Skip to content

Mobile App Impersonation via NHIs: The Silent Killer of API Security

APIs (Application Programming Interfaces) are the unsung heroes in an interconnected digital world. They are the crucial communication channels enabling different software systems to talk to each other, powering everything from your mobile banking app to complex enterprise solutions. However, this vital role also makes them prime targets for malicious actors. While many organizations focus on human user authentication, a more insidious threat often goes unnoticed: Non-Human Interfaces (NHIs).

Blog: Mobile App Impersonation Via NHIs: The Silent Killer of API Security
14:05

 

These NHIs, encompassing everything from automated scripts and web bots to compromised IoT devices and even other rogue APIs, can wreak havoc on your systems if not properly managed. They represent a "silent" threat because their activities can easily blend with legitimate automated traffic, bypassing traditional security measures focused on human interaction.

The Silent Menace: Why NHIs Pose a Unique API Risk

Non-Human Interfaces, by their very nature, operate differently from human users. They are automated, can run continuously, and often interact with APIs at a scale and speed that humans cannot replicate. This presents several unique challenges:

 

  • Stealthy Operations: Malicious NHIs, such as bad bots and scripts, are designed to mimic legitimate traffic or exploit vulnerabilities in the background. Their automated nature allows them to probe for weaknesses, exfiltrate data, or launch denial-of-service attacks without raising immediate red flags that human-centric security might catch.
  • Bypassing Traditional Defenses: Security measures like CAPTCHAs or multi-factor authentication for human users are largely ineffective against sophisticated NHIs. These automated entities don't "log in" in the traditional sense, often leveraging stolen API keys, or exploiting flaws in how an API authenticates and authorizes requests from non-human clients.
  • Difficulty in Detection: Because NHIs often operate in areas not designed for identity-based logging in the same way human users are, their malicious activities can go unnoticed for extended periods. Attackers can modify existing NHIs or introduce new, unauthorized machine identities that blend into the noise of normal system operations.
  • Scalability of Attacks: Once a vulnerability is found, NHIs can exploit it relentlessly and at scale, leading to rapid data breaches, service disruptions, or compromised systems. Think of credential stuffing attacks, where bots hammer login endpoints with stolen usernames and passwords, or automated scraping of sensitive data.

If your APIs are not specifically secured against these non-human threats, you could be leaving your digital doors wide open to abuse, data theft, and service degradation, all happening silently in the background.

Sorting Good NHIs from Bad: Its Not That Easy

It's true that some NHIs are good and we want to let them in. Here are some examples of “good” NHIs: 

 

Internal automation scripts

QA tests, CI/CD checks, monitoring

Trusted partners’ integrations

Access to limited API endpoints

Analytics/data pipeline calls

ETL or audit logs from known environments

Third-party tools

Postman, Zapier, custom dashboards

Legacy systems

Non-app clients that must call mobile APIs

 

So all we need to do is allow good NHIs and block bad ones. The problem? Most backend tools can’t even tell a real mobile app from a fake one. NHIs often slip through firewalls, API gateways, or behavioral bot detection systems.

Backend API security has relied on two main signals to verify legitimate web crawlers from other types of automated traffic: user agent headers and IP addresses. The User-Agent header allows bot developers to identify themselves.  However, user agent headers alone are easily spoofed and are therefore insufficient for reliable identification. 

To address this, user agent checks often add IP address validation, the inspection of published IP address ranges to confirm a crawler's authenticity. But this is not always reliable either since connections from the crawling service might be shared by multiple users and the allocation of IP address ranges change over time.

This highlights one of the challenges presented by using a backend-only app sec solution. Because contextual information about what is happening in the client environment is missing, there is always ambiguity and your security team will spend an inordinate amount of time and energy juggling with false positives and negatives. 

What is needed is a way for every request to be signed and checked for legitimacy at the API - a true Zero Trust approach. 

Addressing the NHI Challenge: Emerging Strategies for Web and Mobile

The industry is recognizing the urgent need to move beyond simply guessing if traffic is human or bot. The goal is to enable explicit authentication and verification for all types of traffic, including legitimate automated services.

A Promising Proposal for Web Bots: Cloudflare’s Web-Bot-Auth 

One interesting development in this area comes from Cloudflare with their Web-Bot-Auth  proposal. This new standard aims to help distinguish "good" bots (like search engine crawlers or legitimate automated services) from malicious ones when they access web resources and APIs.

The concept is straightforward yet powerful:

  • Cryptographic Signatures: Developers of trusted bots and agents would cryptographically sign the requests originating from their service.
  • Standardized Header: This signature would be conveyed via a new HTTP header, Sec-Bot-Auth.
  • Verification: API security platforms and reverse proxies, such as Cloudflare itself, could then validate these signatures. This allows site owners to confidently identify the source of the bot traffic and apply appropriate policies—granting access to known, trusted bots while scrutinizing or blocking unknown automation.

Cloudflare's Web-Bot-Auth is a significant step towards making bot authentication explicit rather than relying on heuristic detection methods, which can be prone to errors. It’s a move towards a future where legitimate automated services can declare their identity transparently and securely for web-facing APIs. 

One critical requirement that is not explicitly addressed by the Cloudflare proposal is the need for this to be dynamic and easy to manage: it must be easy to immediately change your categorization of NHIs from “good” to “bad”, and vice versa, as the landscape and your business evolves. 

The Unique Challenge of Mobile API Security 

While Web-Bot-Auth offers a promising direction for web-based bot traffic, the mobile ecosystem presents a different set of challenges. Here, the primary concern isn't just distinguishing good web bots from bad ones, but ensuring that API requests truly originate from your genuine, untampered mobile app, and not from:

  • Malicious scripts or bots directly attacking your API endpoints.
  • Repackaged or modified versions of your app.
  • Your app runs on a compromised or emulated device.

This is where solutions focused on mobile app attestation become critical.

The Approov Solution: Shielding Your Mobile APIs from Unauthorized NHIs

Approov specializes in securing mobile API traffic by ensuring that your APIs are only accessed by genuine, untampered instances of your official mobile apps. This effectively cuts off automated threats trying to impersonate or exploit your mobile channel. Here’s how Approov tackles the NHI challenge specifically for mobile:

  1. Mobile App Attestation: The Core of Trust:  At the heart of Approov's defense is its powerful mobile app attestation capability. Before an API request even leaves the mobile device, Approov performs a deep, ongoing inspection of the app itself and the environment it's running in. This process verifies:
  • App Genuineness: Is this the official, unmodified version of your app?
  • Runtime Integrity: Is the app running in a safe environment, free from tampering, rootkits, debuggers, or malicious frameworks?

This attestation ensures that requests originate from a legitimate and healthy instance of your mobile app, not from a repackaged app, a script directly hitting your API, an emulator, or a compromised device.

  1. Dynamic, Short-Lived Tokens for Verified Mobile Requests: If the app and its runtime environment pass the attestation checks, Approov issues a short-lived cryptographic token (typically a JSON Web Token - JWT). This token is unique to that specific app instance and device check. The mobile app then automatically includes this token with every API request it makes to your backend servers. Crucially, the secret used to sign these tokens is not stored within the app itself, making it impossible for an attacker to extract it through reverse engineering and then mint their own valid tokens for use by scripts or bots trying to impersonate your app's API calls.
  2. Blocking Automated Attacks on Mobile APIs: No Token, No Entry:Your API backend is then configured to check for the presence and validity of this Approov token on every incoming request.
  • If a valid Approov token is present, the API processes the request as usual, confident that it came from a genuine mobile app instance.
  • If the token is missing, invalid, or expired, the API can immediately reject the request.

This mechanism effectively blocks requests from unauthorized NHIs like bots, scripts, and automated attack tools that cannot pass the initial mobile app attestation process and therefore cannot obtain a valid token to make requests as if they were your mobile app.

  1. Continuous Verification and Runtime Application Self-Protection (RASP):  Approov doesn't just perform a one-time check. It offers continuous monitoring and can react to changes in the app's runtime integrity. If a device becomes compromised after the initial attestation, token issuance can be halted, protecting the API. This provides a form of Runtime Application Self-Protection (RASP) specifically tailored for API access from mobile clients.
  2. Secure Communication Channel:  Approov also ensures that the communication between the app and the Approov service is securely pinned, preventing interception and manipulation of the attestation process.

Critically, all of this can be managed dynamically so that you can always be on top of which NHIs are allowed access and which are not.

A Combined View: Securing Web and Mobile Fronts

Approaches like Cloudflare's Web-Bot-Auth and Approov's mobile app attestation are not mutually exclusive; rather, they address different facets of the NHI threat landscape:

  • Cloudflare's Web-Bot-Auth (and similar initiatives): Primarily focus on identifying and managing known and unknown web bots accessing web resources and APIs. This is crucial for public-facing websites and web APIs that expect to be accessed by legitimate third-party automated services.
  • Approov: Focuses on ensuring that your specific mobile app is the entity making API calls, and that it's genuine and running in a safe environment. This is vital for protecting proprietary APIs that should only be accessed by your official mobile application, preventing any unauthorized script, bot, or tampered app from impersonating it.

In a comprehensive API security strategy, you might see Cloudflare (or similar WAF/bot management solutions) protecting your web frontends and APIs from general web-based bot traffic, while Approov specifically locks down API endpoints intended for exclusive use by your mobile apps.

Benefits of a Multi-Layered Approach including Approov

By implementing Approov for your mobile channels, organizations can:

  • Drastically reduce mobile API abuse: Block automated traffic from bots and scripts trying to exploit your mobile APIs.
  • Protect sensitive data: Ensure that only legitimate mobile app instances can access and transmit data via your mobile APIs.
  • Prevent credential stuffing and account takeover via mobile vectors: Make it exceptionally difficult for attackers to use stolen credentials through unauthorized automation posing as your app.
  • Maintain API service availability: Reduce the load and impact of denial-of-service attacks originating from NHIs targeting mobile API endpoints.
  • Gain clear visibility: Understand which mobile app versions are accessing your APIs and ensure their integrity.
  • "Shield Right" for Mobile: Complement existing "shift left" security practices with robust "shield right" protection for your production mobile apps and their backend APIs.

Conclusion: Don't Let Silent Threats Undermine Your APIs on Any Front

NHIs are an integral part of the modern digital ecosystem, but they also represent a significant and often underestimated threat vector for your APIs, whether they are web-facing or mobile-specific. Traditional security measures are frequently insufficient to counter these automated, stealthy attacks.

Initiatives like Cloudflare's Web-Bot-Auth signal a positive move away from flawed traditional approaches towards a more dynamic, consistent and effective identification of web bots. 

For the critical mobile channel, solutions like Approov provide an indispensable layer of defense by ensuring that API requests originate only from genuine, untampered instances of your mobile applications. Approov helps you unmask and neutralize the silent threat of malicious NHIs targeting your mobile APIs. By adopting robust, specialized solutions, businesses can protect their APIs, their data, and their users in an increasingly automated world.

Let’s stop guessing. We can authenticate every request so let's do it!

NHIs won’t go away. But with Approov, the bad ones simply don’t get in. It's easy to integrate Approov with any back-end security solution to take back control of NHI access.