Manual Chapter :
Working with Anti-Bot Mobile Application
SDK
Applies To:
Show VersionsBIG-IP ASM
- 17.0.0
Working with Anti-Bot Mobile Application
SDK
About anti-bot mobile
application SDK
You can configure the BIG-IP
system to detect traffic coming from known mobile applications and determine which of the
requests to allow to continue to your server application. The ability to distinguish mobile
application traffic from browser traffic is important because mobile applications do not usually
run JavaScript code coming from the server. Therefore, responding with JavaScript-based
challenges, such as Client Side Integrity and CAPTCHA, breaks the application. You can configure
the anti-bot mobile application SDK so the system does not respond to mobile application traffic
with those challenges (as it does to browser clients), but rather tests them for human activity.
Attackers can easily generate traffic that mimics the behavior of a mobile
app by setting the User-Agent string and sending HTTP requests that are similar to those sent by
authentic applications. Attackers might even log in as a valid registered user in those cases,
and perform automated tasks, such as content scraping and other web attacks, from their attacked
HTTP client tool.
You can reliably detect traffic from your mobile applications by using the
Anti-Bot Mobile Application SDK. The SDK authenticates your application with BIG-IP system security, something that tools emulating mobile
applications cannot do. See the
ASM Anti-Bot Mobile Application
SDK
for details on how to build your mobile application. See this Appdome article for details on integrating apps
with the F5 Anti-Bot Mobile SDK. This feature detects
only mobile applications running with the ASM® Anti-Bot
Mobile Application SDK.
Importing Android mobile application
publisher certificates
You identify Android mobile applications by the certificate used
to sign them. We do not trust the name of the application as this name can be
spoofed if the application was not installed from the Google Play store. If you want
to detect mobile applications running on Android devices, you first have to upload
the certificates of their publisher, the signing party. This certificate to used
for repackaging detection.
- Locate and open the .apk application file with an archive extractor.
- Extract the META-INF/APPDOME.RSA file.
- In the directory where you extracted the .RSA file, install the OpenSSL package (version 1.0 or later), if not already installed.
- Run the following commands:
- openssl pkcs7 -print_certs -inform der -in CERT.RSA -out cert.crt
- openssl x509 -inform pem -in /tmp/cert.crt -outform der -out /tmp/cert.der
- On the Main tab, click.The Import SSL Certificates and Keys screen opens.
- ForImport Type, selectCertificateand enter the certificate name.
- Select theCertificate Source, and either upload or copy and paste the cert.der certificate file.
- ClickImport.
Configuring a Bot Defense profile to detect mobile
applications
Before configuring your Bot Defense profile, you must
have first uploaded the publisher certificates that you will use in the Bot Defense
profile.
You can use an existing Bot Defense profile or create
a new one for use with your mobile application detection.
The
mobile application user does not see a CAPTCHA challenge and the mobile application
is not presented with the Client Side Integrity challenge. Client-Side Integrity and
CAPTCHA challenges used in other features such as Bot Defense mitigation, Web
Scraping prevention and Brute Force attack prevention will
not
be applied to mobile app traffic in order not
to block the application when they inevitably fail. However, to strengthen the
security in those features with mobile application clients, you can use a challenge
for human behavior as a replacement for those challenges. Use this challenge if most
of the requests sent by your mobile applications are preceded with some human
interaction, typically tapping the screen. This is especially important for the
login operation monitored by the Brute Force protection feature. It checks that the
request was indeed triggered by a human and not generated automatically. However, if
your mobile application might log in automatically without user intervention, you
should disable this option and select the Always passed option.When licensed, mobile application protection is enabled by
default when creating a Bot Defense profile. The mobile application default settings
are:
- iOS Application Packages: Allow Any
- iPhone Jailbroken Devices: Disallowed
- Android Application Publishers: Allow Any
- Android Rooted Devices: Disallowed
- Debugger Enabled Devices: Disallowed
- CAPTCHAT Substitute for Mobile Applications: No Challenge
- Emulators: Disallowed
- On the Main tab, click.The Bot Defense Profiles screen opens, where you can create a new profile (step 2) or use an existing profile (step 3).
- To create a new Bot Defense profile:
- ClickCreate.The Create New Bot Profile screen opens.
- Type aNameandDescription.
- ClickSave.The Bot Defense Profiles screen opens.
- Click the name of the profile you just created, and go to step 4.
- To use an existing profile, click the name of the Bot Defense profile you want to use.The Bot Profile Properties screen opens.
- On the left, clickMobile Applications.
- In the Mobile Applications area, clickOnif it is not already on.
- iOS Application Packages:
- Allow Any: If you want to detect authentic mobile application traffic without checking which application sent the request.
- Custom: Enter the mobile application package names individually that you allow access to your server application and clickAdd.Mobile applications are identified by their package names (also known as Bundle IDs), for example,com.f5.app1.
- iPhone Jailbroken Devices: ClickAllowedto allow requests from jailbroken devices. This isnotrecommended because it allows unchecked applications with spoofed identities in the system.
- Android Application Publisher:
- Allow Any: If you want to detect authentic mobile application traffic without checking which application sent the request.
- Custom: Assign the mobile application publisher certificates that are allowed access to your server application by moving them to theAssigned publisher certificatelist. The uploaded certificate names appear in theAvailable publisher certificatelist but not all certificates on the list belong to mobile application publishers.
- Android Rooted Devices:
- Disallowed: Prohibits requests from rooted devices. This is the recommended setting.
- Allowed: Allows requests from rooted devices. This isnotrecommended because rooted devices can allow attackers to hijack sessions of mobile applications for a limited time.
- Debugger Enabled Devices:
- Disallowed: Prohibits traffic that passes through an external debugger.
- Allowed: Allows traffic from devices where the mobile application is attached to an external debugger. Debuggers may tamper with the functionality of the SDK and present a risk.
- CAPTCHA Substitute for Mobile Applications:
- No Challenge: The traffic is passed without incident.
- Human Behavior Challenge: When a CAPTCHA or Client Side Integrity challenge needs to be presented, the SDK checks for human interactions with the screen in the last few seconds. If none are detected, the traffic is blocked.
- Emulators:
- Disallowed: If your mobile application is in production.
- Allowed: If your mobile application is in testing phase.Use this option with care because emulators can be abused to create automated attacks on your server application.
- Allowed Application Signatures: This option is for working with mobile applications which were not built with the Anti-Bot Mobile SDK. This relies on analyzing the User-Agent header field only, which can be easily spoofed, and should be used with care. Select one or more applications from the list to allow or selectCreate Signatureto create a new application signature.
- ClickSaveto save the profile configuration.
- On the Main tab, click.
- Click the name of the virtual server to attach the Bot Defense profile to.
- Selectfrom the virtual server submenu.The Policy Settings screen opens.
- In theBot Defense Profile, select Enabled and select the desired Bot Defense Profile from the list.
- InLog Profile, add the local Bot Defense profile toSelected.
- ClickUpdateto update the profile.
Mobile application traffic
Mobile application requests are logged in Bot Defense logs, and also in
the Application (ASM) request log if an ASM®
policy is configured. A typical use case for logs is troubleshooting requests that were
accidentally blocked or passed. In Bot Defense request logs, you can see the action taken
for that request, and also see the attributes of the mobile applications such as the
application display name, version, or whether it was from a jailbroken or rooted device.
This way you can track the reason for blocking an application. For example, if the request
was blocked because it did not match any of the allowed application package names or
publishers, you see the actual application's display name and the reason,
Mobile application does not match profile
criteria
.Setting up mobile application request
logs
You can monitor the traffic coming
from mobile applications that use the mobile application SDK in the logs and in the
charts.
- On the Main tab, click.
- Select the name of an existing profile and go to step 4, or clickCreateto create a new profile.
- If you create a new profile, on the Create New Logging Profile screen:
- Enter aProfile Nameand optionalDescription.
- ClickFinished.
- On the Logging Profiles screen, click the name of the profile you created.
- On the Edit Logging Profile screen, enableBot Defense.The screen displays the Bot Defense area.
- EnableLocal Publisher.
- Optional: Select aRemote Publisherfor your remote logging system such as Splunk.
- Enable the types of requests to see in the logs, most typicallyLog Illegal Requests.
- ClickUpdateto save the logging profile properties.
- On the Main tab, click.
- Select the virtual serve to attach the login profile to.
- Selectfrom the virtual server submenu.The Policy Settings screen opens.
- InLog Profile, add the Bot Defense profile toSelected.
- ClickUpdateto update the profile.
- Run mobile application traffic to generate logs.
- On the Main tab, click.Mobile application requests have Client Type set asMobile Application. Scroll very far to the right to see the Client Type column. You can filter the requests by this criterion.
- If you deploy an ASM policy for your application, on the Main tab, click.Just as in the Bot Defense log, requests coming from mobile applications can be filtered by their Client Type.The same request logged in both Bot Defense and Applications Requests logs will have the same Support ID, so its records can be correlated.
An interesting use case is to track requests that were blocked because no human
behavior was found in Web Scraping or Brute Force features, although the Challenge
for Human Behavior option was selected when client side challenges were required.
Once you realize that the request was blocked in the ASM
Application log, you can look for the matching entry of the same request in the Bot
Defense log. You can do this by searching the same Support ID in that log. Observe
the Human Behavior Indication attribute in the log: if it was not Human Detected,
then the request was blocked because no tap screen event was recorded prior to the
request.
Viewing mobile application traffic
statistics charts
You can get important insights about the traffic accessing your
server
applications,
and specifically traffic coming from mobile applications, by looking at the bot
traffic statistics. You can see how much of the traffic came from mobile
applications at any time in the selected time period. You can also narrow the chart
to specific applications by selecting a specific virtual server.
- On the Main tab, click.The Bot Traffic statistics screen opens with all virtual server traffic displayed by default.
- At the top of the Virtual Servers pane, select a specific virtual server whose traffic you want to investigate or leave all virtual server traffic statistics displayed.
- Select the traffic time period.
A doughnut graph displays the total amount of traffic with the percent of traffic by
class, including the Mobile Application class.