Creating a Human, Bot-Free Social Engagement Platform

Nimses is a worldwide system which rewards users equally based on how long they have been members of the network. When a person registers an account, each minute of their life turns into a single Nim, a unique and indestructible unit of digital currency. These can then be traded for online entertainment or offline goods and services. One can manage their personal "wallet", "account", or more accurately, Nimb through the free, location-based Nimses App.

The social networks we're all used to eat up the time we spend on them and transform it into advertising revenue. Nimses takes every minute of every registered user's time (whether or not they've been on the app during it), and returns it to them in the form of a nim. A like on Nimses means you’re spending some measurable amount of your life on that user, who's hopefully made a bit of yours better. It's not any different from reality, really - it just tells it as it is. So we get to choose wisely.

They call it "The Absolute Capital" - and it is indeed the only true measurement of human value we will ever have. And where you count on human value, you can't have bots.

Success Can Get You Noticed - By the Bad Guys Too

With the Nimses beta launch in June 2017, the platform gained 2 million users in 2 weeks. And as we see time and again, when a platform gets successful, there's always someone close behind trying to spoil the fun for everyone. In this case there were early signs that fake accounts and bots were being set up to generate nims that didn't represent anybody's time, threatening to devalue nims for everybody else.

That's when we got the email from Nimses. We spoke to Andrii Sirchenko and Yegor Okhotnikov at Nimses to hear about their experience.

"When the Nimses platform launched, the growth of new users was very rapid, exactly as we hoped. However, we soon began to see a few automated attacks against our API which threatened to pollute our environment and negatively impact our users' experience," Andrii told us. Despite robust verification mechanisms and active detection of suspicious activity, Nimses were worried about their ability to contain misuse of their platform. As a result they wanted to find a solution to prevent the automated registration of fake accounts by bots. The danger was that these fake accounts could then be sold in bulk to those who wanted to pollute the experience for legitimate users in various ways or simply wanted to collect Nimbs for multiple accounts, devaluing the entire concept.

"Our backend API was not secured, and we realized that this could lead to high amounts of scripting. Tens of thousands of bot accounts could have been created, and they might generate tons of spamming activity."

The mission of Nimses is to give every human being access to universal basic income based on the time of their life. As Yegor puts it, "It is mission-critical for our service to ensure that one person has a single account, and securing our API was a first step in achieving this goal." Nimses needed to ensure that only genuine users could access the platform.

Approov allowed Nimses to prevent automated abuse of their platform thanks to its ability to authenticate only legitimate apps to their API.

A rapid solution was of great importance to Nimses to ensure that the fledgling bot issue did not spiral out of control and overwhelm their platform. This was achieved by integrating Approov's SDK into their app and implementing a simple, industry-standard token check mechanism for the API back-end server to process. In the words of Andrii, "Approov provided a near immediate solution out of the box, which helped us to secure the API. The simplicity of Approov’s integration meant that we went from initial contact with CriticalBlue to a deployed solution in only 8 days."

Approov ensured that only the Nimses app could be used to create and interact with user accounts, immediately preventing direct API abuse by scripts.

The bad guys though, are as smart as they are determined; the early scripting activities were blocked but then we saw what looked like tests of mimicking human behavior through automated UI events via the real app. However, Approov reports when app instances are running on emulators and once emulator blocking was switched on, the tests stopped.

"Approov provided a near immediate solution out of the box ... we went from initial contact with CriticalBlue to a deployed solution in only 8 days."  
— Andrii Sirchenko  

By providing a basis for trust in the client along with additional information about the device, Nimses have since further enhanced their existing account registration and usage monitoring capabilities to become far more effective at blocking more sophisticated automation attacks emanating from the app running on real devices. According to Yegor,

"Ease of integration and Time-to-Market were key drivers for us to make the decision to adopt Approov. We looked at addressing it in-house but evaluated that focusing on developing core features of our platform would be a much better use of our limited internal resources."

In the words of Andrii, "Of course, there is no magic pill for full system security. But now that Approov is in place we like to think we've built a comprehensive package for securing mobile APIs. We were somewhat sceptical in the beginning, but results were very good."

Yegor added: "We believe the problem is solved since our fraud monitoring activities do not find successful attacks anymore."

Nimses are now well on their way to establishing the Nim as a well-recognised, widely usable currency, with more physical spaces accepting it as payment for goods and services ranging from meals, coffee and flowers, to entrance fees for art galleries and haircuts.

After an initial launch in Russia and Ukraine, Nimses is currently planning their worldwide launch. They have now gained the trust of more merchants than ever before, and reached a larger-than-ever satisfied user base. In the near future they will be launching a blockchain and exchange, so that everyone will be able to buy or sell nims. Long term plans are to cover all regions worldwide and create a full-cycle ecosystem based on the nim that will satisfy users, business and local communities.

So now that we have the Nimses guys here answering questions, we can't help but ask them: how have you benefited from using Approov?

  • Using Approov helped us to move resources to feature development and not spend time on fighting fraud.
  • We wouldn't surprise anyone if we said that these battles against the bad guys conflict with the genuine user requests we are getting in the meantime for features, better scalability, and continual improvements to the core platform. This is the problem we try to address with Approov - moving security away from its classic role as an afterthought that's difficult to pay attention to when so much else is always going on.
  • Additionally, it is worth mentioning that Approov tech team support was very helpful and aimed at resolving our needs and making the overall solution mature.

Awww. Thanks guys.

For our part, what we love about working with Nimses is their responsiveness. Things happen quickly over there; the tech team makes sure their software is robust and secure, they use the cutting edge of technology, and they know what they're doing. They don't hold back on the feedback either:

"The process of upgrade is smooth, however we would like to have more insights in stats/reports covering app version, Approov library version, fail rate, available through some sort of admin console. So far it is not possible."

We're working on it. We provide detailed stats around emulators, rooted/jailbroken devices, instrumentation frameworks, and we are working on providing finer grained data. In the meantime, what (if anything!) have you learned from working with CriticalBlue, if we may ask? Yegor makes us happy with his answers:

  1. API security matters :)
  2. API security is a bit more complex than it appears
  3. Attackers are smart (very smart)
  4. Even a small break can lead to huge problems (as we had a non-obvious problem with SSL pinning, which we were able to resolve with the help of CriticalBlue).

Finally, we'd like to leave you with Nimses' words of advice for other businesses facing similar challenges as they did:

"Think of security as the key to success. Plan security-forward."
