Aug 20, 2025

How App Attestation Stops API Abuse in Mobile Apps

Shibi Varughese

Mobile APIs are vulnerable to abuse. Attackers use emulators and manipulated or modified apps to flood mobile API endpoints. They can replay purchase calls to steal goods or trigger duplicate fund transfers to steal money. They can even strip threat metadata from the API call to hide jailbreak status.

Server validation misses these attacks because the requests look valid. Most API security tools confirm who sent the request, but ignore whether the app itself is intact.

App Attestation adds a device-side stamp that proves the request is authentic and that it came from the protected app on a healthy device.

Why App Attestation Matters

  • In banking, attackers clone the app, slip past MFA, and wire funds to mule accounts to launder money.
  • In retail, attackers abuse a coupon redemption call and drain inventory with endless discounts.
  • In airlines, attackers can generate fake boarding passes, letting someone clear the gate with no ticket on file.
  • In the automotive industry, attackers can exploit APIs to steal vehicles or profit from stolen data.

Each attack works because the backend sees a request that looks real. It cannot prove the app or device is genuine.

App attestation fixes this. The server checks a signal that only the untouched app on a trusted device can create.

Without it, attackers can:

  • Generate new API calls that impersonate the real app
  • Replay old requests and bypass server-side identity checks and protections
  • Strip threat data within the API call to bypass protections

How Zimperium Enables Mobile App Attestation

Zimperium’s runtime protection SDK (zDefend) supports this by helping your backend servers and gateways verify that each request was initiated from an untampered app running in a secure environment. Once embedded, it enables the host app and its backend servers to maintain the integrity of all communications.


Benefits of zDefend

1. Prevent App Tampering

zDefend integrates encrypted signals directly into your application's messages, creating a strong binding mechanism. This binding process validates the application's authenticity and integrity to backend servers receiving API requests from the mobile app. Should an attacker try to remove the SDK, the absence of this crucial signal will alert the server to terminate the request. This prevents app tampering and establishes a highly secure communication channel between the application and its servers.

2. Detect and Block Emulators, Device Farms and Compromised Devices

Attackers frequently use emulators, cloud-based device farms, or compromised physical devices as controlled environments for reverse engineering and large-scale API abuse. With zDefend, each API request can include an attestation signal that verifies the integrity of both the app and its runtime environment. This helps ensure that your servers only trust requests from genuine, uncompromised devices.

3. Stop API Abuse with Replay Attacks

Replay attacks threaten server security when a malicious actor intercepts a valid request and resends it. This can lead to duplicate transactions, unauthorized access, or security bypasses. zDefend provides a strong way to prevent replay attacks by using “nonces” strategically. A nonce, which means "number used once," is a unique and randomly generated value linked to each request. The server then checks this nonce when it receives the request to confirm it has not been used before.

4. Library Lifting

zDefend binds static libraries to your authorized app, ensuring they cannot be removed or reused in unapproved or malicious apps. If an attacker tampers with the library or its traffic in any way, the attestation process will fail, and the backend will reject requests. This protects proprietary code, business logic, and embedded keys from being exploited in other apps.

5. Robust Key Protection

zDefend secures its signals with cryptographically signed keys, protected by white-box cryptography, ensuring they are never exposed, even if the device is compromised. This prevents malicious actors from forging or manipulating signals, preserving security assessment integrity.

6. Flexible Key Management

The solution offers two key management options: built-in keys for secure out-of-the-box use without setup, and "bring your own" custom keys, which require setup but suit regulated or high-security environments. The choice depends on an organization's specific security policies, regulatory obligations, and operational preferences.

Final Thoughts

zDefend’s App Attestation capability helps backend servers trust the mobile app and the traffic coming from it. The solution enables you to verify that every request originates from a legitimate and secure app, running on a trusted device.

Need help getting started?

Contact Us for more information or a quick demo of the solution.