How to protect your brand's mobile apps against sneaker bots
by Tom Tovar
The bots, created initially to buy large quantities of sneakers, let collectors and unscrupulous people to gobble up newly released products, which they sometimes resell at huge markups. They go by many names such as sneaker bots, click-bots and Instacart bots. Whatever we call these automated ordering bots, they are a serious threat to the online shopping and gig economy experience, damaging mobile businesses’ reputation and hurting sales.
Created initially to purchase large quantities of new sneakers automatically, sneaker bots enable collectors and unscrupulous individuals to gobble up new releases, sometimes reselling them at huge markups and squeezing out ordinary customers who want a pair for themselves. So, when the new Nike Air is finally released, it can be almost impossible to buy a pair online.
These bots have expanded to target a much wider array of goods and services. Events, air travel, grocery shopping and even rideshare companies are all falling prey to bots that enable individuals to hoard their products and scrape information that hackers can use to make their bots even more effective. Plus, they’re not hard to find. There are plenty to choose from on the Apple App Store, Google Play and alternative app stores. The number and scope of automated ordering bots continue to grow. According to Imperva’s 2019 Bad Bot report, “bad bots” account for just under a quarter of all internet traffic. And while bots can, of course, run on laptops, consumers are much more likely to use their mobile devices. According to the Pew Research Center, 74% of households own a computer and 84% have smartphones. However, mobile dominates usage: more than half of worldwide internet traffic last year came from mobile devices, and U.S. consumers spent about 40% more time using their smartphones than they did their desktops and laptops.
General in-app security measures to fight bots
Thankfully, there are measures that developers can take to protect their mobile apps from automatic ordering bots. For starters, they can design their apps so that they won’t function in the presence of a malicious app on the same device. Likewise, developers can implement protections to prevent hackers from reverse engineering their original app, enabling bot developers to understand the ordering process and create bots that take advantage of the good apps’ vulnerabilities. To do this, developers should employ standard security methods such as app shielding, app hardening, obfuscation and targeted encryption can reduce the usefulness of sneaker bots that target a specific app. Additionally, measures that prevent emulators and simulators, debugging and overlays, and not allowing a genuine mobile app from running on rooted or jailbroken phones can slow down or stop sneaker bots.
These measures aim to close off the pathways automated ordering apps use to function and make it extremely hard for developers of sneaker bots to know when or how to click and execute actions on behalf of an app. Developers can add these methods to the next mobile app release to prevent sneaker bots’ creation and reduce their usefulness.
Targeted in-app security measures
Of course, not every consumer will update to the latest version, so it’s not in the retailer’s interest to disable all previous, unprotected versions. Also, if hackers already understand the back-end ordering process, they may still produce a viable bot. After all, very few organizations will change their entire back-end ordering process; it’s not only expensive and complex, but it would also break all previous versions of their apps. Adding new protections like obfuscation and app shielding designed to block static and dynamic analysis in a new app won’t help an existing app (i.e., the app on the devices in the hands of your users) block an existing bot.
In this case, your best bet to protect apps already in the field is to add protections to the back end, such as rate-limiting purchases to prevent mass ordering by a single individual. Yet this measure won’t help much if your app is an on-demand delivery app. It would be best if you protected against automated ordering without blocking legitimate customers.
Obfuscation won’t help protect your app if it’s already in the field because the reverse engineering ship has long since sailed. The automated ordering bot developer already knows exactly how the app and its ordering system works, so unless developers substantially change the architecture of new releases—an unlikely prospect—even updated releases will be vulnerable. But other methods can still help prevent bots from wreaking maximum havoc. Some bots, for example, may gain or require root access on the device to function. Preventing good apps from running on phones that are rooted or jailbroken provides protection. Some security measures rely on blocking bots based on their BundleID codes, which Apple uses to identify apps uniquely. It’s not a bad measure to take and may provide some protection. But BundleIDs are changeable and some bots change their BundleID automatically. Ultimately, blocking bots based on their BundleID is like playing a game of whack-a-mole, providing minimal impact for a lot of effort. The best practice is to address the threat from automated ordering by disabling the methods the bots use to infiltrate your app’s processes, but as outlined, the methods they use are varied. Achieving maximum protection—especially if you have a popular app already in the field—may require engaging with an external security research team. Still, it’s possible to block these programs from destroying your business without complex systems and back-end upgrades.