Web Application Firewall (WAF) provides the app protection feature, which lets you protect native apps by integrating an SDK into them. The SDK establishes trusted communications between the app and WAF and provides anti-bot protection for the APIs the app calls.

Security issues resolved by app protection

App protection is developed by Alibaba Group engineers with years of experience defending against online attackers, exploiters, and unauthorized speculators. Apps that integrate Anti-Bot SDK get the same trusted communications as Alibaba apps such as Tmall, Taobao, and Alipay, and are protected against these attackers based on the library of malicious device fingerprints accumulated by Alibaba Group.

App protection provides solutions to the following security issues of native apps:

  • Spam user registration, dictionary attacks, and brute-force attacks
  • HTTP flood attacks against apps
  • SMS flood attacks
  • Promotion abuse and snatcher bots
  • Auto-purchase bots
  • Brushing (automated bulk booking or ordering), such as brushing for air tickets or hotel reservations
  • Crawling for valuable information, such as price, credit, financing, and fiction information
  • Vote manipulation
  • Spam and malicious comments

Procedure to enable app protection

The following steps show how to enable app protection:
  1. Enable the app protection feature in the WAF console.
    App protection is a value-added service provided by WAF. You must enable the app protection feature to use it. To enable the app protection feature, you can use one of the following methods:
    • If WAF is not activated, activate WAF and set Mobile App Protection to Yes on the WAF buy page.
    • If WAF is activated, upgrade the WAF instance and set Mobile App Protection to Yes on the Upgrade/Downgrade page. For more information, see Renewal and upgrade of a subscription WAF instance.
  2. Log on to the Web Application Firewall console and choose Protection Settings > Website Protection. On the Bot Management tab of the Website Protection page, turn on App Protection. Then, configure app protection policies for the API that you want to protect. You can also turn on Version Protection based on your business requirements. For more information, see Configure application protection.

    After you turn on App Protection, you can click Obtain and Copy Appkey to obtain the app key. The app key is used in the integration code to send an SDK initialization request.

  3. Contact WAF technical support to obtain the Anti-Bot SDK package and integrate the package into your app.
    For more information about how to integrate the package into your app, see the SDK integration topics.
    Note SDK integration may take one or two man-days.
  4. Add the domain name of your app to WAF. For more information, see Add a website to WAF.
  5. Change the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME assigned by WAF. For more information, see Change a DNS record.
  6. Use your app to send test requests, and debug errors and exceptions based on the responses and the WAF log data. Confirm that requests sent by the app are accepted and that requests sent without the SDK, for example from a plain HTTP client, are handled by the app protection policy that you configured. This is how you verify that Anti-Bot SDK is actually integrated into your app.
  7. Release the latest version of your app.
    Important After you release the latest version of your app, we recommend that you push the update to all devices. Earlier versions of your app do not carry the SDK, so requests from them remain exposed to the security risks listed above.
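The following script is an added example of the checks for steps 4 to 6 and is not part of the WAF documentation or of the Anti-Bot SDK. It verifies that the app's domain resolves to the WAF CNAME and that a request without the SDK is rejected. The domain name (api.example.com), the WAF CNAME, the API path and the HTTP status the policy returns for blocked requests are all hypothetical and are passed in by the operator; the block status depends on the action configured in the WAF policy.

```shell
#!/bin/sh
# Post-cutover checks for WAF app protection (added example, not Alibaba Cloud code).
# Assumptions, all hypothetical and supplied by the operator:
#   - <api-domain>    the app's API domain added to WAF, e.g. api.example.com
#   - <waf-cname>     the CNAME value copied from the WAF console
#   - <api-path>      an API path covered by an app protection policy
#   - <block-status>  the HTTP status the policy returns for a blocked request

# Normalize a DNS answer: strip the trailing dot dig prints and lower-case it.
normalize_name() {
    printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# Return 0 when the observed CNAME target equals the expected WAF CNAME.
cname_points_to_waf() {
    observed=$(normalize_name "$1")
    expected=$(normalize_name "$2")
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# Classify the status of a request that was sent WITHOUT the SDK:
#   blocked -> the policy rejected the unsigned request (what you want)
#   passed  -> a 2xx/3xx came back: the API is not protected yet
#   other   -> anything else (e.g. curl's 000 on connection failure); check WAF logs
classify_unsigned_response() {
    status=$1
    expected_block=$2
    if [ "$status" = "$expected_block" ]; then
        echo blocked
    elif [ "$status" -ge 200 ] 2>/dev/null && [ "$status" -lt 400 ]; then
        echo passed
    else
        echo other
    fi
}

# Live run: sh check.sh <api-domain> <waf-cname> <api-path> <block-status>
run_live() {
    domain=$1; waf_cname=$2; path=$3; block_status=$4
    answer=$(dig +short CNAME "$domain" | head -n 1)
    if cname_points_to_waf "$answer" "$waf_cname"; then
        echo "DNS ok: $domain -> $answer"
    else
        echo "DNS not cut over: $domain -> '${answer:-no CNAME}' (expected $waf_cname)" >&2
        return 1
    fi
    # A plain curl carries no SDK signature, so the policy should reject it.
    code=$(curl -s -o /dev/null -w '%{http_code}' "https://$domain$path")
    verdict=$(classify_unsigned_response "$code" "$block_status")
    echo "Unsigned request to https://$domain$path -> HTTP $code ($verdict)"
    [ "$verdict" = blocked ]
}

if [ "$#" -ge 4 ]; then
    run_live "$@"
fi
```

Run it once before and once after the DNS change: before, the DNS check fails; after, the unsigned request should come back with the configured block status. A "passed" verdict after cutover means the API path is not covered by an app protection policy yet. The positive half of the test, a request that does carry the SDK signature, can only come from the app itself, which is what step 6 asks you to send.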