Mobile API Protection
Introducing DexProtector API Protection
It exists to make sure your backend only accepts requests from genuine, untampered mobile apps.
Your mobile application is like a portal to your backend.
Attackers understand this concept, which is why they will often try to use tampered or outdated apps to bypass your security.
DexProtector API Protection stops attacks like these from succeeding. It enables you to cryptographically and intelligently verify that every API request is coming from a trusted, secure app instance.
The Challenge: How to know which API requests you can trust
Mobile apps have long been the go-to digital user interface — but from a security perspective you can think of them as machines that generate API requests. That’s why attackers are targeting this interface relentlessly.
The most common risks associated with APIs are detailed in the OWASP Top 10 API Security Risks – 2023. A rich set of countermeasures, including strong request verification, is also detailed there.
Robust request validation is crucial for Mobile APIs because the API is the only way a mobile app can communicate with the backend.
Without it, your backend might be exposed to the following real-world threats:
- Bots hammering your backend with credential stuffing attacks
- Attackers exploiting older app versions lacking critical security updates, code obfuscation, data encryption, or runtime application self-protection mechanisms – thereby circumventing security controls that help enforce fraud prevention and app integrity
- Fraudsters carrying out API requests from non-mobile endpoints, enabling them to evade device-based security checks
- Functional cloned apps interacting with your APIs and stealing real user data
- Stolen API keys being reused in spoofed requests
- Replay attacks mimicking legitimate user activity
The end result of these attacks?
Financial fraud, data breaches, account takeovers, skewed analytics, reputational damage — not to mention serious compliance risk.
The Solution: Validate every Mobile API request at the source
DexProtector API Protection verifies the integrity and legitimacy of the application initiating an API request (before processing it). This protects your backend and strengthens every layer of your mobile channel protection.
Mobile API Protection with DexProtector:
- Verifies app integrity by making sure the application accessing your APIs is authentic and untampered
- Leverages Runtime Application Self-Protection (RASP) – it is built on DexProtector's RASP technology and secure key management for comprehensive security
- Provides secure key management – it integrates with Hardware Security Modules (HSMs) via Google Tink for robust key storage and protection
How it works
DexProtector's Mobile API Protection uses a secure, self-contained method to verify app authenticity.
Secret Key Embedding:
During app protection, DexProtector securely embeds a unique cryptographic secret key within the application.
Runtime Verification and JWT Generation:
At runtime, DexProtector's RASP engine checks if the app is running in a secure state. If it is, then it generates a short-lived JSON Web Token (JWT) that confirms the app's integrity. The JWT is cryptographically signed using the previously embedded secret key.
Backend Validation:
The mobile app transfers this JWT to the backend. The backend uses the same secret key (securely provisioned on the server side) to verify the JWT's signature, expiration, app version, and package.
Authorization Decision:
If the JWT is valid, then the backend trusts that the request originates from a legitimate, protected app instance. If it is invalid, then the request is rejected, preventing potential abuse and protecting your backend.
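The backend validation and authorization steps above, as an added illustration that is not DexProtector's own code and does not reproduce its actual token layout: a minimal HS256 JWT verifier in Python that checks the four things the page lists (signature, expiration, app version, package) and then makes the accept/reject decision. The claim names `package` and `app_version`, the secret value, the package name, the minimum version, and the 300-second lifetime bound are all assumptions chosen for the example; a real deployment would use the claims DexProtector actually emits and would load the secret from the HSM/KMS-backed key store rather than a constant. `make_token` stands in for the app side only so the verifier has something to check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values. In production the secret is provisioned from the
# server-side key store (the page mentions HSMs via Google Tink), and the
# package/version policy comes from configuration.
BACKEND_SECRET = b"constructed-sample-secret-not-for-real-use"
EXPECTED_PACKAGE = "com.example.bankapp"   # assumed package name
MIN_APP_VERSION = 42                       # assumed minimum accepted version code
MAX_TOKEN_LIFETIME = 300                   # assumed bound on "short-lived", in seconds
CLOCK_SKEW = 30                            # tolerated clock difference, in seconds


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes) -> str:
    """App-side stand-in: build an HS256-signed JWT from the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, *, now: Optional[float] = None,
                 expected_package: str = EXPECTED_PACKAGE,
                 min_version: int = MIN_APP_VERSION) -> Tuple[bool, str]:
    """Backend-side check. Returns (accepted, reason); only (True, "ok") is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm on the server: the token is never allowed to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad_alg"
    # 1. Signature: recompute the HMAC with the provisioned secret, compare in constant time.
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    # 2. Expiration: reject expired tokens and tokens whose lifetime exceeds policy.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    if (not isinstance(iat, (int, float)) or exp - iat > MAX_TOKEN_LIFETIME
            or iat > now + CLOCK_SKEW):
        return False, "bad_lifetime"
    # 3. Package: the token must have been minted by the app we actually shipped.
    if claims.get("package") != expected_package:
        return False, "wrong_package"
    # 4. App version: refuse outdated builds that lack current protections.
    version = claims.get("app_version")
    if not isinstance(version, int) or version < min_version:
        return False, "outdated_app"
    return True, "ok"


def authorize_request(token: str, secret: bytes, now: Optional[float] = None) -> int:
    """Authorization decision as an HTTP status: 200 to proceed, 401 to reject."""
    ok, _reason = verify_token(token, secret, now=now)
    return 200 if ok else 401


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = make_token({"iat": t0, "exp": t0 + 120, "package": EXPECTED_PACKAGE,
                       "app_version": 50}, BACKEND_SECRET)
    print(verify_token(good, BACKEND_SECRET, now=t0))        # (True, 'ok')
    print(verify_token(good, BACKEND_SECRET, now=t0 + 121))  # (False, 'expired')
```

Two points of the design are worth noting. The signature is checked before any claim is read, so every later decision (expiry, package, version) rests on data the secret key already vouches for; and the lifetime bound plus `exp` limits how long a captured token stays useful, which is what makes the page's "short-lived" property meaningful against replay. Single-use tokens would additionally need a server-side record of seen token identifiers, which this example does not include.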
DexProtector is an EMVCo-certified no-code security solution for Android and iOS applications and libraries.
A post-build protection tool, DexProtector is deployed fully on-premises and offline, and is easily integrated into the mobile application build process. It has been EMVCo SBMP evaluated and approved for five consecutive years.
DexProtector comprehensively secures the app through obfuscation, encryption, and Runtime Application Self-Protection (RASP), automatically integrating a range of runtime components to prevent and mitigate reverse engineering, tampering, data theft, and fraud.
Alice Threat Intelligence is a monitoring and attestation solution that provides real-time reporting about the threat landscape.
Alice enables banks to increase observability over usage of their mobile apps, to identify malware, compromised devices, and suspicious activity, and to assess risk factors for each user session in real-time and retrospectively.
Its tamper-proofed User Identification and Anti-Malware modules not only help to secure your app today but also help to fortify it against the threats to come.
Alice has its own alternative approach to Mobile API Protection using real-time telemetry data and a unique session_id.
Get in touch with us if you would like to find out more about it.
Key benefits of Mobile API Protection
- Ensure that only requests from trusted mobile app instances are accepted
- Stop API abuse and block automated fraud, data scraping, and brute-force attacks
- Prevent mobile app fraud at the source by reliably validating app integrity on the backend
- Protect against clones, fakes, and repackaged apps
- Enterprise-ready – secure key management, scalable architecture, and easy integration
- Reduced business risk – prevent fraud, protect data, and support compliance
API Protection is critical for any mobile app interacting with sensitive data or functionalities
- Financial Services – Prevent account takeovers and secure transactions
- Retail & E-commerce – Block fake orders, loyalty fraud, and scraping
- Gaming – Stop cheating, unauthorized access, and botting
- Healthcare – Secure patient records and personal health data
Licel has more than 14 years’ experience securing mobile channels — from runtime protection and obfuscation to real-time threat and device intelligence.
Our solutions bring together our deep understanding of mobile app behavior with cutting-edge protection mechanisms to transform the mobile device into a trusted portal.