The Threat
Automated scripts and malicious apps impersonating your official client to scrape data or commit fraud.
The Impact
API abuse, account takeovers, and severe infrastructure load from unauthorized traffic.
Legacy Failure
Traditional WAFs and CAPTCHAs cannot distinguish between a real app and a spoofed request.
The Solution
Deterministic hardware attestation that validates the app instance at the edge.
A positive security model is a strategy in which you only allow traffic from known, verified sources (in this case, your official mobile application) and block everything else by default.
Attackers can easily decompile mobile apps to extract API keys or use headless emulators to mimic legitimate traffic, bypassing IP-based rate limiting and visual CAPTCHAs.
TrustSig uses hardware-level attestation to verify the integrity of the client environment. We mathematically prove that the request is coming from your genuine, unmodified app instance.
The Shift to Positive Security
In the world of API security, most organizations rely on a negative security model. They try to identify and block "bad" traffic—known malicious IPs, suspicious user agents, or automated patterns. However, as attackers become more sophisticated, this approach is failing.
We believe the most effective way to stop API abuse is to adopt a positive security model. Instead of trying to keep up with an infinite list of bad actors, you should only allow traffic from your verified, official app. If a request does not originate from a genuine instance of your software, it should be rejected immediately.
Why Legacy Defenses Are Not Enough
Mobile apps are often treated as public clients. Because they run on devices you do not control, attackers can decompile your binary, extract your API keys, and use scripts to interact with your backend.
If you rely on traditional tools, you face several risks:
- Impersonation: Malicious apps can register the same protocol handlers or use the same client IDs as your genuine app to receive authorization responses.
- Secret Extraction: If your app stores API secrets in insecure locations, attackers can extract them and use them to build custom clients that bypass your security entirely.
- Bot Sophistication: Modern AI-driven bots can mimic human behavior, making it impossible for standard rate-limiting or CAPTCHA-based systems to tell the difference between a real user and a script.
Deterministic Bot Mitigation
At TrustSig, we believe security should be deterministic. We do not rely on guessing whether a user is a human or a bot. Instead, we challenge the client's environment.
By using hardware-level attestation, we verify the integrity of the app and the device. We look at WebGL rendering fingerprints, CPU thread concurrency, and other hardware telemetry to ensure the request is coming from a genuine consumer device running your official code.
This process happens invisibly at the edge. Because we validate the environment rather than the user, we eliminate the need for intrusive CAPTCHAs. If the request does not meet our strict attestation criteria, it is blocked before it ever reaches your database.
Building a Trust Chain
To truly secure your mobile-to-backend communication, you must ensure that your API only accepts requests that can prove they are coming from your official app. By combining this with secure token handling and least-privilege access, you create a robust defense that protects your infrastructure from the industrialization of cyber threats.
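The default-deny gatekeeper described above, written as an added illustration rather than TrustSig's own code or token format. It assumes a hypothetical attestation service that, after a device passes attestation, issues a short-lived HMAC-signed assertion bound to the app build and the specific request; the edge verifies it with a key that is never shipped inside the mobile binary, and every failure path is a rejection.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: shared only between the attestation service and the edge.
# It is never embedded in the app, so decompiling the binary yields nothing usable.
EDGE_KEY = b"constructed-demo-key-do-not-use"
# Allow-list of official app builds (hypothetical identifiers); anything else is denied.
OFFICIAL_BUILDS = {"com.example.app": {"build-2024.06-release"}}
MAX_AGE_SECONDS = 120  # assertions are short-lived to limit replay


def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(EDGE_KEY, payload, hashlib.sha256).digest()).decode()


def issue_assertion(app_id, build_id, method, path, issued_at):
    """Stand-in for the attestation service: called only after the app instance passed attestation."""
    claims = {"app": app_id, "build": build_id, "iat": issued_at,
              "req": hashlib.sha256(f"{method} {path}".encode()).hexdigest()}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_request(method, path, headers, now=None):
    """Positive model at the edge: returns (allowed, reason); every check that fails denies."""
    now = time.time() if now is None else now
    token = headers.get("X-App-Attestation")  # hypothetical header name
    if not token or token.count(".") != 1:
        return False, "no attestation presented"
    payload_b64, sig = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False, "malformed attestation"
    if not isinstance(claims, dict) or not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - MAX_AGE_SECONDS) <= iat <= now:
        return False, "stale or future-dated attestation"
    if claims.get("build") not in OFFICIAL_BUILDS.get(claims.get("app"), set()):
        return False, "not an official app build"
    expected_req = hashlib.sha256(f"{method} {path}".encode()).hexdigest()
    if claims.get("req") != expected_req:
        return False, "attestation not bound to this request"
    return True, "ok"
```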
TrustSig provides the gatekeeper your APIs need. By moving to a positive security model, you stop worrying about the next wave of bots and start focusing on your users.