Protect Mobile Endpoints
Important: Bot Defense Advanced Self-Service Policy Management is a beta feature.
The F5 Distributed Cloud Mobile SDK works with Bot Defense Advanced to protect mobile applications from unwanted automated traffic. The Mobile SDK provides a library that you embed in the mobile application. This library collects telemetry data and information about the endpoints.
When the application makes HTTP requests, it calls the Mobile SDK to generate headers, which are then attached to the outbound request. When Bot Defense receives these requests, it examines the requests and the headers to determine if the requests are from legitimate users or from automation.
If Bot Defense determines that the request is from a human source or an allowed automated source, it allows the request to proceed to the origin. If Bot Defense determines that the request is from automated traffic, it can apply mitigation actions to block or redirect the traffic according to your endpoint policy.
- Review the best practices for protecting mobile endpoints.
- Obtain the base configuration file from F5 Support or your F5 Operations team.
- Complete one of the following tasks to integrate the F5 Distributed Cloud Mobile SDK with your mobile application:
  - Integrate the F5 Distributed Cloud Mobile SDK library into your Android or iOS application.
  - Use the Distributed Cloud Mobile SDK Integrator, which enables you to integrate the F5 Mobile SDK with your application without making code changes.
Mobile application best practices
When you configure protection for mobile endpoints, F5 recommends that you follow these best practices:
- Before you onboard a mobile application, identify all URLs that must be protected.
- F5 recommends that you integrate the Mobile SDK with applications that have forced-upgrade capability. This allows you to upgrade users to the version of the application that you have integrated with the Mobile SDK. If your applications do not have forced-upgrade capability, you cannot enable mitigation actions until all users have upgraded to the version of your application that includes the Mobile SDK.
- F5 recommends that you integrate the Mobile SDK as described in the F5 Distributed Cloud Mobile SDK documentation, which is included in your SDK download file. If you need to deviate from those recommendations, see the F5 knowledge base for other integration considerations or contact F5 Support.
- Initialize the Mobile SDK as early as possible in the application lifecycle to ensure that the Mobile SDK is initialized and ready to add headers before a protected request is made.
- If you use push notifications on Android, you must be aware of special integration considerations when push notifications are sent to many applications at once. See your Android documentation for information.
- So that you can examine traffic filtered by a specific version of your application, F5 recommends that you include an application version marker in the User-Agent header of the request.
  Example:
  User-Agent: sometext MyApp/3.3 sometext
- For all responses returned to protected requests, execute parseResponseHeaders().
- Each set of headers contains a unique token. Do not send the same set of headers more than once.
- The Mobile SDK is obfuscated. If you use code obfuscation, exclude the Mobile SDK so it is not obfuscated again.
- If your application uses WebView to access the protected content, consider using the JavaScript solution to add telemetry headers to protected requests. See the F5 knowledge base for information about how to use JavaScript with WebView or contact F5 Support.
- To help you identify SDK integration problems early during development, F5 recommends that you keep your mitigation actions set to Block in your test environment.
Add a Mobile Base Configuration
To use the F5 Distributed Cloud Mobile SDK or Distributed Cloud Mobile SDK Integrator to protect mobile endpoints, you must obtain a mobile base configuration file and bundle it with your mobile application before you release the application in the app store.
The mobile base configuration file contains configuration information needed to initialize the Mobile SDK. It is used during the first launch of an application that uses the Mobile SDK. After the initial launch of the application, the Mobile SDK calls the Bot Defense server and downloads new configuration information each time the application launches.
Obtain the mobile base configuration file from the F5 Operations team or F5 Support.
Next Steps
After you obtain the mobile base configuration file, provide it to your application developers so they can bundle the file with your mobile application that uses the Mobile SDK or Mobile SDK Integrator before you release the application in the app store.
Then either work with your developers to integrate the Mobile SDK with your application or configure the Distributed Cloud Mobile SDK Integrator to automatically integrate the Mobile SDK with your application.
Add the F5 Distributed Cloud Mobile SDK to your mobile applications
To protect your native applications from malicious automation, you can integrate the Mobile SDK with your native applications, which allows applications to route traffic to Bot Defense for evaluation. You can download iOS and Android versions of the Mobile SDK from Bot Defense in the Distributed Cloud Console.
To download the F5 Distributed Cloud Mobile SDK:
- In Bot Defense, click Manage > Mobile > Mobile SDKs.
- In the Actions column, click the Action menu (…) next to the SDK for your operating system and click Download Mobile SDK.
Figure: Download the F5 Distributed Cloud Mobile SDK from Bot Defense
For instructions on how to integrate the Mobile SDK, see the following documentation included in the SDK download file:
- F5 Mobile SDK for iOS Integration Guide (XC_iOS_IntegrationGuide.pdf)
- F5 Mobile SDK for Android Integration Guide (XC_Android_IntegrationGuide.pdf)
Keep the following suggestions in mind when you update your app to integrate the Mobile SDK:
- Use the getRequestHeaders and parseResponseHeaders API, rather than generateHeaders and analyzeResponse. This API is simpler and meets the needs of Bot Defense.
- For body, you can pass in nil on iOS and null on Android.
- For Bot Defense, getRequestHeaders always returns headers, regardless of which URL is passed. For this reason, your developer should only add headers to requests that require protection.
- Similarly, parseResponseHeaders should be called for every response to the protected requests.
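The suggestions above and the header-related best practices (protected URLs only, a new header set per request, every protected response parsed, version marker in User-Agent) can be enforced in one place on Android with an OkHttp interceptor. This is an added example, not code from F5 or from the SDK documentation. TelemetryHeaderSource is a hypothetical facade whose parameter and return types are assumptions, and the protected paths and version marker are constructed values.

```kotlin
import okhttp3.Interceptor
import okhttp3.Response

// Hypothetical facade over the Mobile SDK. The two method names are the ones
// this page recommends; the parameter and return types are assumptions, so
// adapt them to the signatures in the integration guide from your SDK download.
interface TelemetryHeaderSource {
    fun getRequestHeaders(url: String, body: ByteArray?): Map<String, String>
    fun parseResponseHeaders(headers: Map<String, List<String>>)
}

// Register with OkHttpClient.Builder.addNetworkInterceptor(): a network
// interceptor runs for every transmission, including OkHttp's own retries and
// redirects, so each transmission gets a new header set.
class ProtectedEndpointInterceptor(
    private val sdk: TelemetryHeaderSource,
    private val protectedPaths: Set<String>,  // constructed, e.g. setOf("/api/login")
    private val versionMarker: String         // e.g. "MyApp/3.3"
) : Interceptor {

    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()

        // getRequestHeaders returns headers for any URL, so the decision to
        // protect a request has to be made here, against an explicit list.
        if (request.url.encodedPath !in protectedPaths) {
            return chain.proceed(request)
        }

        val builder = request.newBuilder()
        // Ask for a new header set on every call; never cache the map.
        // The body argument may be null on Android.
        sdk.getRequestHeaders(request.url.toString(), null)
            .forEach { (name, value) -> builder.header(name, value) }

        // Version marker in User-Agent so traffic can be filtered per release.
        val userAgent = request.header("User-Agent").orEmpty()
        if (versionMarker !in userAgent) {
            builder.header("User-Agent", "$userAgent $versionMarker".trim())
        }

        val response = chain.proceed(builder.build())
        // Every response to a protected request goes back to the SDK.
        sdk.parseResponseHeaders(response.headers.toMultimap())
        return response
    }
}
```

Keeping the protected-path list next to the endpoint policy configured in Bot Defense makes it easier to spot a protected URL that the application never decorates.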
Integrate the F5 Distributed Cloud Mobile SDK using the Distributed Cloud Mobile SDK Integrator
The Distributed Cloud Mobile SDK Integrator is a no-code solution for integrating the F5 Distributed Cloud Mobile SDK with your mobile application, which saves you both the time and expense of a traditional integration. For more information, see Distributed Cloud Mobile SDK Integrator Overview.
Request the Distributed Cloud Mobile SDK Integrator
- From the Bot Defense navigation menu, click Manage > Mobile > Mobile SDK Integrator.
Note: If Mobile SDK Integrator is already enabled, the Mobile SDK Integrator download page appears.
- From the Mobile SDK Integrator landing page, click Request Service.
Figure: Mobile SDK Integrator landing page
Download the Distributed Cloud Mobile SDK Integrator
After F5 fulfills your service request to enable Mobile SDK Integrator, perform the following steps:
- From the Distributed Cloud Console dashboard, click Bot Defense and then click Manage > Mobile > Mobile SDK Integrator.
- From the Actions column next to the operating system for your app, click the Action menu (…) and then click Download Mobile SDK Integrator.
- Extract the contents of the download file.
Next Steps
After you download and extract the Distributed Cloud Mobile SDK Integrator, from the extracted file directory, open the documentation for your operating system:
- Android: F5-XC-Mobile-SDK-Integrator-Android.pdf
- iOS: F5-XC-Mobile-SDK-Integrator-iOS.pdf
Review the documentation for additional information about the contents of the extracted download file directory, system requirements and instructions for using the Distributed Cloud Mobile SDK Integrator.