noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

District of Columbia Executive[...]

Mayor Bowser Public Calendar for Friday, August 22, 2025
SBA - U.S. Small Business[...]

SBA Relief Still Available to Missouri Private Nonprofits Affected by[...]
SBA - U.S. Small Business[...]

SBA Relief Still Available to Arkansas Businesses, Nonprofits and[...]

Technology

Radware Ltd.

07/09/2025 | Press release | Distributed by Public on 07/09/2025 15:00

Complementing Attestation with Behavioural Anomaly Detection in Mobile Applications

With the rapid rise of AI-driven tools bots are no longer simple scripts, they've evolved into sophisticated agents capable of closely imitating human behavior. For application owners, this means it's getting harder to tell real users apart from automation, especially when everything appears to be running on a legitimate device.

What's more concerning is how accessible these tools have become. With the growing ease of building advanced bots thanks to off-the-shelf AI utilities and frameworks, the number of automated attacks has risen sharply. This surge in volume, coupled with the sophistication of techniques, makes bot detection not only more difficult but also more critical. Traditional bot detection techniques, often based on static rules or environment checks, are struggling to keep up. Attackers are adapting quickly, using AI to fine-tune their bots and stay one step ahead. This creates a unique challenge in mobile environments, where telemetry is limited compared to browsers.

To tackle this, mobile bot detection has evolved along two complementary paths: attestation-based validation and behavioral anomaly detection. Attestation ensures the SDK is running on an authentic, untampered device, as discussed in our earlier blog on mobile SDK attestation. Behavioral anomaly detection, on the other hand, shifts the focus to how the app is actually used-identifying subtle deviations in interaction timing, gesture patterns, and motion signals. While attestation builds trust in the environment, anomaly detection builds trust in the behavior. This blog explores the latter in detail.

Why Anomaly Detection Matters

Mobile environments are increasingly targeted for abuse-through emulators, instrumentation frameworks, automated replay tools, and reverse-engineering techniques. Unlike browser-based clients, SDKs operate in more constrained environments where visibility is limited, making traditional detection techniques less effective.

Our objective is to uncover usage patterns that deviate from normal human behavior, even when the application and SDK appear to be functioning correctly.

Android vs. iOS: Platform-Specific Challenges

The mobile ecosystem is split primarily into Android and iOS, each with different telemetry possibilities and threat vectors. Our anomaly detection module treats these systems independently while applying a common framework of feature extraction, model training, and enforcement.

Android

Android offers a broader surface for both introspection and abuse. Key signals include:

Device model, build fingerprint, and OS API level
Touch interaction profiles and motion event patterns
App installation source and signature consistency
Sensor presence and live telemetry (e.g., accelerometer, gyroscope)

Due to Android's openness, attackers often use tools like Magisk, Xposed, or emulators such as Genymotion. The challenge lies in spotting subtle inconsistencies that reveal these tools are in play.

iOS

iOS provides a more closed environment with fewer observable data points:

Jailbreak markers (Cydia, file system changes, unsigned binaries)
Simulator detection (missing hardware sensors, deterministic timing)
Network call behavior and UI interaction delays
Limited motion entropy from touch or device movement

While attestation mechanisms (like DeviceCheck or App Attest) help validate the runtime, anomaly detection enables us to catch outlier behavior-particularly from simulated or jailbroken devices.

Examples of Detected Anomalies

Common anomaly patterns observed across mobile apps include:

Static sensors: Device sensors like the gyroscope or accelerometer remain inactive during app usage, which is highly unusual for real users. Human interaction naturally causes slight movements and sensor noise, its absence often points to automated environments like emulators or replays.

Synthetic gestures: Taps, swipes, or scrolls exhibit unnaturally precise paths or timing such as millisecond-perfect delays or linear trajectories without variance. These patterns lack the randomness and fluidity of genuine touch input, making them strong indicators of bot behavior.

Device inconsistency: The reported device metadata (e.g., model name, build fingerprint) doesn't match expected interaction behavior. For instance, a low-end device showing ultra-fast response times or high-touch accuracy may suggest spoofed device properties or simulated sessions.

Session replays: The same interaction sequence is observed multiple times across different sessions, often with differing IPs, locations, or device IDs. This strongly points to session recording and replay attacks, typically used to exploit app logic or abuse transactional flows.

Entropy gaps: Real human input contains natural variability in timing, gesture precision, and motion dynamics. Bots often fail to replicate this entropy, resulting in suspiciously uniform or deterministic input sequences that deviate from normal usage patterns.

These anomalies are contextual-some apps may see them more frequently than others depending on user demographics and typical usage.

Mitigation Strategies

CAPTCHA Challenge
Prompt the user with an in-app CAPTCHA (visual or native) to confirm human interaction in cases of medium-confidence anomalies.

Trigger Attestation
Enforce a mobile attestation process for the flagged session to revalidate device authenticity and runtime environment.

Server-Side Rate Limiting
Apply backend rate controls based on session or user identity to throttle anomalous traffic and contain potential abuse.

These responses are adaptive and configurable, giving application owners control over enforcement without affecting normal user experience.

Final Thoughts

The Mobile Anomaly Detection Module is a key part of Radware's broader mobile defense strategy, working in tandem with attestation to provide a layered and resilient protection model. While attestation validates the environment, anomaly detection adds context by analyzing how the app is used. Together, they provide a comprehensive framework for detecting automation, misuse, and device simulation without compromising the user experience.

Posted in: Application Protection

Radware Ltd. published this content on July 09, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 09, 2025 at 21:00 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at support@pubt.io