Appdome has announced six major upgrades to its MobileBOT Defense solution, introducing what it calls the industry’s first full-suite Identity-First Mobile API Protection platform. With this advancement, the company aims to shift API security from traditional guesswork to a model based on verifiable trust. As a result, mobile businesses can now prevent brute-force bot attacks and authorize API access using proven identity signals tied to mobile apps, devices, sessions, real-world location, and risk context.

As cyber threats continue to evolve, especially with the rise of AI-driven attack techniques, the API attack surface has expanded significantly. Consequently, traditional security approaches are no longer sufficient. Instead of relying on behavioral patterns or probabilistic scoring, Appdome’s new approach focuses on deterministic identity verification before granting API access.

“New technologies, especially AI, have radically expanded the API Attack Surface,” said Tom Tovar, CEO and Co-Founder of Appdome. “Bot farms still exist, but the biggest risk now comes from fake, spoofed, and deeply compromised mobile applications, devices, locations, and users. Identity-First Mobile API Protection shifts the model from inferring legitimacy to proving it, requiring trusted application and device identity before sensitive APIs respond.”

Traditionally, mobile bot detection relied on web application firewalls (WAFs) and anti-bot SDKs to infer legitimacy based on network behavior and session data. However, attackers have found ways to bypass these defenses by reusing session cookies, exploiting automated environments, and leveraging AI-powered deepfakes. Therefore, this legacy model has become increasingly ineffective against modern threats.

In contrast, Appdome’s MobileBOT Defense introduces a fundamentally different approach. It requires verification of both application and device identity before evaluating session risks and granting API access. To achieve this, the platform sends cryptographic identifiers, verified GPS data, session trust signals, and risk indicators in a secure payload with every API request. This ensures that only authenticated and trusted entities can interact with APIs.

“It’s the first time anyone has used mobile application and device identity to stop bots and API attacks,” said Avi Yehuda, Co-Creator and CTO at Appdome. “Before, a network used a single authorization token or cookie to grant access. Now, they have a multi-layered identity scheme that guarantees legitimacy before granting API Access. That’s a tectonic shift in how networks protect APIs.”

Furthermore, the upgraded MobileBOT Defense introduces a multi-tiered identity model that governs each API session. First, mobile application identity ensures that only legitimate apps can initiate requests using a combination of cryptographic certificates, unique app identifiers, and real-time attestation checks. As a result, any unauthorized or modified application can be blocked immediately.

In addition, the solution verifies mobile device identity by capturing trusted device attributes such as manufacturer, OS version, and real-time GPS location. It also evaluates advanced risk signals, including jailbreak detection, emulator use, and sophisticated threats like malware, deepfakes, and location spoofing. Consequently, organizations gain deeper visibility into device-level risks before allowing access.

Moreover, session identity plays a critical role in enhancing security. The platform introduces dynamic session fingerprints that are time-bound and controlled within a hardened runtime environment. With remote update capabilities, organizations can adjust session parameters, revoke access, and update security controls in real time. This flexibility significantly reduces risks such as replay attacks, credential stuffing, and automated abuse.

“If identity is the new perimeter, then proven, valid, and trustworthy mobile identity must come before biometrics are performed and access is granted – it’s that simple,” said Roy Cohen, Engineering Lead for MobileBOT Defense. “This release ensures that verified mobile identity, where the app, device, and session must prove legitimacy and intent, establishes trust before sensitive workflows such as onboarding, authentication, IDV, and payments are initiated.”

Importantly, MobileBOT Defense remains compatible with all major industry-standard WAFs, including Akamai, AWS WAF, Cloudflare, Fastly, F5, Radware, and Imperva. Therefore, enterprises can integrate the solution into their existing infrastructure without disruption, while adding a powerful new layer of mobile API protection.

“New AI-based attack vectors have changed the mobile application security game,” said Jason Bloomberg, managing director of analyst firm Intellyx. “Appdome solves this problem by bringing verified app identity, trusted device context, and precise location intelligence into the API decision flow. Appdome customers now have a low-risk path to the identity-native security essential for fighting modern AI-based mobile threats.”

Overall, Appdome’s latest upgrades mark a significant shift in API security strategy. By prioritizing identity verification and real-time risk assessment, the company is enabling organizations to defend against increasingly sophisticated, AI-driven attacks while ensuring secure and reliable API access.
