We're Hiring!

What are Bot Attacks?

Group of metal robots

In this day and age, it's more important than ever to make sure your mobile app - and the APIs it uses - are well-protected against bot attacks. Bot attacks can come in many forms, from web content scraping to form submission abuse, and they can wreak havoc on your app if you're not careful. Bot attacks can be used for various purposes, for example launching distributed denial-of-service (DDoS) attacks, stealing sensitive personal or business information, or committing fraud. 

How Attackers Execute Bot Attacks?

Bot attacks are usually carried out by botnets, which are networks of infected computers controlled by a central authority, or by scripts. The computers in a botnet are known as bots or zombies. Attackers will use botnets to carry out various tasks, such as sending spam emails or launching DDoS attacks. 

According to the Spamhaus Botnet Threat update for Q2, 2022 botnet problems reduced slightly by 11%, but they were still 3,141 botnet command and control (botnet C&C) servers identified during the survey period. 

Spamhaus table showing percentage change in botnetsSource: Spamhaus.com

Alternatively, bot traffic may come from simple scripts which do not require a botnet to be effective. The objective of scripted attacks is to impersonate a genuine source of API traffic, for example a web page or a mobile app. In such cases, the script is a smart and easy way to create a flexible access point into the backend infrastructure, services and data.

Types of Data Attackers Target 

Attackers can target many different types of data with bot attacks. Some of the most common types of data include: 

  • Web Content or API Data Scraping: This involves using bots to extract content from websites automatically. Attackers will use web content scraping for various purposes, such as stealing competitive intelligence or scraping content for use in other malicious activities. 
  • Account Takeover (ATO): This attack occurs when an attacker uses stolen login credentials to take over a victim's account. Once the attacker has taken over the account, they can do anything the legitimate user could do, including changing the password, accessing sensitive data, and making unauthorized transactions. 
  • Form Submission Abuse: This happens when an attacker uses a bot to submit false or malicious data through online forms. Cybercriminals can use it for various purposes, such as submitting spam comments on blogs or fake reviews on business listings. 
  • API Abuse: This attack occurs when an attacker makes unauthorized requests to a backend server or service via an application programming interface (API). Attackers can leverage API abuse to launch DDoS attacks or steal sensitive data like passwords and financial information. 

How to Protect Mobile Apps from Bot Attacks 

Mobile apps and the APIs that service them are some of the most difficult parts of your business to protect. Your mobile apps can be downloaded by anyone and once downloaded they may reverse engineer, study, modify or manipulate your app to suit their purposes. Since important business logic is contained within your mobile code, alongside required credentials such as API keys, your mobile app truly is a treasure trove of data for attackers. As a result, you must deploy specialist mobile app and API security techniques.

One way that you can protect your mobile apps and the API that service it is to use Approov Mobile App Protection. Approov protects mobile apps from being bypassed by using a remote attestation approach, where the running app must prove itself to be genuine through a sequence of integrity measurements. These results are then sent to the Approov cloud service using a patented challenge-response protocol, immune from replay attacks. The Approov cloud then decides if the request has come from a genuine instance of your mobile app running on a safe mobile device. If integrity is verified, the running app is issued with a short-lived cryptographic token that it can use to prove its authenticity to its backend API services. The app does not make its own decisions about integrity and cannot sign its own tokens. Defense is moved out of the attacker’s reach and into the Approov cloud.

Sign up for a free 30-day trial of Approov Mobile App Protection to keep your mobile business safe from bot attacks.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.