We're Hiring!

What is a Bot Manager?

Group of red toy robots

In the world of mobile app development, it's essential to be aware of the latest security threats. Unfortunately, bot attacks are among the most common and dangerous security threats. For example, the Chamois botnet once infected over 20 million Android devices - serving malicious ads and directing users to premium SMS scams.

schematic representation of mobile hack

Source: tutorialspoint.com

A bot manager is a tool that helps developers and DevOps team members to protect their platform against bot attacks. Bot management tools identify and block bots trying to access your backend systems; distinguishing between good bots and bad bots as well as between automated and human interactions. 

What Does a Bot Manager Do? 

In a nutshell, they help to keep the internet safe and running smoothly by controlling the bots that crawl across it. By identifying which bots are good and which are bad, they can block their activities accordingly. For example, in a web context good bots are allowed access to certain content and resources, while bad bots are denied access and may even be served alternative content.

Like search engine crawlers, good bots help us access information quickly and efficiently. Bad bots, on the other hand, can be used for everything from data scraping to DDoS attacks. 

A good bot manager should be able to identify bots vs. human visitors, identify bot reputation, and add good bots to allowlists. They should also be able to challenge prospective bots with a CAPTCHA test or other techniques, limit any potential bot's excessive use of a service, and deny access to specific information or resources for malicious bots.

Protecting mobile first or mobile centric businesses - where the mobile app is the main touchpoint for end users - is the most difficult scenario to secure because mobile apps can be downloaded and reverse engineered by anyone.

What Types of Bot Attacks Does Mobile Bot Management Mitigate? 

Bot management solutions are designed to protect mobile apps from various automated attacks. Perhaps the most well-known type of bot attack is the distributed denial-of-service (DDoS) attack, in which a backend platform is overwhelmed with traffic from many bots to bring it down. 

However, cybercriminals can also use bots to launch simpler denial-of-service (DoS) attacks, in which a single bot pings an app repeatedly to slow it down or crash it. This is particularly relevant for mobile apps that use 3rd party services which are accessed directly from the app code; a single bot can overwhelm a 3rd party service, potentially causing that 3rd party service not to respond which in turn might cause the mobile app to become unresponsive.

Credential stuffing is another type of bot attack that involves using stolen usernames and passwords to gain unauthorized access to accounts. Credential stuffing may also be used to steal payment card numbers or other personal information.

These attacks are particularly difficult to defend against because they operate at low frequencies, usually passing under the radar of traditional security mechanisms.

How Does Approov Mobile Protection Protect Against Bots? 

The traditional approach to app security incorporates all of the threat detection code into the app itself, which runs in an attacker-controlled setting. Even if the detection code is well protected, it relies on the application making a local assessment of its own integrity, which provides an obvious point of vulnerability that attackers frequently target. Also, by focusing the defense strategy on the app itself, the APIs that service the mobile app are vulnerable to attack directly by automated bots and scripts.

Approov covers both the mobile app and APIs. The app must pass a series of dynamic integrity checks to be authenticated by Approov's attestation service. These findings are then transmitted to the Approov cloud using a proprietary challenge-response mechanism that is resistant to replay attacks. The Approov cloud determines the outcome.

After integrity is verified, the app in question is given a short-lived cryptographic token to show its authenticity to backend API services. This way, the app cannot make its own decisions about its integrity; the defense moves out of the attacker's reach and into the Approov cloud.

To see Approov in action, sign up for a live demo


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.