
Edge Security Acceleration:Protecting mobile apps

Last Updated:Jul 14, 2025

In mobile application security protection, ESA provides different Bot traffic management solutions for native apps and embedded H5 pages. Native app protection policies effectively block automated attacks and malicious traffic through Bot feature detection, Bot rate limiting mechanisms, bot threat intelligence library matching, and IDC blacklist blocking. H5 page protection policies combine legitimate Bot management (such as search engine whitelists), Bot behavior detection, and custom rate limiting rules to accurately distinguish between normal users and malicious crawlers. Through layered protection and multi-policy coordination, ESA can comprehensively defend against Bot attacks, reduce bandwidth consumption, resource misuse, and data breach risks, ensuring the business stability and security of mobile applications.

Native app protection

If your actual business is based on iOS or Android native apps (excluding H5 pages embedded in the app), you can configure Bot protection rules according to the following procedure to defend against app crawlers.

  1. In the ESA console, select Site Management, and click the target site in the Website list.

  2. In the navigation pane on the left, select Security Protection > Bots.

  3. Click Advanced Mode > Create Rule Set, enter the Rule Set Name and set Protection Target Type to APP.

  4. Click SDK Integration, then Obtain and Copy AppKey. Use Contact Us to obtain the SDK package, and then integrate the SDK into your app. For more information, see Integrate protection SDK for Android applications or Integrate protection SDK for iOS applications.

  5. Configure rule expressions in If requests match... based on the request conditions you want to filter. For example, to apply Bot protection to requests from IP address 192.168.0.1, configure: (ip.src eq 192.168.0.1). For more information, see Available rule matching fields for Bots.

  6. In the Then execute... section, select the protection policies you want to add.

    Protection policy parameter description (each entry gives a Protection Policy followed by its Parameter Description)

    Bot Characteristic Detection

    • Abnormal Device Behavior: When enabled, anti-crawler rules detect and control requests from devices that show abnormal characteristics. A device is considered abnormal if any of the following is detected:

      • Expired Signature: Enabled by default, indicating that the timestamp of the device request has expired.

      • Using Simulator: Indicates that an emulator is used on the device.

      • Using Proxy: Indicates that a proxy service is used on the device.

      • Rooted Device: Indicates that the device has Root permissions enabled.

      • Debugging Mode: Indicates that debug mode is enabled on the device.

      • Hooking: Indicates that hook programs exist on the device.

      • Multiboxing: Indicates that multiple processes of the protected App are running simultaneously on the device.

      • Simulated Execution: Indicates that operations simulating user behavior exist on the device.

      • Using Script Tool: Indicates that automatic execution scripts exist on the device.

    • Custom Signature Field: Detects requests that do not carry signatures or have illegal signatures after the APP integrates the SDK.

    • Action: You can set the rule to Observation or Block.

      • Observation: Triggers an alert without blocking the request.

      • Block: Directly blocks attack requests.

    • Secondary Packaging Detection: When enabled, requests from apps whose package name and package signature are not in the legitimate whitelist are treated as secondary packaging (repackaged app) requests. You can specify valid app packages:

      • Specify Legitimate Package Name: Specify the legitimate app package name. For example, example.aliyundoc.com.

      • Package Signature: Contact Alibaba Cloud security technical personnel to obtain this. If the package signature does not need to be verified, leave this parameter empty. In this case, WAF verifies only the package name.

        Note

        The value of Signature is not the signature of the application certificate.

    Bot Throttling

    • IP Address Throttling (Default): Specifies that when the number of access requests from the same IP address exceeds the specified Threshold within the Statistics Duration, the system performs the rate limiting action of Block or Observation on access requests from that IP address for the specified rate limiting duration.

    • Device Throttling: You can set device rate limiting conditions to specify that when the number of access requests from the same device exceeds the specified Threshold within the Statistics Duration, the system performs the rate limiting action of Block or Observation on access requests from that device for the specified rate limiting duration.

    • Custom Session Throttling: You can set the Session Type and customize session rate limiting conditions to specify that when the number of access requests from the same session exceeds the specified Threshold within the Statistics Duration, the system performs the rate limiting action of Block or Observation on that session for the specified rate limiting duration.

    Bot Threat Intelligence Library

    Contains source IP addresses that have performed multiple malicious crawling activities against multiple users on Alibaba Cloud within a certain period. You can set Observation or Slider Verification.

    Data Center Blacklist

    When this switch is enabled, requests from the selected IP libraries are blocked. If legitimate traffic reaches your site from public cloud or IDC data center source IPs, whitelist those known calls (such as payment callbacks from Alipay or WeChat, or monitoring programs) before enabling blocking. IDC blacklist blocking supports the following IP Libraries: Alibaba Cloud, Century Internet, Meituan Cloud, Tencent Cloud, and Others.

  7. In the Effective Time section, click Edit in the Actions column, set the effective time, and then click OK.

  8. After completing the configuration, click OK.
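The following is an added example written for this page, not code from ESA or the protection SDK. It models, on the server side, two of the policies in the table above: signature detection (a request with no signature, an illegal signature, or an expired timestamp is handled with the configured Block or Observation action) and Bot throttling (a key such as an IP address, device, or session that exceeds the Threshold within the Statistics Duration is rate limited for the rate limiting duration). The signature scheme (HMAC-SHA256 over the timestamp and path with a per-app secret), the header names, the 300-second freshness window, and the sample IP addresses are all assumptions; the page does not document how the SDK actually signs requests.

```python
"""Illustrative model of ESA-style signature detection and Bot throttling.

Added example for this page; not the ESA or SDK implementation. The signature
format, header names and TTL below are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass

SIG_HEADER = "x-app-sig"        # assumed header carrying the SDK signature
TS_HEADER = "x-app-ts"          # assumed header carrying the signing timestamp
SIGNATURE_TTL_SECONDS = 300     # assumed window after which a signature is "expired"


@dataclass
class Request:
    key: str        # IP address, device id or session id, depending on throttling mode
    path: str
    headers: dict
    now: int        # server receive time (epoch seconds)


@dataclass
class ThrottleRule:
    threshold: int              # max requests allowed per statistics duration
    statistics_duration: int    # seconds over which requests are counted
    rate_limit_duration: int    # seconds the key stays limited once tripped
    action: str                 # "Block" or "Observation"


class Throttler:
    """Sliding-window counter per key with a penalty period once the threshold is exceeded."""

    def __init__(self, rule: ThrottleRule):
        self.rule = rule
        self.windows = defaultdict(deque)   # key -> request timestamps in the window
        self.limited_until = {}             # key -> time at which the limit expires

    def check(self, key: str, now: int) -> str:
        """Return 'Allow', or the rule's action ('Block'/'Observation') while the key is limited."""
        until = self.limited_until.get(key)
        if until is not None and now < until:
            return self.rule.action
        window = self.windows[key]
        window.append(now)
        cutoff = now - self.rule.statistics_duration
        while window and window[0] <= cutoff:      # drop requests outside the statistics duration
            window.popleft()
        if len(window) > self.rule.threshold:      # "exceeds the specified Threshold"
            self.limited_until[key] = now + self.rule.rate_limit_duration
            window.clear()
            return self.rule.action
        return "Allow"


def sign(secret: bytes, timestamp: int, path: str) -> str:
    """Assumed signature: HMAC-SHA256 over '<timestamp>\\n<path>'."""
    return hmac.new(secret, f"{timestamp}\n{path}".encode(), hashlib.sha256).hexdigest()


def check_signature(req: Request, secret: bytes, action: str = "Block"):
    """Custom Signature Field + Expired Signature detection. Returns (verdict, reason)."""
    sig, ts = req.headers.get(SIG_HEADER), req.headers.get(TS_HEADER)
    if not sig or not ts:
        return action, "missing signature"
    try:
        ts_int = int(ts)
    except ValueError:
        return action, "illegal signature"
    if abs(req.now - ts_int) > SIGNATURE_TTL_SECONDS:
        return action, "expired signature"
    if not hmac.compare_digest(sig, sign(secret, ts_int, req.path)):
        return action, "illegal signature"
    return "Allow", "ok"


def evaluate(req: Request, secret: bytes, throttler: Throttler, sig_action: str = "Block"):
    """Signature detection first, then throttling. 'Observation' means log and forward."""
    verdict, reason = check_signature(req, secret, sig_action)
    if verdict != "Allow":
        return verdict, reason
    verdict = throttler.check(req.key, req.now)
    return verdict, ("rate limit" if verdict != "Allow" else "ok")


def run_demo():
    """Constructed traffic: 3 requests/10 s allowed, the 4th trips a 60 s block."""
    secret = b"example-app-secret"      # constructed per-app secret
    throttler = Throttler(ThrottleRule(threshold=3, statistics_duration=10,
                                       rate_limit_duration=60, action="Block"))

    def signed(key, now, ts=None):
        ts = now if ts is None else ts
        headers = {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, "/api/items")}
        return Request(key, "/api/items", headers, now)

    results = []
    for t in (1000, 1001, 1002, 1003, 1005, 1070):          # same IP, burst then cool-down
        results.append(evaluate(signed("203.0.113.10", t), secret, throttler))
    results.append(evaluate(Request("203.0.113.11", "/api/items", {}, 1070), secret, throttler))
    results.append(evaluate(signed("203.0.113.12", 1070, ts=70), secret, throttler))   # stale timestamp
    observe = Throttler(ThrottleRule(1, 10, 60, "Observation"))  # same logic in Observation mode
    for t in (2000, 2001):
        results.append(evaluate(signed("203.0.113.13", t), secret, observe))
    return results


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

In the demo the first three signed requests from one IP are allowed, the fourth within the 10-second Statistics Duration exceeds the Threshold of 3 and is blocked, the next request is still blocked because the 60-second rate limiting duration has not elapsed, and a request after that duration is allowed again. A request with no signature header and one whose timestamp is 1000 seconds old are handled by signature detection before throttling is consulted; with the action set to Observation the same overflow returns "Observation" so the request can be logged and forwarded instead of dropped.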

App embedded H5 page protection

If your scenario involves accessing H5 pages through browsers, you can configure Bot protection rule sets to accurately identify and block malicious crawler attacks through behavior analysis, feature detection, and threat intelligence libraries.