Protect Mobile Endpoints

Published April 5, 2023 | Last modified June 11, 2026

Important: Bot Defense Self-Service Policy Management is an Early Access feature.

The F5 Distributed Cloud Mobile SDK works with Bot Defense to protect mobile applications from unwanted automated traffic. The Mobile SDK provides a library that you embed in the mobile application. This library collects telemetry data telemetry and information about the endpoints.

When the application makes HTTP requests, it calls the F5 Mobile SDK to generate headers, which are then attached to the outbound request. When Bot Defense receives these requests, it examines the requests and the headers to determine if the requests are from legitimate users or from an automated source.

If Bot Defense determines that the request is from a human source or an allowed automated source, it allows the request to proceed to the origin. If Bot Defense determines that the request is from automated traffic, it can apply mitigation actions to block or redirect the traffic according to your endpoint policy.

To protect mobile endpoints, complete the following tasks:

  1. Review the best practices for protecting mobile endpoints.
  2. Update network routing for the mobile endpoints you want to protect so that traffic to those endpoints is sent to Bot Defense for evaluation. F5 recommends that you update routing before you configure your mobile endpoints so that telemetry headers added to a request by the SDK are never sent directly to the origin.
  3. Configure your mobile endpoints in the Bot Endpoint Policy. Set the mitigation action to Continue so that Bot Defense initially monitors traffic to the endpoints but does not block the traffic.
  4. Deploy the updated Bot Endpoint Policy. For information, see Deploy Policy Updates.
  5. Download the base configuration file from the F5 Distributed Cloud Console. The new base configuration file contains the newly protected mobile endpoints.
  6. Bundle the base configuration file with your app when you integrate the F5 Mobile SDK. For instructions to how integrate the F5 Mobile SDK, manually, or with SDK Integrator, see Integrate the F5 Distributed Cloud Mobile SDK with your Mobile Application.
  7. Release the updated mobile application to your users.
  8. Perform a false positive analysis on the new endpoints. For instructions, see Verify Mobile SDK Integration.
  9. After you complete the false positive analysis, you can update mitigation actions in your Bot Endpoint Policy to block or redirect requests. For instructions, see Change Mitigation Actions.

Mobile application best practices

When you configure protection for mobile endpoints, F5 recommends that you follow these best practices:

  • Before you begin, identify all mobile endpoints that you want to protect. You may need to download and integrate a new base configuration file each time you add a new mobile endpoint to your Bot Endpoint Policy.

  • When you protect new mobile endpoints, to minimize false positive results, F5 recommends that you download a new base configuration file and bundle it with the next release of your mobile app. While you can add a new endpoint without updating the mobile app, requests that are made to a new endpoint before the app downloads and processes a new remote configuration update can generate false positive results. Download and bundle a new base configuration file to help prevent this.

  • F5 recommends that you integrate the F5 Mobile SDK with applications that have forced-upgrade capability. This allows you to upgrade users to the version of the application that you have integrated with the F5 Mobile SDK. If your applications do not have forced upgrade capability, then you cannot enable mitigation actions until all users have upgraded to the version of your application that includes the F5 Mobile SDK.

  • F5 recommends that you integrate the F5 Mobile SDK as described in the F5 Distributed Cloud Mobile SDK documentation, which is included in your SDK download file. If you need to deviate from those recommendations, see the F5 knowledge base for other integration considerations or contact F5 Support.

  • Initialize the F5 Mobile SDK as early as possible in the application lifecycle to ensure that the F5 Mobile SDK is initialized and ready to add headers before a protected request is made.

  • If you use push notifications on Android, you must be aware of special integration considerations when push notifications are sent to many applications at once. See your Android documentation for information.

  • So that you can examine traffic filtered by a specific version of your application, F5 recommends that you include an application version marker in the User-Agent header of the request.

    Example: User-Agent: sometext MyApp/3.3 sometext

  • For all responses returned to protected requests, execute parseResponseHeaders().

  • Each set of headers contains a unique token. Do not send the same set of headers more than once.

  • The F5 Mobile SDK is obfuscated. If you use code obfuscation, exclude the F5 Mobile SDK so it is not obfuscated again.

  • If your application uses WebView to access the protected content, consider using the JavaScript solution to add telemetry headers to protected requests. See the F5 knowledge base for information about how to use JavaScript with WebView or contact F5 Support.

  • To help you identify SDK integration problems early during development, in your test environment, F5 recommends that you keep your mitigation actions set to Block.

Integrate the F5 Distributed Cloud Mobile SDK with your Mobile Application

To integrate the F5 Distributed Cloud Mobile SDK with your mobile application, you can manually integrate the F5 Mobile SDK with your mobile app, or use the F5 Distributed Cloud SDK Integrator to automatically integrate the F5 Mobile SDK with your mobile app.

Add the F5 Distributed Cloud Mobile SDK to your mobile applications

To protect your native applications from malicious automation, you can integrate the F5 Distributed Cloud Mobile SDK with your native applications, which allows applications to route traffic to Bot Defense for evaluation. You can download iOS and Android versions of the F5 Mobile SDK from Bot Defense in the Distributed Cloud Console.

To download the F5 Distributed Cloud Mobile SDK:

  1. In Bot Defense, select Manage > Mobile > Mobile SDKs.
  2. In the Actions column for the SDK for your operating system, select the Download icon.

For instructions on how to integrate the F5 Mobile SDK, see the following documentation included in the SDK download file:

  • F5 Mobile SDK for iOS Integration Guide (XC_iOS_IntegrationGuide.pdf)
  • F5 Mobile SDK for Android Integration Guide (XC_Android_IntegrationGuide.pdf)

Integrate the F5 Distributed Cloud Mobile SDK using the Distributed Cloud Mobile SDK Integrator

The F5 Distributed Cloud Mobile SDK Integrator is a no-code solution for integrating the F5 Distributed Cloud Mobile SDK with your mobile application. The Mobile SDK Integrator supports most iOS and Android native apps and can be tied directly into CI/CD pipelines to support rapid deployments.

Use the Mobile SDK Integrator:

  • For emergency integrations when you need to integrate quickly.
  • If you have apps that use 3rd-party libraries that are not suitable for manual integration.
  • If you have multiple apps and need a single integration method that works for all app architectures. The SDK Integrator facilitates a universal integration approach.

The F5 Distributed Cloud Mobile SDK Integrator is available to all Bot Defense customers for an annual subscription fee. For more information about the Mobile SDK integrator or Bot Defense, contact info@f5.com or visit https://www.f5.com/company/contact.

Request the Distributed Cloud Mobile SDK Integrator

  1. From the Bot Defense navigation menu, select Manage > Mobile > Mobile SDK Integrator.

    Note: If Mobile SDK Integrator is already enabled, the Mobile SDK Integrator download page appears.

  2. From the Mobile SDK Integrator landing page, select Request Service.
Figure: Mobile SDK Integrator landing page

Figure: Mobile SDK Integrator landing page

Download the Distributed Cloud Mobile SDK Integrator

After F5 fulfills your service request to enable Mobile SDK Integrator, perform the following steps:

  1. From the Distributed Cloud Console dashboard, select Bot Defense and then select Manage > Mobile > Mobile SDK Integrator.
  2. From the Actions column next to the operating system for your app, select the Action menu () and then select Download Mobile SDK Integrator.
  3. Extract the contents of the download file.

Next Steps

After you download and extract the Distributed Cloud Mobile SDK Integrator, from the extracted file directory, open the documentation for your operating system:

  • Android: F5-XC-Mobile-SDK-Integrator-Android.pdf
  • iOS: F5-XC-Mobile-SDK-Integrator-iOS.pdf

Review the documentation for additional information about the contents of the extracted download file directory, system requirements and instructions for using the Distributed Cloud Mobile SDK Integrator.

Download a Base Configuration File

To use the F5 Distributed Cloud Mobile SDK or Distributed Cloud Mobile SDK Integrator to protect mobile endpoints, you must obtain a base configuration file and bundle it with your mobile application before you release the application in the app store.

The base configuration file contains configuration information needed to initialize the F5 Mobile SDK, including all of the mobile endpoints configured in your Bot Endpoint Policy. The base configuration file is used during the first launch of an application that uses the F5 Mobile SDK. After the initial launch of the application, the F5 Mobile SDK calls the Bot Defense server and downloads new configuration information each time the application launches.

Note: F5 recommends that you download a new base configuration file and bundle it with a new version of your mobile app whenever you add new mobile endpoints to your Bot Endpoint Policy. This ensures that the base configuration file contains the latest mobile endpoints. For information, see Protect a New Mobile Endpoint.

  1. From the Bot Defense navigation menu, select Manage > Bot Policies and then select Bot Endpoint Policy.
  2. From the list of saved Bot Endpoint Policies, in the Actions column, select the Action menu () next to the policy for which you want to download a new base configuration file. The policy Type must be Mobile.
  3. Depending on the operating system on which your mobile app runs, select either Download iOS Base Configuration File or Download Android Base Configuration File.
  4. Bundle the new base configuration file with your next app update as described in the F5 Distributed Cloud Mobile SDK documentation.

Next Steps

After you download the mobile base configuration file, provide it to your application developers so they can bundle the file with your mobile application that uses the F5 Mobile SDK or Mobile SDK Integrator before you release the application in the app store.

On this page: