
Edge Security Acceleration: Protect mobile apps

Last Updated: Mar 31, 2026

ESA delivers tailored bot management for both native apps and the H5 pages embedded in them. With layered, coordinated policies, ESA defends against bot attacks, reduces bandwidth consumption, mitigates resource abuse, and lowers the risk of data leakage, keeping mobile applications stable and secure.

Native apps

For native apps, the available protections are bot characteristic detection, bot throttling (rate limiting), the bot threat intelligence library, and the Internet Data Center (IDC) blacklist.

If your business runs in iOS or Android native apps (not the H5 pages embedded in the app), configure a ruleset as follows to defend against app crawlers:

  1. In the ESA console, choose Websites, and click the name of the website you want to manage.

  2. In the navigation pane on the left, choose Security > Bots.

  3. Click Professional Mode > Create Ruleset, enter a Ruleset Name, and set Service Type to Apps.

  4. Click Obtain and Copy AppKey next to SDK Integration. Use Contact Us to obtain the SDK package, then integrate the SDK into your Android or iOS application. Requests that are not signed by the integrated SDK cannot pass the signature-based detections configured in the next steps.

  5. Configure the rule fields in If requests match... with the request conditions you want to filter on.

    For example, to apply bot protection only to requests from the source IP address 192.168.0.1, configure the match expression: (ip.src eq 192.168.0.1)

  6. In the Then execute... section, set the protection policies you want to add.

    Policies and parameters

    Bot Characteristic Detection

    • Abnormal Device Behavior: Anti-crawler rules detect and control requests from devices that show the following characteristics:

      • Expired Signature: Enabled by default. Indicates that the timestamp carried in the device request's signature has expired, so the request is stale or replayed.

      • Using Simulator: Indicates that an emulator is used on the device.

      • Using Proxy: Indicates that a proxy service is used on the device.

      • Rooted Device: Indicates that the device has root privileges enabled.

      • Debugging Mode: Indicates that debug mode is enabled on the device.

      • Hooking: Indicates that hooking tools are present on the device.

      • Multiboxing: Indicates that multiple processes of the protected app are running simultaneously on the device.

      • Simulated Execution: Indicates that operations simulating user behavior are present on the device.

      • Using Script Tool: Indicates that automated execution scripts are present on the device.

    • Custom Signature Field: After the app integrates the SDK, detects requests that carry no signature or an invalid signature.

    • Action: You can set the rule to Monitor or Block.

      • Monitor: Triggers an alert without blocking the request.

      • Block: Blocks attack requests.

    • Secondary Packaging Detection: When enabled, requests from apps whose package name and package signature are not on the whitelist of legitimate packages are treated as requests from repackaged (secondary packaging) apps. Specify the legitimate packages:

      • Valid Package Name: The legitimate app package name. For example, example.aliyundoc.com.

      • Signature: Obtain this from Alibaba Cloud technical support. Leave it empty if the package signature does not need to be verified; in that case only the package name is verified.

        Note

        This is not the app's code-signing certificate signature.

    Bot Throttling

    • IP Address Throttling (Default): Rate limits by source IP address. If the number of requests from the same IP address exceeds the specified threshold within the defined Statistical Interval (Seconds), further requests from that IP address are blocked (Block) or flagged (Monitor) for the configured duration.

    • Device Throttling: Rate limits by device. If the number of requests from the same device exceeds the specified threshold within the defined Statistical Interval (Seconds), further requests from that device are blocked (Block) or flagged (Monitor) for the configured duration.

    • Custom Session Throttling: Rate limits by session, identified according to the configured Session Type. If the number of requests from the same session exceeds the specified threshold within the defined Statistical Interval (Seconds), further requests from that session are blocked (Block) or flagged (Monitor) for the configured duration.

    Bot Threat Intelligence Library

    Contains source IP addresses that have repeatedly performed malicious crawling against multiple Alibaba Cloud customers within a given period. You can set the action to Monitor or Slider CAPTCHA.

    Data Center Blacklist

    Requests from the selected IP libraries are blocked. Because legitimate callers also run in public clouds and IDC data centers, whitelist known legitimate sources before enabling this blacklist, for example payment callbacks or monitoring programs from Alipay or WeChat; otherwise those callbacks are dropped along with the crawlers. The IDC blacklist supports the following IP libraries: Alibaba Cloud, Century Internet, Meituan Cloud, Tencent Cloud, and Others.

  7. In the Effective Time section, click Edit in the Actions column, set the effective time, and click OK.

  8. After completing the configuration, click OK.
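The following Python example is added here to show what the policies configured in step 6 mean when they are applied to traffic; it is not ESA's own code and not the SDK's real signing scheme, which this page does not document. It assumes a hypothetical request format (headers X-Sig, X-Ts, X-Pkg and X-Pkg-Sig), an HMAC-SHA256 signature keyed by the AppKey, a 300-second expiry window, and an invented package whitelist. With those assumptions it demonstrates the Expired Signature and Custom Signature Field detections, the Secondary Packaging check with and without a configured package signature, and Bot Throttling with a sliding statistical interval and a Monitor or Block penalty period.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed illustration, not the ESA SDK's real signing scheme (which this
# page does not document). A signed request carries a timestamp, the package
# name and an HMAC-SHA256 over method, path, package, timestamp and body,
# keyed by the AppKey copied from the console. The key value is hypothetical.
APP_KEY = b"hypothetical-appkey-copied-from-console"
MAX_SKEW_SECONDS = 300  # assumed "Expired Signature" window

# Secondary Packaging Detection whitelist: package name -> package signature.
# An empty signature means only the package name is verified (as on the page).
VALID_PACKAGES = {
    "com.example.app": "0123abcd",  # hypothetical signature string
    "com.example.lite": "",
}


def sign(method, path, package, ts, body):
    msg = f"{method}\n{path}\n{package}\n{ts}\n".encode() + body
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()


def make_request(package, pkg_sig, ts, body=b'{"q":"shoes"}', signed=True):
    """Build a constructed sample request as the SDK-integrated app would send it."""
    headers = {"X-Pkg": package, "X-Pkg-Sig": pkg_sig, "X-Ts": str(ts)}
    if signed:
        headers["X-Sig"] = sign("POST", "/api/search", package, ts, body)
    return {"method": "POST", "path": "/api/search", "body": body, "headers": headers}


def check_request(req, now):
    """Return 'pass' or a rejection reason named after the page's detections."""
    h = req["headers"]
    sig = h.get("X-Sig")
    if not sig:
        return "missing_signature"  # Custom Signature Field: no signature at all
    try:
        ts = int(h.get("X-Ts", ""))
    except ValueError:
        return "illegal_signature"  # unparsable timestamp, signature cannot be valid
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "expired_signature"  # Expired Signature: timestamp outside the window
    package = h.get("X-Pkg", "")
    expected = sign(req["method"], req["path"], package, ts, req["body"])
    if not hmac.compare_digest(sig, expected):
        return "illegal_signature"  # Custom Signature Field: tampered or forged
    if package not in VALID_PACKAGES:
        return "secondary_packaging"  # package name not on the whitelist
    if VALID_PACKAGES[package] and VALID_PACKAGES[package] != h.get("X-Pkg-Sig", ""):
        return "secondary_packaging"  # signature configured and does not match
    return "pass"


class Throttle:
    """Bot Throttling for one key type (source IP, device ID or session ID).

    Requests per key are counted over a sliding window of `interval` seconds.
    Once the count exceeds `threshold`, the key is penalised for
    `block_seconds`; the penalty result is the rule's action, 'block' or
    'monitor' (monitor only flags the request, it is still served).
    """

    def __init__(self, threshold, interval, block_seconds, action="block"):
        self.threshold, self.interval = threshold, interval
        self.block_seconds, self.action = block_seconds, action
        self.hits = defaultdict(deque)
        self.penalised_until = {}

    def check(self, key, now):
        until = self.penalised_until.get(key)
        if until is not None and now < until:
            return self.action  # still inside the penalty window
        q = self.hits[key]
        q.append(now)
        while q and q[0] <= now - self.interval:
            q.popleft()  # drop hits older than the statistical interval
        if len(q) > self.threshold:
            self.penalised_until[key] = now + self.block_seconds
            q.clear()
            return self.action
        return "allow"


if __name__ == "__main__":
    now = 1_700_000_000
    print(check_request(make_request("com.example.app", "0123abcd", now - 10), now))
    print(check_request(make_request("com.example.app", "0123abcd", now - 900), now))
    print(check_request(make_request("com.evil.app", "ffff", now - 10), now))
    ip_rule = Throttle(threshold=3, interval=10, block_seconds=60)
    print([ip_rule.check("203.0.113.7", now + t) for t in (0, 1, 2, 3, 30, 70)])
```

Two design points carry over to the real configuration. The signature is verified with a constant-time comparison and the timestamp is checked before the HMAC, so a replayed capture fails on expiry even when its signature is intact. The throttle keys on whatever identifier the rule uses (IP, device or session), and a Monitor rule returns the same penalty decision as a Block rule without refusing the request, which is why it is safe to run Monitor first to calibrate the threshold before switching to Block.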

H5 pages embedded in apps

ESA uses legitimate bot management (for example, search engine whitelists), bot behavior detection, and custom rate limiting to distinguish normal user requests from malicious crawlers and to recognize legitimate crawlers.

For H5 pages accessed through a browser, set up rulesets that identify and block malicious crawler attacks using behavior analysis, feature detection, and threat intelligence libraries.