The Emulator Gap: Why Static Headers Fail to Detect Virtual Environments

TrustSig
3 min read

The Threat

Sophisticated emulators can easily mimic software environments to generate valid security headers.

The Impact

Automated attacks bypass traditional WAFs by spoofing legitimate device signatures.

Legacy Failure

Static headers verify the secret, not the physical hardware behind the request.

The Solution

TrustSig performs deterministic hardware attestation to verify physical silicon presence.

Frequently Asked Questions

Static headers, such as an Authorization header carrying a JWT or a custom HMAC signature, only verify the 'what': possession of the secret key or token. They do not verify the 'where', the actual hardware the request was sent from. Because an emulator that holds the same secret, or that has captured one valid request, can generate or replay these headers, its traffic appears legitimate to traditional security systems.

TrustSig moves beyond software-based checks. We analyze hardware telemetry to confirm the presence of physical silicon. Since emulators lack the unique, deterministic hardware layout of genuine consumer devices, they cannot pass our attestation process.

The Anatomy of the Emulator Gap

In 2026, the reliance on static headers—such as JWT tokens or custom API signatures—has become a standard practice for securing mobile and web APIs. While these methods are effective at ensuring a request is "authorized," we think they are fundamentally flawed when it comes to bot mitigation.

The problem is simple: a static header verifies the secret, not the device. If an attacker can reverse-engineer your mobile application to extract the signing key, or intercept a valid token, they can regenerate or replay that header from any environment. In our opinion, this creates a massive "Emulator Gap" where your security infrastructure assumes a request is coming from a genuine user, when it is actually originating from a headless emulator running on a cloud server.

Why Static Headers Fail

Many organizations rely on WAF-based solutions to validate tokens. While these tools are excellent at blocking malformed requests, they struggle to distinguish between a real mobile device and a sophisticated emulator.

  1. Software Mimicry: Modern emulators are designed to replicate the software environment of a mobile device closely. They can spoof user agents and device IDs and, once the signing key has been extracted from the app, produce the cryptographic signatures your headers require.
  2. The "What" vs. The "Where": A static header is just data. It tells the server that the request should be trusted, but it provides no proof of the physical environment. If the attacker has the "what" (the valid token), they have successfully bypassed the gate.
  3. Cloud-Scale Automation: Because emulators run in virtualized environments, attackers can spin up thousands of instances to test credentials or scrape data, all while presenting a perfectly valid, signed header to your API.

Moving from "What" to "Where"

At TrustSig, we believe the future of bot mitigation lies in deterministic hardware attestation. Instead of asking the client to prove they have a secret, we ask the client to prove they are running on physical silicon.

By analyzing hardware-level telemetry collected by our SDK or script, such as rendering fingerprints, CPU concurrency, and AudioContext evaluation, we can determine with high confidence whether the requesting client is a genuine consumer device.

This process is invisible to the user and happens out-of-band. Even if an attacker manages to steal a valid token or spoof a header, they cannot fake the physical hardware characteristics of a real device. When our system detects the absence of physical silicon, we block the request instantly, regardless of how "valid" the header appears to be.

By shifting the focus from verifying the token to verifying the hardware, we help you close the Emulator Gap and ensure that your API is only accessed by the devices you intend to serve.

Secure your endpoints today

Deploy hardware-level attestation in minutes. Eradicate bot traffic with zero user friction and absolute GDPR compliance.


Ready to stop automated fraud?

Integrate TrustSig via our native SDKs or drop-in HTML scripts. Protect your ecosystem without sacrificing conversion rates.