Native iOS and Android apps face bot attacks that Web Application Firewall (WAF) cannot intercept at the network layer alone—attackers emulate legitimate device behavior to bypass standard protections. App protection embeds the Anti-Bot SDK directly into your app to authenticate every request at the client level, using Alibaba Group's device fingerprint library to identify malicious clients with the same trust model used by Tmall, Taobao, and Alipay.
Threats defended against
Apps integrated with the Anti-Bot SDK are protected against the following threats:
| Threat category | Examples |
|---|---|
| Account abuse | Spam user registration, dictionary attacks, brute-force attacks |
| Traffic flooding | HTTP flood attacks, SMS flood attacks |
| Business fraud | Promotion abuse, snatcher bots, auto-purchase bots |
| Fake activity | Brushing (e.g., air tickets, hotel reservations), vote manipulation, spam and malicious comments |
| Data theft | Crawling for price, credit, financing, fiction, and other sensitive information |
Billing
App protection is a value-added service provided by WAF. You must purchase the Mobile App Protection add-on before enabling the feature.
Enable app protection
Enabling app protection requires seven steps across the WAF console and your app development environment. SDK integration may take 1–2 person-days.
Step 1: Add the Mobile App Protection add-on
If WAF is not yet activated: On the WAF buy page, set Mobile App Protection to Yes when purchasing.
If WAF is already activated: Go to the Upgrade/Downgrade page for your WAF instance, set Mobile App Protection to Yes, and confirm the upgrade. For details, see Renewal and upgrade of a subscription WAF instance.
Step 2: Turn on app protection and configure policies
Log in to the WAF console.
Go to Protection Settings > Website Protection, then click the Bot Management tab.
Turn on App Protection.
Click Obtain and Copy Appkey to get your app key. You need the app key in the SDK initialization code.
Configure app protection policies for the APIs you want to protect.
(Optional) Turn on Version Protection based on your business requirements.
For policy configuration details, see Configure application protection.

Step 3: Integrate the Anti-Bot SDK into your app
Contact WAF technical support to get the Anti-Bot SDK package, then integrate it into your app using the app key from step 2.
Integration guides:
Step 4: Add your app's domain to WAF
Add the domain name used by your app to WAF. For details, see Add a website to WAF.
Step 5: Update your DNS record
Change your domain's DNS record to resolve to the CNAME assigned by WAF. For details, see Change a DNS record.
Step 6: Test and verify
Use your app to send test requests, then review the responses and WAF log data to confirm the Anti-Bot SDK is working correctly. Debug any errors before proceeding.
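Before sending the test requests, confirm that the DNS change from step 5 has taken effect, because a domain that still resolves straight to the origin never passes through WAF. The script below is an added example, not part of the original documentation; `app.example.com` and `waf-placeholder.example-waf.invalid` are placeholders for your app domain and the CNAME shown in the WAF console, and the sample `dig` output is constructed.

```shell
#!/bin/sh
# Added example: check that an app domain's DNS chain reaches the WAF-assigned CNAME.
# Placeholders (assumptions): replace with your domain and the CNAME from the WAF console.
APP_DOMAIN="app.example.com"
WAF_CNAME="waf-placeholder.example-waf.invalid"

# Lowercase a DNS name and strip one trailing dot, so "A.Example.COM." matches "a.example.com".
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# chain_reaches_waf EXPECTED_CNAME
# Reads `dig +short` output on stdin (CNAME targets and IP addresses, one per line).
# Returns 0 if any name in the chain equals EXPECTED_CNAME, 1 otherwise.
chain_reaches_waf() {
    expected=$(normalize "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if [ "$(normalize "$line")" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# check_domain DOMAIN EXPECTED_CNAME: live lookup (needs dig and network access).
check_domain() {
    if dig +short "$1" | chain_reaches_waf "$2"; then
        echo "OK: $1 resolves through $2"
    else
        echo "FAIL: $1 does not resolve through $2; requests may reach the origin without passing WAF"
        return 1
    fi
}

# Constructed sample of `dig +short` output: intermediate CNAME, WAF CNAME, then an A record.
SAMPLE_OUTPUT='edge.app.example.com.
WAF-Placeholder.example-waf.invalid.
203.0.113.10'
printf '%s\n' "$SAMPLE_OUTPUT" | chain_reaches_waf "$WAF_CNAME" && echo "sample: chain reaches WAF CNAME"
# Live check once the record is changed: check_domain "$APP_DOMAIN" "$WAF_CNAME"
```

Run the live check from more than one resolver or network, since cached records can keep pointing at the old target until their TTL expires.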
Step 7: Release the updated app
Publish the new app version with the integrated SDK.
Push the update to all devices promptly. Devices still running an earlier version without the SDK remain unprotected.
Next steps
Configure application protection — Set up protection policies for your APIs