Appdome launches identity-first mobile API protection
Appdome has launched Identity-First Mobile API Protection, expanding its MobileBOT Defence offering.
The release adds six upgrades intended to change how mobile API requests are assessed before access is granted. Instead of relying mainly on web application firewall heuristics, cookies and behavioural scoring, the system adds app identity, device context, location, session trust and runtime risk checks to API authorisation.
Mobile APIs have become a growing target for bot abuse, account takeover attempts and credential theft, as attackers use automated tools and modified apps to mimic legitimate traffic. Appdome argues that traditional bot controls, which often depend on network behaviour and cloud-side analysis, are no longer enough when attackers can reuse session cookies or run manipulated apps in automated environments.
"New technologies, especially AI, have radically expanded the API Attack Surface," said Tom Tovar, Chief Executive Officer and Co-Founder of Appdome. "Bot farms still exist, but the biggest risk now comes from fake, spoofed, and deeply compromised mobile applications, devices, locations, and users. Identity-First Mobile API Protection shifts the model from inferring legitimacy to proving it - requiring trusted application and device identity before sensitive APIs respond."
Identity Checks
The revised MobileBOT product is built around three layers of verification: the app, the device and the session. For app identity, each API request can carry a client certificate during the TLS handshake, an application identifier based on the app signature and bundle ID, and a checksum attestation showing whether the app has been modified.
This is designed to help API gateways and firewalls determine whether a request comes from a recognised version of an app before allowing a connection. Requests that cannot present a valid application identity can be blocked at that stage.
For device identity, MobileBOT now passes device attributes such as manufacturer, model, operating system and version with each request, alongside GPS location captured within the app runtime rather than inferred from IP address data. It also sends risk indicators tied to compromised devices and sessions, including root or jailbreak status, emulators, simulators, debuggers and man-in-the-middle attempts.
Additional signals cover more advanced threats, including Magisk, KernelSU, Frida, LSPosed, ADB abuse, virtualisation, auto-clickers and stealth tools. The product can also flag fraud-related indicators such as deepfakes, social engineering, location spoofing, trojans and spyware.
"It's the first time anyone has used mobile application and device identity to stop bots and API attacks," said Avi Yehuda, Co-Creator and Chief Technology Officer at Appdome. "Before, a network used a single authorization token or cookie to grant access. Now, they have a multi-layered identity scheme that guarantees legitimacy before granting API Access. That's a tectonic shift in how networks protect APIs."
Session Controls
Appdome also introduced what it describes as a dynamic session fingerprint. It says this gives businesses control over how long a session remains valid and lets them change rate limits, rotate client certificates or alter hosts and APIs through remote configuration or at build time.
The aim is to reduce replay attacks, scripted automation and credential-stuffing attempts by limiting the useful life of session data and adding more checks to each connection request. Appdome says the data is protected at rest and in transit, with in-transit protection based on modern TLS with ECDHE-based forward secrecy.
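To make the layered check described under "Identity Checks" and "Session Controls" concrete, here is an added example of the kind of gateway-side authorisation policy such signals feed into. It is not Appdome's code and does not use Appdome's API; the signal field names, the risk-flag vocabulary, the application allow-list, the session TTL and the rate limit are all assumptions chosen to mirror the signals the article lists. The order matters: app identity is checked first, then device context, then session validity, and the first failing layer denies the request before any sensitive handler runs.

```python
"""Gateway-side policy over mobile API trust signals (illustrative, not Appdome's code).

A real deployment would populate RequestSignals from the TLS layer (client
certificate result) and from attestation data carried with the request; here
the values are constructed inline so the policy can be exercised offline.
"""
import time
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed risk-indicator names, following the categories the article mentions.
HIGH_RISK_FLAGS = {
    "root", "jailbreak", "emulator", "simulator", "debugger", "mitm",
    "magisk", "kernelsu", "frida", "lsposed", "adb", "virtualisation",
    "autoclicker", "location_spoofing",
}

# Constructed allow-list of application identifiers (bundle ID plus a hash of
# the signing key). The value is a placeholder, not a real app signature.
KNOWN_APP_IDS = {"com.example.bank:SIGNING_KEY_HASH_PLACEHOLDER"}


@dataclass
class Session:
    """Server-side record behind a session fingerprint with a bounded lifetime."""
    fingerprint: str
    issued_at: float       # epoch seconds when the fingerprint was issued
    ttl_seconds: int       # how long the session stays valid
    max_requests: int      # per-session rate limit
    request_count: int = 0


@dataclass
class RequestSignals:
    """Signals the gateway has for one API request (assumed field names)."""
    client_cert_verified: bool   # did the TLS layer validate a client certificate?
    app_id: Optional[str]        # identifier derived from app signature and bundle ID
    checksum_intact: bool        # attestation result: app binary unmodified
    device_risk_flags: Set[str]  # runtime indicators reported by the app
    session: Optional[Session]


def evaluate(signals: RequestSignals, sensitive: bool,
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Layers run app -> device -> session; the first
    failing layer denies, so a request never reaches a handler unverified."""
    now = time.time() if now is None else now

    # Layer 1: app identity. No certificate, unknown app or modified binary -> deny.
    if not signals.client_cert_verified:
        return False, "no_client_cert"
    if signals.app_id not in KNOWN_APP_IDS:
        return False, "unknown_app_id"
    if not signals.checksum_intact:
        return False, "app_modified"

    # Layer 2: device context. High-risk indicators block sensitive endpoints
    # outright; non-sensitive endpoints are still served so the flags can be logged.
    risk = signals.device_risk_flags & HIGH_RISK_FLAGS
    if risk and sensitive:
        return False, "device_risk:" + ",".join(sorted(risk))

    # Layer 3: session. A bounded lifetime and a per-session rate limit shrink
    # the value of replayed session data and scripted automation.
    s = signals.session
    if s is None:
        return False, "no_session"
    if now - s.issued_at > s.ttl_seconds:
        return False, "session_expired"
    if s.request_count >= s.max_requests:
        return False, "rate_limited"
    s.request_count += 1
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a genuine app on a rooted device hitting a payments endpoint.
    sess = Session("fp-constructed", issued_at=1000.0, ttl_seconds=600, max_requests=5)
    req = RequestSignals(True, "com.example.bank:SIGNING_KEY_HASH_PLACEHOLDER",
                         True, {"root"}, sess)
    print("payments:", evaluate(req, sensitive=True, now=1100.0))
    print("catalogue:", evaluate(req, sensitive=False, now=1100.0))
```

The `sensitive` flag is the policy knob the article's "before sensitive workflows" framing implies: the same device signals can be advisory on a product listing and blocking on a payment. Note that the session counter is mutated only on an allowed request, so a denied replay never consumes budget that would otherwise mask rate limiting.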
Roy Cohen, Engineering Lead for MobileBOT Defence at Appdome, said the latest release places identity checks before access to sensitive user actions.
"If identity is the new perimeter, then proven, valid, and trustworthy mobile identity must come before biometrics are performed and access is granted - it's that simple," he said. "This release ensures that verified mobile identity - where the app, device, and session must prove legitimacy and intent - establishes trust before sensitive workflows such as onboarding, authentication, IDV, and payments are initiated."
WAF Support
The product is designed to work with standard web application firewalls. Appdome listed compatibility with Akamai, AWS WAF, Cloudflare, Fastly, F5, Radware and Imperva, allowing customers to add the service without replacing existing infrastructure.
That may appeal to companies that already rely on established WAF providers and want to add mobile-specific checks without changing their wider network stack. Appdome is positioning the release as a layer that feeds mobile trust signals into existing API protection tools.
Appdome also linked the launch to the growth of AI-assisted attacks against mobile apps, citing external industry analysis.
"New AI-based attack vectors have changed the mobile application security game," said Jason Bloomberg, Managing Director of analyst firm Intellyx. "Appdome solves this problem by bringing verified app identity, trusted device context, and precise location intelligence into the API decision flow. Appdome customers now have a low-risk path to the identity-native security essential for fighting modern AI-based mobile threats."
The new Identity-First Mobile Bot & API Defence functions are available to existing and new MobileBOT Defence customers.