Web Application Firewall (WAF) provides the application protection feature that allows you to use SDKs to protect native applications. This feature secures connections and protects applications from bot scripts.

What security issues can be resolved by application protection

Application protection was developed based on Alibaba's years of experience in protecting against online attackers, exploiters, and speculators. After applications are integrated with the Anti-Bot SDK, they have the same capabilities as Tmall, Taobao, Alipay, and other Alibaba applications to maintain secure connections. The applications also have access to the library of malicious device fingerprints that Alibaba Group has accumulated against online attackers, exploiters, and speculators. This helps you address application risks at their root.

Application protection addresses the following security issues of native applications:

  • Malicious registrations, credential stuffing, and brute-force attacks
  • HTTP flood attacks against applications
  • SMS and verification code API abuse
  • Coupon hunting and snatching
  • Malicious purchases of limited goods
  • Malicious ticket checking and abuse, such as for air tickets or hotel bookings
  • Crawling of valuable information, such as prices, private credit information, financing, and fiction
  • Vote rigging
  • Spam and malicious comments

How to enable application protection

Take the following steps to enable application protection for your applications.

  1. Activate the application protection module in the WAF console.
    Application protection is a value-added service provided by WAF. You must enable the module before you enable application protection. You can enable application protection in the following ways:
    • If you have not activated WAF, you must activate a WAF subscription and then purchase the Mobile App Protection service in the advanced configuration. For more information, see Activate Alibaba Cloud WAF.
    • If you have already activated WAF, upgrade WAF and purchase the Mobile App Protection service in the advanced configuration.
  2. Add the domain name of your application to WAF to activate application protection. For more information, see Add a domain.
  3. Update the DNS settings of the domain name to resolve the domain name to the corresponding CNAME address of WAF. For more information, see Modify DNS settings.
  4. Contact Alibaba Cloud technical support to obtain the Anti-Bot SDK package and integrate the SDK package into your application. For more information, see the following topics:
    Note: SDK integration may take one or two days.
  5. After you finish integrating the Anti-Bot SDK, configure application protection in the WAF console. You can also customize the endpoints that need to be protected and enable version protection as needed. For more information, see Configure application protection.
  6. Use SDK-integrated applications to send test requests, and debug errors and exceptions based on the responses and log data until the SDK integration is verified to be correct.
  7. Enable application protection in the WAF console after you release the latest version of the SDK-integrated application. For more information, see Configure application protection.
    Note: We recommend that you perform an update when you release a new version of your application. Otherwise, the old version still contains security risks.