News From the Wire

Appdome unveils identity-first mobile API protection

Tuesday, April 14, 2026 — 17:08:21 (UTC)

First Layer 7 solution to bring verified application identity, trusted device context, precise location, and deep session risk into API Authorization.

REDWOOD CITY, Calif., April 14, 2026 /PRNewswire/ -- Appdome, the leader in protecting the mobile economy, today announced six major upgrades to its MobileBOT™ Defense product, creating the industry's first, full-suite, Identity-First Mobile API Protection solution. The new capabilities move API security from inference and guesswork to verifiable trust, empowering mobile businesses to stop brute-force bots and authorize API access based on proven identity of the mobile app, device, and session, real-world location, and session risks.

"New technologies, especially AI, have radically expanded the API Attack Surface," said Tom Tovar, CEO and Co-Founder of Appdome. "Bot farms still exist, but the biggest risk now comes from fake, spoofed, and deeply compromised mobile applications, devices, locations, and users. Identity-First Mobile API Protection shifts the model from inferring legitimacy to proving it — requiring trusted application and device identity before sensitive APIs respond."

Moving API Protection from Guesswork to Trust

Legacy mobile bot detection uses a web application firewall (WAF) to infer legitimacy from network behavior and cloud-side heuristics, and a WAF Anti-Bot SDK to manage session cookies and collect basic threat telemetry. This model has become obsolete. New malware can capture and reuse session cookies. Applications running WAF Anti-bot can be weaponized in automated environments. AI deepfakes, as well as fake devices, applications, and users, can be spun up quickly to leverage real or modified identities across 1000s of attack scenarios simultaneously.

Appdome's Identity-First Bot and API defense takes a different approach. With MobileBOT, the true identity of the application and device must be verified first, and any on-device or network risk must be evaluated before granting API access, effectively stopping any class of network or API-level attack. To do this, MobileBOT sends cryptographic mobile application and device identifiers, time-bound session trust, verified GPS location, and deep session risk signals in a hardened payload to the WAF with every API connection request. Unlike behavioral bot management platforms that rely primarily on probabilistic scoring, Identity-First Mobile API Protection provides deterministic proof of application and device authenticity before granting access to APIs.

"It's the first time anyone has used mobile application and device identity to stop bots and API attacks," said Avi Yehuda, Co-Creator and CTO at Appdome. "Before, a network used a single authorization token or cookie to grant access. Now, they have a multi-layered identity scheme that guarantees legitimacy before granting API Access. That's a tectonic shift in how networks protect APIs."

Get New & Better Context to Stop API Attacks

Appdome's new MobileBOT Defense introduces a new, multi-tiered identity model that governs every API session.

Mobile App Identity — 'Is this my app?'

Using MobileBOT, each API request attests a true mobile app with a three-layered identity consisting of:

- mTLS-backed client certificate as the primary cryptographic credential passed in the TLS handshake.
- AppID, unique application identifier derived from the fingerprint of the mobile application's signature and bundleID.
- AppVerified™ Attestation, a Boolean value that reveals the real-time checksum attestation of the app making the connection request.

Together, these create a strong identity model, including:

- Something you know – the client certificate,
- Something you have – the app signature fingerprint,
- Something you are – a verified, unmodified app.

Any API request that cannot present a valid application identity can be blocked before any connection is granted.

Mobile Device Identity — 'Is this a real device?'

In the updates to MobileBOT, Appdome now provides the trusted mobile device context in every API request, including:

- Verified device attributes - manufacturer, model, OS, and version, and
- Actual GPS location - captured inside a hardened application runtime (not inferred from IP).

It also provides deeper device and session risk signals, including:

- Basic Device Risk - jailbreak/root, emulators, simulators, debuggers, MiTM.
- Advanced Device Threats - Magisk, KernelSU, Frida, LSPosed, ADB abuse, virtualization, auto-clickers, HideMyApp, and stealth tooling.
- Fraud and ATO Threats - Deepfakes, Social Engineering, Location Spoofing, Trojans, Spyware, and more.

Legacy bot defense products don't offer this level of risk and location granularity and treat device details as after-the-fact telemetry. Appdome's signals, by contrast, are evaluated during API authorization.

Session Identity — 'What Happens If?'

The updated MobileBOT product also introduces a dynamic session fingerprint that includes:

- Client-controlled, time-bound Session Fingerprint - enforced inside Appdome's hardened runtime, and
- Remote Update - allowing the business to control/revoke the TTL, update app-level rate limits, update or rotate Client Certificates, or change Hosts/APIs over-the-air, via remote configuration or at build time.

The dynamic and remote update capabilities dramatically enhance the flexibility of the MobileBOT offering, materially reducing replay risk, scripted automation, and credential-stuffing abuse. All values are fully protected at rest and in transit using Appdome's industry-leading mobile app security and MiTM defense. In-transit protections are built on modern TLS using ECDHE-based Forward Secrecy to prevent retrospective decryption of recorded traffic.

"If identity is the new perimeter, then proven, valid, and trustworthy mobile identity must come before biometrics are performed and access is granted – it's that simple," said Roy Cohen, Engineering Lead for MobileBOT Defense. "This release ensures that verified mobile identity — where the app, device, and session must prove legitimacy and intent — establishes trust before sensitive workflows such as onboarding, authentication, IDV, and payments are initiated."

Still Built for Any WAF - by Design

MobileBOT Defense remains compatible with any industry-standard WAF, including Akamai, AWS WAF, Cloudflare, Fastly, F5, Radware, and Imperva. Enterprises can preserve existing infrastructure investments while adding an independent mobile bot and API defense layer that plugs into their network stack. Unlike cloud-centric bot solutions tied to a single provider, Appdome positions itself as the universal mobile trust substrate for the API economy.

"New AI-based attack vectors have changed the mobile application security game," said Jason Bloomberg, managing director of analyst firm Intellyx. "Appdome solves this problem by bringing verified app identity, trusted device context, and precise location intelligence into the API decision flow. Appdome customers now have a low-risk path to the identity-native security essential for fighting modern AI-based mobile threats."

Availability

Identity-First Mobile Bot & API Defense capabilities are available immediately to existing and new Appdome MobileBOT Defense customers. Like all other Appdome defenses, the new MobileBOT Defense solution is built by AI inside mobile apps on the Appdome platform in a zero-touch, no-code, no-SDK workflow.

About Appdome

Appdome's mission is to protect every mobile app in the world and empower defenders with unique data and Agentic solutions to keep users safe. Appdome's patented Agentic Defense Platform can provide defensive capabilities inside every aspect of a mobile business, from DevSecOps to mobile applications, networks, APIs, and Identity. Appdome uses five purpose-built Agents to build, monitor, interrogate, and respond with for 400+ mobile app security, anti-fraud, bot defense, anti-malware, geo compliance, social engineering, deepfake, and other defenses on demand. With Appdome's ThreatScope™ Mobile XTM, brands can analyze risk, threat trends, investigate attacks and manage their Mobile Risk Index™, preempting attacks in real-time. Appdome's Threat-Events™ framework is a real-time threat-signaling agent brands use to customize threat responses inside Android & iOS apps. As a platform, Appdome functions as a continuous compliance center, tracking all builds, changes, teams, users, defense configurations, events, and more for quick and easy audit of the mobile defense lifecycle. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Source: Company press release.

Categories: New Product