Counteract API abuse

Build38 provides robust protection from API abuse attacks. Our unique defense against these advanced threats centers around our active app hardening capabilities. These involve individualizing each app instance through X.509 certificates, injecting unique cryptographic keys into mobile app instances, and maintaining a secure link with all app instances continuously.

How hackers do it

Hackers can leverage a compromised app as a Trojan horse to unlawfully access back-end APIs. In this scenario, the attacker first compromises a legitimate mobile app, often by injecting malicious code or tampering with its behavior.

Once the app has been compromised, it still looks like a trustworthy application, but behind the scenes, it has been programmed to send unauthorized API requests to the target server, typically bypassing security measures.

Another attack scenario involves compromising API credentials or tokens themselves, and following up with programmatically initiated API calls from a malicious server.

Regardless of the method used to hack a mobile app’s back-end APIs, the potential fallout can be devastating, allowing for wide-scale breaches of sensitive personal user data.

How Build38 protects your mobile apps

We protect you from API abuse with exclusive Active App Hardening capabilities.

Active hardening

Active app hardening is achieved through three distinct methods:

  • When an app is launched, the Build38 Active Hardening Server issues X.509 certificates for each instance, ensuring unique and secure identification throughout each app's lifespan.
  • The server verifies device binding information to continuously strengthen the app's local device binding.
  • The server individualizes every app instance by injecting a unique cryptographic key into each one, reinforcing local defense.

This not only enhances app security but also fortifies the entire mobile technology stack, including back-end APIs. Robust app individualization ensures that only legitimate instances can access back-end APIs, effectively preventing API scraping attacks. We accomplish this in two ways:

  1. Enabling mutual TLS authentication in the API gateway.
  2. Utilizing our platform’s REST APIs to programmatically verify the app’s authenticity.

Why businesses 
choose Build38

Businesses worldwide trust Build38 with their mobile app security. Don’t just take our word for it—listen to what our customers have to say.

Discover the next generation
of mobile app security