If you run a resale or eCommerce marketplace, your mobile app is more than a shopping experience: it’s the front door to your pricing, listings, inventory, and demand signals. These are the core value drivers of your business. Now more than ever, those signals are exactly what AI-driven scraping operations want.
Not because they’re curious. Because scraping has become cheap, automated, and more available than ever thanks to AI.
The harms of app scraping are numerous. AI bots can extract your listings to train competitor models, monitor price movements in real time, copy your catalog into knockoffs, or automate “at-scale” abuse like promo exploitation and account testing.
And the part that surprises a lot of app builders and business owners is this:
Even if your users are authenticated, your API may still be trusting the wrong source.
A widely-cited “trust gap” in mobile security is that APIs often can’t tell whether a request is coming from your real app or from an imitation client — “an API cannot verify the source of the request; it simply executes it.”
That’s the problem app attestation is built to solve.
Why AI Scraping is Hitting Marketplaces First
Marketplace and retail apps tend to have a perfect storm of “scrape-worthy” data:
- Fast-changing listings (new arrivals, sell-through, scarcity)
- Inventory + availability signals (what’s in stock, where, and when it drops)
- Price intelligence (discount cadence, dynamic pricing, reseller pricing)
- Search relevance and ranking (what converts, what trends, what’s boosted)
- High-volume endpoints that are hard to lock down without hurting real users
At the same time, bot operators have become better at looking legitimate. They don’t always come in as obvious scripts anymore. They can run automation at scale, mimic user behavior, and “blend in” with traffic patterns — which is why mobile API abuse is so persistent.
This isn’t just a nuisance. It can lead to outcomes that directly hit revenue and operations: data exposure, account takeover attempts, fraud, and disruption of service.
“But We Have Login, Rate Limits, and a WAF…”
You should absolutely have those controls — but they’re not designed to answer the specific question AI scraping exploits:
Is This Request Truly Coming from My Official Mobile App?
Attackers can:
- imitate your app’s network calls
- replay requests from a headless client
- run modified (“tampered”) versions of your app
- scale automation through farms of devices/emulators
And because many marketplace APIs are built for speed and scale, they often respond as long as the request looks “valid enough.”
This is exactly why the industry increasingly frames mobile security around verifying trust from the source of the API call before granting access.
App Attestation (Explained for Non-Security Folks)
Think of app attestation like this:
Your app proves it is genuine before your API responds.
With app attestation, each API request carries a cryptographically protected “proof” that the request came from:
- your official app
- unmodified
- running in acceptable conditions
Industry descriptions of attestation are straightforward: it’s a way to verify that a request is coming from a genuine, unmodified instance of your app — not a bot, compromised device, or modified client.
And the key detail: the server (not the client) makes the trust decision using a short-lived token.
How Approov Helps Retail & eCommerce Marketplaces Prevent Scraping
Approov is built to lock down your mobile APIs by having your app attach an industry-standard signed token to requests — a JWT (JSON Web Token) — so the backend can verify that calls are coming from trusted versions of your mobile app.
What That Means in Practical Business Terms
When you put Approov in front of your marketplace APIs, you can ensure that:
- Real app traffic flows normally
- Imitation clients get blocked (before they extract your data)
- Bot farms don’t get “free API access” just because they can mimic requests
Approov’s positioning is explicit: it’s designed to guarantee the authenticity of requests to your backend services using signed JWTs.
Why This Matters Specifically for Marketplaces
For retail/ecommerce apps, the endpoints that typically matter most include:
- search
- listing details
- inventory availability
- pricing/fees/shipping calculators
- checkout and payment-related operations
Industry research and reporting consistently show these types of endpoints are heavily targeted (data access, payment/checkout operations, and authentication).
The Extra Layer Most Teams Miss: Your Secrets and Third-Party APIs
Scraping and automation aren’t only about reading your listings. They often go after what your app can access:
- third-party APIs (shipping rates, address validation, fraud tooling, payments)
- marketplace partner integrations
- internal service keys or tokens embedded in the app
Approov Runtime Secrets is designed to remove API keys and other secrets from the app package entirely, and instead deliver them securely to valid app instances at runtime.
For marketplaces, that’s huge. It reduces the chance that someone can extract your keys from the app and use them to run high-volume calls from outside your app.
“What If Someone Intercepts Traffic?” (MitM and Network Replay)
AI scraping operations don’t always “scrape the UI.” They frequently go after APIs by observing traffic patterns and replaying requests.
Approov also offers Dynamic Certificate Pinning, which is designed to ensure your app only communicates with trusted servers and to protect against Man-in-the-Middle (MitM) interception — with the operational advantage of dynamic updates (so you don’t need an app release just to update pins).
What Rollout Can Look Like (Without a Big-Bang Release)
The fastest way to adopt app attestation in a marketplace environment is typically:
- Start with your highest-value endpoints (search, listing details, pricing/inventory).
- Monitor first, then move to blocking once you’re confident coverage is complete.
- Ensure your backend verification is implemented correctly and safely (Approov publishes a go-live checklist for “blocking mode”).
One small but important operational note from Approov’s guidance: never hardcode token secrets in code — use proper secret management.
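To make the server-side trust decision and the monitor-then-block rollout concrete, here is an added example of how a backend can verify a short-lived signed JWT on each request. It is illustration code written for this post, not Approov’s SDK or verification library, and it assumes a generic HS256 token with an `exp` claim: the secret name `ATTESTATION_SECRET`, the claim set, and the `mint_token` helper (which exists only so the example has tokens to check; in practice the attestation service mints them) are all assumptions. The verification secret is read from the environment rather than hard-coded, and `handle_request` shows the difference between monitor mode (verdict recorded, request still served) and blocking mode (invalid or missing tokens rejected).

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Assumption for this example: the verification secret comes from the
# environment (or a secret manager), never from source code. The fallback
# value is a constructed placeholder so the file runs stand-alone.
SECRET = os.environ.get("ATTESTATION_SECRET", "example-only-not-a-real-secret").encode()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a JWT for the example only. In a real deployment the attestation
    service mints tokens after checking the app; the backend only verifies."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). The server decides: structure, pinned algorithm,
    HMAC signature and expiry are all checked before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable"
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "alg-not-allowed"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad-signature"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    return True, "ok"


def handle_request(token: Optional[str], blocking: bool, secret: bytes = SECRET,
                   now: Optional[float] = None) -> dict:
    """Monitor mode (blocking=False) records the verdict but still serves the
    request; blocking mode rejects anything that does not verify."""
    ok, reason = (False, "missing") if token is None else verify_token(token, secret, now)
    if ok:
        return {"status": 200, "verdict": "ok"}
    if blocking:
        return {"status": 401, "verdict": reason}
    return {"status": 200, "verdict": reason, "mode": "monitor"}


if __name__ == "__main__":
    tok = mint_token({"exp": int(time.time()) + 300}, SECRET)
    print(handle_request(tok, blocking=True))        # genuine token served
    print(handle_request(tok + "x", blocking=False))  # tampered, logged in monitor mode
```

The design points worth carrying into a real deployment are the same ones the rollout steps above call for: the algorithm is fixed by the server rather than read from the token, the signature is compared in constant time, expiry is enforced so a captured token cannot be replayed indefinitely, and the monitor verdicts give you the coverage data you need before switching `blocking=True`.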
Signs Your Marketplace App is Already Being Scraped by AI Automation
If you’re not sure whether you’re a target, these are common “quiet indicators”:
- sudden spikes in listing/detail endpoint calls that don’t match session behavior
- unusual geographic distribution for “browsing” traffic
- repeated requests for the same seller/category combos
- price-check patterns at exact intervals
- higher-than-expected infrastructure costs without corresponding GMV growth
- competitors mirroring pricing or inventory moves suspiciously quickly
If any of that sounds familiar, it’s worth reassessing whether your backend currently has any way to confirm the request is truly coming from your app.
FAQ
“Is App Attestation Only for Highly Regulated Industries?”
No. Marketplaces often have high-value data and high-volume APIs, which makes them attractive to automation even without regulatory pressure.
“We Already Have Bot Protection — Isn’t that Enough?”
Bot tools are valuable, but they usually work best when they can rely on a strong signal of “this is a real app.” App attestation provides that signal by verifying app authenticity before your backend responds.
“Will This Break Real Users?”
It shouldn’t — when rolled out carefully. That’s why teams commonly start in monitor/bypass mode and follow a go-live checklist before blocking invalid tokens.
“Does This Only Protect Our Own APIs?”
Approov’s API protection messaging also includes protecting the third-party APIs your app uses, especially when paired with runtime-delivered secrets.
Natalie Novick
Natalie Novick is a technical product marketing manager at Approov. A technologist and strategist with deep roots in the European tech ecosystem, her experience bridges emerging technology trends and community building across global innovation networks.
