Web Application Firewall (WAF) provides the app protection feature that allows you to use SDKs to protect native apps. This feature ensures trusted communications and provides anti-bot protection.

Security issues resolved by app protection

App protection is developed based on years of Alibaba experience defending against online attackers, exploiters, and speculators. Apps that are integrated with the Anti-Bot SDK can provide the same trusted communications as Tmall, Taobao, Alipay, and other Alibaba apps. The apps are protected against online attackers, exploiters, and speculators based on the library of malicious device fingerprints accumulated by Alibaba Group.

App protection provides solutions to the following security issues of native apps:

  • Spam user registration, dictionary attacks, and brute-force attacks
  • HTTP flood attacks against apps
  • SMS flood attacks
  • Promotion abuse and snatcher bots
  • Auto-purchase bots
  • Brushing, such as, brushing for air tickets or hotel reservations
  • Crawling for valued information, such as price, credit, financing, and fiction information
  • Vote manipulation
  • Spam and malicious comments

Procedure to enable app protection

The following steps show how to enable app protection:

  1. Enable the app protection feature in the WAF console.
    App protection is a value-added service provided by WAF. Before you can use the app protection feature, you must enable the feature. To enable the app protection feature, you can use one of the following methods:
    • If WAF is not activated, you must activate WAF and set Mobile App Protection to Yes on the WAF buy page. For more information, see Purchase a WAF instance.
    • If WAF is activated, upgrade the WAF instance and set Mobile App Protection to Yes on the Upgrade/Downgrade page.
    Mobile App Protection
  2. Add the domain name of your app to WAF. For more information, see Add a website.
  3. Change the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME assigned by WAF. For more information, see Change a DNS record.
  4. Contact Alibaba Cloud technical support to obtain the Anti-Bot SDK package and integrate the package into your app.
    For more information about how to integrate the package into your app, see the following topics:
    Note SDK integration may take one or two man-days.
  5. After your app is integrated with the Anti-Bot SDK, configure app protection in the WAF console. You can specify the endpoints that you want to protect and enable version protection based on your business requirements. For more information, see Configure application protection.
  6. Use your app to send test requests, and debug errors and exceptions based on the responses and log data. Make sure that the Anti-Bot SDK has been integrated into your app.
  7. Release the latest version of your app and enable app protection in the WAF console. For more information, see Configure application protection.
    Notice After you release the latest version, we recommend that you push app updates to all devices. Otherwise, earlier versions of apps are still vulnerable to security risks.