After the SDK is integrated into your app, configure SDK protection in the Anti-Bot Service console to specify the path and version of the app that you want to protect.

The procedure to configure SDK protection is as follows:
  1. Integrate the SDK into your app. For more information, see iOS SDK integration guide and Android SDK integration guide.
  2. Configure the path of the app to be protected in the Anti-Bot Service console. For more information, see Configure path protection.
  3. Use the SDK-integrated app to send test requests, and debug errors and exceptions based on the responses and log data. Make sure that the SDK integration is correct.
  4. Release the SDK-integrated app, and enable protection in the Anti-Bot Service console. For more information, see Enable app protection.
    Note We recommend that you push app updates to all devices after a new app version is released. Otherwise, old app versions are still vulnerable to security threats.

Configure path protection

Specify the path that you want to protect, and create protection rules for the path.

Procedure
  1. Log on to the Anti-Bot Service console.
  2. In the left-side navigation pane, choose Protection > App Protection. Select the target domain name.
  3. Click Create in the Interface Protection section.
  4. In the Add Path Rule dialog box that appears, set the following parameters.
    Note In the test phase, we recommend that you set the Path parameter to a forward slash (/) and the Matching parameter to Prefix to match all paths. You can set Disposal Method to Observation. If the target domain is a test domain, you can also set Disposal Method to Intercept. This allows you to debug the app without affecting your online workload.
    Parameter Description
    Rule Name Required. The name of the rule.
    Path Protection Settings
    • Path: Required. The path that you want to protect. A forward slash (/) indicates all paths.
      Note Signature verification may fail when the body length of a POST request exceeds 8 KB. We recommend that you disable SDK protection for API operations that do not require protection, such as the API operation for uploading large images. If you do need to enable SDK protection for such an API operation, specify the user-defined field.
    • Matching: Prefix and Exact are supported.

      When Prefix is selected, paths whose prefix is the same as the specified path value are matched. When Exact is selected, only the specified path is matched.

    • Parameter: The parameter that needs to be matched if the protected path contains invariable parameters. This helps to filter paths more accurately. The parameters are the parts following the question mark (?) in the request URL.

      For example, assume that the protected URL is domain name/?action=login&name=test. You can set Path to "/", Matching to "Prefix", and Parameter to "name", "login", "name=test", or "action=login".

    Protection Policy
    • Invalid Signature: This option is selected by default and cannot be cleared. The system checks whether the signature of the request targeting the specified path is correct. The rule is matched if the signature is incorrect.
    • Simulator: If this option is selected, the system checks whether the user uses a simulator to initiate requests to the specified path. We recommend that you select this option. The rule is matched if a simulator is used.
    • Proxy: If this option is selected, the system checks whether the user uses a proxy tool to initiate requests to the specified path. We recommend that you select this option. The rule is matched if a proxy tool is used.
    Disposal Method The action to be taken against the request that matches the rule.
    • Observation: The system records logs, but does not intercept the request.
    • Intercept: The system intercepts the request and returns status code 405.
    User-defined field When a user-defined field is specified, the system verifies the request signature based on the specified request field and field value.

    By default, the system verifies the signature based on the request body. The verification may fail if the length of the request body exceeds 8 KB. In this case, you can specify a user-defined field to replace the default field for signature verification.

    After you have selected the User-defined Field check box, you can choose Header, Parameter, or Cookie, and then specify the field that is used to verify the request signature. For example, you can choose Cookie and then enter DG_ZUID. This replaces the default body field with the DG_ZUID field in the request cookie as the field for signature verification.

  5. Click Confirm.

    After a rule is added, you can edit and delete it based on your needs.
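The following is an added illustration, not code from the Anti-Bot Service product, of how the Path Protection Settings above (Path, Matching, Parameter) and the User-defined field select which requests a rule covers and which request field the signature check reads; the 8 KB body caveat is modelled as a fallback to None. Rule names, URLs and the DG_ZUID cookie value are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

BODY_LIMIT = 8 * 1024  # body length above which the default (body) signature check may fail

@dataclass
class PathRule:
    """One Add Path Rule: path, matching mode, optional parameter filter and the
    signature source (the body by default, or a user-defined Header/Parameter/Cookie field)."""
    name: str
    path: str
    matching: str = "Prefix"              # "Prefix" or "Exact"
    parameter: Optional[str] = None       # substring that must appear after '?' in the URL
    custom_field: Optional[tuple] = None  # e.g. ("Cookie", "DG_ZUID"); None means the body

def rule_matches(rule: PathRule, url: str) -> bool:
    """True if the request URL is in scope of the rule's Path Protection Settings."""
    parts = urlsplit(url)
    if rule.matching == "Exact":
        path_ok = parts.path == rule.path
    elif rule.matching == "Prefix":
        path_ok = parts.path.startswith(rule.path)
    else:
        raise ValueError("Matching must be Prefix or Exact")
    # Parameter is matched as a substring of the query string, so "name", "login",
    # "name=test" and "action=login" all match "?action=login&name=test".
    param_ok = rule.parameter is None or rule.parameter in parts.query
    return path_ok and param_ok

def signature_source(rule: PathRule, headers: dict, params: dict, cookies: dict, body: bytes):
    """Return the (location, value) pair the signature is verified against, or None when
    the default body source is used on a body longer than 8 KB, the case where the docs
    say verification may fail and a user-defined field should be configured instead."""
    if rule.custom_field is None:
        return None if len(body) > BODY_LIMIT else ("Body", body)
    location, name = rule.custom_field
    store = {"Header": headers, "Parameter": params, "Cookie": cookies}[location]
    return (location, store.get(name))  # value is None if the field is absent

# Constructed sample rules (assumed names and paths, not from the documentation)
LOGIN_RULE = PathRule("login", "/", "Prefix", parameter="action=login")
UPLOAD_RULE = PathRule("upload", "/api/upload", "Exact", custom_field=("Cookie", "DG_ZUID"))
```

Running `signature_source` over a rule without a user-defined field and a large body returns None, which is the configuration the 8 KB note tells you to avoid for upload-style API operations.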

Configure version protection (Optional)

You can configure version protection to intercept requests from non-official apps. You can also use this feature to verify the validity of an app.
Note A version protection policy is required only when you need to verify the validity of an app.
Procedure
  1. Log on to the Anti-Bot Service console.
  2. In the left-side navigation pane, choose Protection > App Protection. Select the target domain name.
  3. Turn on Allow Specified Version Requests in the Version Protection section.
    Note To disable version protection, turn off Allow Specified Version Requests.
  4. In the Add Version Rule dialog box that appears, set the following parameters.
    Parameter Description
    Rule Name The name of the rule.
    Valid Version
    • Legal Package Name: Required. The name of the valid app package. For example, com.aliyundemo.example.
    • Package Signature: Contact Alibaba Cloud security professionals to obtain this value.
      Note Do not enter the app certificate signature in this field.
      Note The Package Signature parameter is not required if you do not need to verify the signature of the app package. In this case, the system only verifies the name of the app package.

    Click Add Valid Version to add up to five records. The package names must be unique. Currently, both iOS and Android app names are supported. You can enter multiple app package names in each record.

    Disposal Method for Illegal Version
    • Observation: The system records logs, but does not intercept the request.
    • Intercept: The system intercepts the request and returns status code 405.
  5. Click Confirm.

    After a rule is added, you can edit it based on your needs.

Enable app protection

After you have verified that the app is properly integrated with the SDK, you can release the new app version. You also need to enable app protection so that the protection configurations take effect.
  1. Log on to the Anti-Bot Service console.
  2. In the left-side navigation pane, choose Protection > App Protection. Select the target domain name.
  3. Turn on Enable.
    Notice Before the SDK integration or debugging is complete, do not set Disposal Method to Intercept for domains used in the production environment. Otherwise, valid requests may be intercepted because the SDK is not properly integrated with the app. You can set Disposal Method to Observation in the test phase to debug the SDK-integrated app based on log data.

More information

Use DingTalk to scan the following QR code to join the technical support group. You can consult a security expert in the group if you encounter any technical or urgent problems when you use Anti-Bot Service.
Note To download DingTalk, visit the DingTalk official website.