Application protection provides secure connections and anti-bot protection for native applications. This feature identifies proxies, emulators, and requests with invalid signatures. This topic describes how to configure and enable application protection in the Web Application Firewall (WAF) console after you integrate the Anti-Bot SDK into an application.

Notice This topic uses the new version of the WAF console released in January 2020. If your WAF instance was created before January 2020, you cannot use the application protection feature.

Prerequisites

  • You have activated a Web Application Firewall instance, and have purchased the Mobile App Protection module.
  • You have integrated the Anti-Bot SDK into the target application. For more information, see Overview.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, choose a resource group and a region (Mainland China or International).
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. Click the Bot Management tab, find App Protection in the Bot Management section, and click Settings.
  5. Create a path protection rule.
    1. On the App Protection page, find the Interface Protection section, and click Add Rule.
    2. In the Add Rule dialog box that appears, set the following parameters.
      Note In the test phase, we recommend that you set the Path parameter to a forward slash (/) and the Matching parameter to Prefix Match to match all paths. You can set Action to Monitor. If the target domain is a test domain, you can set Action to Block. This allows you to debug the application without affecting your online workloads.
      Rule Name: Specify a name for the rule.
      Path Protection Settings: Specify the path that you need to protect. The following parameters are required:
      • Path: Required. The path that you need to protect. A forward slash (/) indicates all paths.
        Note Signature verification may fail when the body of a POST request exceeds 8 KB. We recommend that you disable SDK protection for API operations that do not require protection, for example, the API operation used to upload large images. If you do need to enable SDK protection for such an API operation, use a user-defined field.
      • Matching: Prefix Match, Precise Match, and Regular Expression Match are supported.

        If you set the value to Prefix Match, all endpoints under the specified path are considered matches. If you set the value to Precise Match, only the specified path is considered a match. If you set the value to Regular Expression Match, paths matched by the regular expression are considered matches.

      • Parameter: The parameters that need to be matched if the protected path contains invariable parameters. WAF can use these parameters to filter endpoints more precisely. The parameters are the parts following the question mark (?) in the request URL.

      Example: The protected URL contains domain name/?action=login&name=test. In this case, set Path to a forward slash (/), Matching to Prefix Match, and Parameter to name, login, name=test, and action=login.

      Protection Policy: Select a protection policy.
      • Invalid Signature: This policy is selected by default and cannot be cleared. The system checks whether the signatures of requests sent to the specified path are correct. The rule is matched if the signature is incorrect.
      • Simulator: If this policy is selected, the system checks whether the user uses an emulator to initiate requests to the specified path. We recommend that you select this policy. The rule is matched if a request is initiated from an emulator.
      • Proxy: If this policy is selected, the system checks whether the user uses a proxy to initiate requests to the specified path. We recommend that you select this policy. The rule is matched if a request is initiated from a proxy.
      Action: The action to be performed on requests that match the rule.
      • Monitor: records the request but does not block the request.
      • Block: blocks the request and returns a 405 HTTP status code.
      Notice Before the SDK integration or debugging is completed, do not set Action to Block for domains used in a production environment. Otherwise, valid requests may be blocked because the SDK is not properly integrated into the application. In the test phase, you can set Action to Monitor to debug the SDK-integrated application based on log data.
      User-defined Field: When a user-defined field is used, the system verifies the request signature based on the specified request field and field value.

      By default, the system verifies the signature based on the request body. The verification may fail if the length of the request body exceeds 8 KB. In this case, you can specify a user-defined field to replace the default field for signature verification.

      After you have selected the User-defined Field check box, you can choose Header, Parameter, or Cookie, and then specify the field that is used to verify the request signature. For example, you can choose Cookie and then enter DG_ZUID. This replaces the default body field with the DG_ZUID field in the request cookie as the field used for signature verification.
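      The following Python model of an Interface Protection rule is an added example, not WAF's own code: it shows how the Path, Matching, Parameter, Protection Policy, Action and User-defined Field settings combine when a request is evaluated, using the page's own sample query (action=login&name=test) and the DG_ZUID cookie. The rule and request dictionaries, the hostname app.example, and the policy_hits flags (standing in for the verdicts that the SDK and WAF produce, which this example does not compute) are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Console values for the Matching parameter.
PREFIX, PRECISE, REGEX = "Prefix Match", "Precise Match", "Regular Expression Match"
BODY_LIMIT = 8 * 1024  # signature verification on the body may fail above 8 KB


def path_matches(rule_path, matching, request_path):
    """Apply the selected Matching mode to the request path."""
    if matching == PREFIX:
        return request_path.startswith(rule_path)
    if matching == PRECISE:
        return request_path == rule_path
    if matching == REGEX:
        return re.search(rule_path, request_path) is not None
    raise ValueError(f"unknown Matching value: {matching}")


def params_match(required, query):
    """required holds Parameter entries such as "name" or "action=login";
    every entry must be present (and, with a value, equal) in the query string."""
    for item in required:
        if "=" in item:
            key, value = item.split("=", 1)
            if query.get(key) != value:
                return False
        elif item not in query:
            return False
    return True


def evaluate_rule(rule, request):
    """Return the rule's Action ("Monitor" or "Block") when the request matches
    the rule and at least one selected policy fires; otherwise None."""
    parts = urlsplit(request["url"])
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not path_matches(rule["path"], rule["matching"], parts.path):
        return None
    if not params_match(rule.get("parameters", []), query):
        return None
    hits = request.get("policy_hits", {})
    # Invalid Signature is always selected and cannot be cleared.
    triggered = hits.get("invalid_signature", False)
    if "Simulator" in rule["policies"]:
        triggered = triggered or hits.get("emulator", False)
    if "Proxy" in rule["policies"]:
        triggered = triggered or hits.get("proxy", False)
    return rule["action"] if triggered else None


def signature_source(rule, request):
    """Pick the field whose value is used for signature verification: the
    User-defined Field when configured (e.g. ("Cookie", "DG_ZUID")), else the
    body. Returns (location, value); value is None when the body is over 8 KB,
    i.e. when verification is expected to fail without a user-defined field."""
    field = rule.get("user_defined_field")
    if field:
        location, name = field
        return location, request.get(location.lower(), {}).get(name)
    body = request.get("body", b"")
    if len(body) > BODY_LIMIT:
        return "Body", None
    return "Body", body


# Constructed rule: the page's test-phase recommendation (Path "/", Prefix
# Match, Monitor) with the sample parameters action=login and name.
EXAMPLE_RULE = {
    "path": "/",
    "matching": PREFIX,
    "parameters": ["action=login", "name"],
    "policies": ["Invalid Signature", "Proxy"],  # Simulator deliberately left off
    "action": "Monitor",
}
# Constructed request whose signature the SDK/WAF flagged as invalid.
EXAMPLE_REQUEST = {
    "url": "https://app.example/?action=login&name=test",
    "policy_hits": {"invalid_signature": True},
}

if __name__ == "__main__":
    print(evaluate_rule(EXAMPLE_RULE, EXAMPLE_REQUEST))
```

      In Monitor mode the returned action is what would appear in the log data used to debug the SDK integration; only after that debugging would the same rule be switched to Block.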

    3. Click Confirm.
  6. Enable version protection.
    You can configure version protection to block requests from non-official applications. You can also use this feature to verify the validity of an application.
    Note A version protection policy is required only when you need to verify the validity of an application.
    1. On the App Protection page, find the Version Protection section and turn on the Allow Specified Version Requests switch.
    2. In the Add Rule dialog box that appears, set the following parameters.
      Rule Name: Specify a name for the rule.
      Valid Version: Specify the valid versions of an application.
      • Enter the legal package name: Specify the name of the valid application package. For example, com.aliyundemo.example.
      • Package Signature: Contact Alibaba Cloud technical support to obtain the package signature. This parameter is optional if the package signature does not need to be verified. In this case, only the package name will be verified.
        Notice The Package Signature is not the signature of the application certificate.

      Click Add Valid Version to add more valid versions. You can add a maximum of five valid versions. Package names must be unique. Currently, both iOS and Android applications are supported. You can enter multiple valid versions to match the package names.

      Disposal Method for Illegal Version: The action to be performed on requests from application versions that are not in the list of valid versions.
      • Monitor: records the request but does not block the request.
      • Block: blocks the request and returns a 405 HTTP status code.
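      The following Python model of a Version Protection rule is an added example, not WAF's own code: it enforces the limits stated above (one to five valid versions, unique package names, a package signature that is optional and, when absent, leaves only the package name verified) and returns the disposal action for a request from an illegal version. The package name com.aliyundemo.example comes from the page; the second package name, the placeholder signature strings, and the build_version_rule/check_version function names are constructed assumptions.

```python
MAX_VALID_VERSIONS = 5  # console limit: at most five valid versions per rule
ACTIONS = ("Monitor", "Block")


def build_version_rule(name, valid_versions, action):
    """valid_versions: list of (package_name, package_signature_or_None).
    A None signature means only the package name is verified for that entry."""
    if not 1 <= len(valid_versions) <= MAX_VALID_VERSIONS:
        raise ValueError(f"between 1 and {MAX_VALID_VERSIONS} valid versions are required")
    names = [pkg for pkg, _ in valid_versions]
    if len(set(names)) != len(names):
        raise ValueError("package names must be unique")
    if action not in ACTIONS:
        raise ValueError("Disposal Method must be Monitor or Block")
    return {"name": name, "valid": dict(valid_versions), "action": action}


def check_version(rule, package_name, package_signature=None):
    """Return "allow" for a request from a valid version; otherwise the rule's
    Disposal Method ("Monitor" or "Block")."""
    if package_name not in rule["valid"]:
        return rule["action"]
    expected_signature = rule["valid"][package_name]
    if expected_signature is not None and package_signature != expected_signature:
        return rule["action"]
    return "allow"


# Constructed rule: the Android package from the page with a placeholder
# signature (the real value is obtained from Alibaba Cloud technical support),
# plus an iOS package checked by name only.
EXAMPLE_VERSION_RULE = build_version_rule(
    "official-builds-only",
    [("com.aliyundemo.example", "PACKAGE_SIGNATURE_PLACEHOLDER"),
     ("com.aliyundemo.ios", None)],
    "Block",
)

if __name__ == "__main__":
    print(check_version(EXAMPLE_VERSION_RULE, "com.aliyundemo.example", "PACKAGE_SIGNATURE_PLACEHOLDER"))
    print(check_version(EXAMPLE_VERSION_RULE, "com.aliyundemo.example", "tampered"))
```

      A repackaged build that keeps the package name but cannot reproduce the package signature is caught only when the signature is configured; with the signature left empty, the name-only check accepts it, which is why the page treats the signature as optional rather than unnecessary.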
    3. Click Confirm.
  7. Enable application protection. In the App Protection section, turn on the Status switch.
    Note We recommend that you integrate the Anti-Bot SDK into the application, debug the application, and release the new version before you enable application protection to make sure that the protection settings take effect.