Delivers 400+ Defenses in a single MobileBOT™ Protection Profile to Turn Web Application Firewalls into Fraud-Fighting Machines
Appdome, the leader in protecting mobile businesses, today announced at RSAC 2025 that its AI-Native
MobileBOT™ Defense solution now offers the most comprehensive mobile bot defense profile on the market. Capable of evaluating 400+ attack vectors in Android & iOS apps, OSs, devices, user interfaces and networks, Appdome’s new MobileBOT™ defense profile allows network security teams to not only stop brute force bot and credential stuffing attacks but also stop hyper targeted, spear phishing, account takeover (ATO), KYC fraud, on-device fraud (ODF), and deepfake threats in real time across account creation, login, password reset, payment and other critical API endpoints.
“Up until now, mobile bot defense has been about trying to stop brute force bot and credential stuffing attacks and inspecting the mobile device for 2-3 threat signals,” said Tom Tovar, co-creator and CEO of Appdome. “This isn’t enough. Mobile brands need to stop brute force attacks, for sure, but they also evaluate mobile device, OS, application, user interface and network level threats before allowing anyone to connect to their APIs.”
AI Has Changed Bot Defense Forever
Modern bot attacks aren’t contained to brute force bot and credential stuffing attacks launched from bot farms, automated scripts and similar attack vectors. Today, bot attacks can also include hyper-targeted ATO attacks that use AI-generated deepfake images, face cloning, liveness spoofing, and mobile Trojans to bypass biometric checks of specific users. These attacks can also be combined with client-side malware to intercept OTPs, complete Captcha challenges, hijack sessions, and exploit sensitive app flows like login, payment, and password reset. Some bot attacks weaponize the mobile app itself—evading traditional anti-bot defenses and putting user trust, compliance, and revenue at risk.
AI-Native Bot Defense is the Future
Appdome’s AI-Native MobileBOT™ Defense redefines mobile bot protection by providing multi-layered defense built for Android & iOS environments. While legacy bot defense SDKs aren’t protected in the app, use vulnerable cookies or JWTs to identify apps, and monitor only a few basic threat indicators such as emulators and jailbreak/root, Appdome’s MobileBOT™ Defense provides application-level rate limiting to eliminate the risk of weaponized and zombie applications, immutable application fingerprinting using secured client certificates to stop brute force attacks, and provides deep session risk, evaluating up to 400 configurable attack vectors in a single bot defense profile. With Appdome MobileBOT™ Defense, network security teams can stop brute force attacks and scan the mobile environment for any sign of deepfakes, social engineering scams, voice cloning, trojan attacks, vishing, remote access trojans (RATs), mobile device takeovers, and more before allowing a connection.
“Your bot defense strategy has to take AI into consideration,” said Gil Hartman, founding engineer and Field CTO of Appdome. “Brute force bot and credential stuffing attacks are one way the attacker guesses the user name and password of the victim. With AI, guessing gets really easy, really fast and your network and API defense have to be able to repel more sophisticated ATO threats.”
Tailored Profiles Stop Targeted ATO Attacks
Using a single MobileBOT™ Defense Profile, mobile brands and enterprises can evaluate up to 400+ attack vectors before allowing connections to any API, endpoint, or host. More importantly, network security teams can create separate defense profiles to address the specific threats applicable to each API. For example, network security professionals can evaluate different threats in each bot defense profile for:
Sign Up & Onboarding APIs - Detect the presence of fake users and devices signing up to your service including fake taps, clicks, swipes, gestures as well as fake location and devices.
Sign In & Password Reset APIs - Detect the presence of spyware such as keyloggers, overlay attacks, and activity monitoring, as well as ATO risk from deepfakes, ATS Malware and more.
Payment APIs – Detect the presence of data harvesting and trojan malware, MiTM attacks, session hijacks, OS compromises, vishing, social engineering scams and more.
“Tailored threat evaluation per API or host across 400+ threat vectors is huge,” said a leading industry analyst. “This level of deep inspection per API allows network security professionals to turn any Web Application Firewall into Mobile Fraud Fighting machine and get so much more out of their WAFs.”
Layered Defense to Stop All Mobile Bot Attacks
Appdome’s MobileBOT™ Defense solution is the only anti-bot solution purpose built for mobile applications, mobile environments and mobile businesses. Every feature of MobileBOT Defense is designed to address the unique computing environment, threat vectors and operating requirements of the mobile channel. Here are just some of the key elements of MobileBOT Defense by Appdome:
App-Level Rate Limiting – Leverages the compute on the mobile device to throttle API requests coming from “noisy,” malware controlled or zombie mobile apps.
Application Fingerprinting – MTLS Pre-Check authenticates the real app during the TLS handshake, allowing network security teams to deny API requests from bot farms, bot scripts and fake applications.
Extended Bot Defense Profiles – Evaluate session risk across up to 400+ separate threat vectors in mobile devices, OS, applications, user interface and networks to stop targeted ATOs, KYC Fraud and On-Device Fraud on a per API basis.
Pin to Host – Uses Appdome’s secure certificate pinning to validate the authenticity of servers your application is connecting to per API.
Dynamic API Updates - Remotely update protected hosts and endpoints without a new app release.
Zero-Trust and Dynamic Threat Evaluation – Allows network security professionals to control when threat evaluations are performed.
Hardened Implementation in Apps – Delivers tamper-proof anti-bot implementation in Android & iOS apps, free of spoofing, interception and compromise.
All Mobile App Compatibility – Works seamlessly with any Android or iOS app.
No-SDK, No Server Delivery - Eliminates integration work and infrastructure overhead, accelerating deployment and eliminating engineering work.
All Web Application Firewall Compatibility – Compatible with all industry standard WAFs; no change outs required.
“To protect Mobile APIs from bot and ATO attacks, you need a bot defense product that is purpose-built for the unique threats and challenges of your mobile app and business,” said Chris Roeckl, Chief Product Officer at Appdome. “You also need an anti-bot solution that works with all the Web Application Firewalls you have today and tomorrow, otherwise it just doesn’t work.”
With the MobileBOT release, Appdome now offers full flexibility for mixing and matching where and how to enforce mobile app protections. Mobile businesses can enforce these protections at the client app level, network layer, or a combination of both. Whether stopping brute force bots or user-level targeted fraud, Appdome’s layered defense model ensures optimal protection and performance.
Appdome’s MobileBOT Defense requires no SDKs, no servers, and no changes to existing WAF infrastructure, bypassing the limitations, complexity and cost of traditional anti-bot products. By working with any WAF, businesses can preserve and extend their WAF investments and, with client-side rate limiting, can dramatically lower data processing costs.
Appdome is demonstrating the AI-Native MobileBOT Defense solution and the full Appdome AI-Native Platform at RSAC in San Francisco at booth
South-0948.
.
