massive scale.
The Threat: Scale-Based Voter Registration Fraud
In the lead-up to a hotly contested national election, politically motivated attackers identified a critical exploit vector: the commission's mobile API.
Because the API initially lacked a mechanism to distinguish between a genuine citizen using a real smartphone and a script running on a computer, attackers saw an opportunity to manipulate the election before a single ballot was even cast. Using automated scripts and device emulators, they launched a coordinated campaign to:
- Fabricate identities at scale.
- Flood the system with mass fraudulent voter registrations.
- Undermine the credibility of the entire electoral process.
This wasn't opportunistic hacking; it was a deliberate attempt to compromise a free and fair election by exploiting the mobile attack surface.
The Solution: A Unified, Closed-Loop API Defense
To shut down the attack vector, the Election Commission deployed a layered security approach combining Approov Mobile App Protection with Cloudflare API Shield & Bot Management.
This dual-layer defense operated on two reinforcing principles:
1. Mobile App Attestation at the Source (Approov)
The Approov SDK was embedded directly into the official mobile application. In real time, Approov’s remote attestation service verified whether incoming API requests originated from a genuine, unmodified copy of the official app running on a safe, physical device.
- What was blocked: Emulators, rooted devices, repackaged apps, and automated scripts were stopped immediately at the point of contact.
- The result: If a request didn't come from a verified app on a clean device, it never reached the API.
2. Network-Level Filtering (Cloudflare)
Cloudflare's Enterprise Bot Management and API Shield acted as the outer shield, filtering out non-human, automated traffic at scale. Together with Approov, this created a secure ecosystem where only legitimate mobile app traffic could communicate with the voter registration endpoints.
The Outcome: 100% Protection on Election Day
The defense was an absolute success. 100% of emulator-based, fraudulent registration attempts were automatically blocked. The voter registration API remained entirely stable and available exclusively to real citizens. Hundreds of thousands of legitimate voters successfully registered, requested ballots, and tracked their delivery without a single interruption or a single fraudulent registration bypassing the gateway.
Ted Miracco
CEO of Approov
Ted’s high-technology experience spans 30 years in cybersecurity, electronic design automation (EDA), RF/microwave circuit design, semiconductors, and defense electronics.
