Automated purchasing bots, also known as “sneaker bots,” “click bots,” “Instacart bots” and other names, are ruining the online shopping and gig economy experience for both consumers and workers. These bots can cause considerable damage to a mobile business’ reputation and bottom line.
As their namesake indicates, these bots were originally developed to automate the purchase of sneakers, enabling collectors and hoarders (who will resell them at a 10x or more markup) to buy mass quantities of the latest releases and squeeze out ordinary customers. As a result, for example, when Nike releases a new shoe, it can be almost impossible for individuals to beat the bots and purchase a pair for themselves online.
But these automated transaction bots are now used for far more than just sneakers. Airlines, e-commerce and events sites, and even rideshare companies all suffer from bots that scrape information and hoard products, damaging the targeted company’s brand and making it difficult for consumers to buy goods and services.
These bots are easy to get. Both the Apple App Store and Google Play provide them for downloading, along with many other websites. For example, Instacart bots are third-party apps that run alongside the legitimate Instacart app and claim the best orders immediately as they are posted on the app, making it practically impossible for human shoppers to get access to most lucrative orders.
The problem is growing. According to Imperva, bad bots made up nearly a quarter of overall website traffic in 2019. Although laptops can certainly run bots, apps are where the action is. Pew Research Center reports that 74 percent of households own a computer and 84 percent have a smartphone. But when it comes to usage, mobile dominates. More than half of worldwide Internet traffic last year came from mobile devices, and U.S. consumers spent about 40 percent more time using their smartphones than they did their desktops and laptops.
General In-App Security Measures
An ounce of prevention is worth a pound of cure. E-tailers can and should take a number of measures to protect their mobile apps from sneaker bot apps.
For starters, they can protect their apps so that the developers of automated transaction, or auto-clicker bots, can’t install the malicious app on the same device as the good app. They can also prevent the good app from being reverse engineered, a process that allows the bot developer to understand how or where to insert the bot.
Standard security methods such as app shielding, app hardening, preventing emulators and simulators, preventing debugging, preventing overlays, obfuscation and targeted encryption can prevent the development or usefulness of sneaker bots that target a specific app. Likewise, preventing a mobile app from running on rooted or jailbroken phones can also slow down or stop sneaker bots from carrying out their predesigned ends.
The goal of adding generalized security protections inside the good mobile app is to block common pathways that sneaker bot apps and auto-clicking apps need to function. Other general methods, such as obfuscation and app shielding, a set of processes used to block tampering, running programs on behalf of the good app, make it extremely hard for developers of sneaker bots to know when or how to click and execute actions on behalf of the app.
These methods can be added to the next release of the mobile app to prevent the creation and stop the usefulness of sneaker bots.
Targeted In-App Security Measures
At this point you may think, “Yes, but what if I already released my app without these protections?” In other words, what if hackers already understand the ordering process inside the app and built a sneaker bot or auto-clicker to take advantage of it? Also, to make it more complicated, “What if I have no intention of changing the way my app functions?”
Generally speaking, if there is a sneaker bot, Instacart bot, or similar app used to generate automatic actions against or “inside” your app from the same device, it’s a pretty good guess that the good mobile app lacked the protections necessary to block the creation of the bot in the first place.
Adding new methods like obfuscation and app shielding, methods designed to block static and dynamic analysis in a new app, won’t help the existing app (i.e., the app on the devices in the hands of your users) block the existing bot. The bot is out there, and the app is out there, and the bot is made to function with the currently published app.
The only thing you may be able to do to protect the existing app from an existing bot operating on the same device — assuming no other changes to the existing app — is to update the app backend, using techniques such as rate limiting purchases. However, this has limited usefulness if, say, your app is an on-demand delivery app. How could you guarantee that real purchasers aren’t the ones simply buying and clicking more? You don’t want to block legitimate purchase actions in your app.
So, what can you do?
Obfuscation by itself is of little use, since the developer of the good app isn’t going to change how the app functions, and the developer of the sneaker bot already understands how the app works and has built the malicious bot to take advantage of it.
Nevertheless, depending on the strength of the solution, methods such as app shielding and hardening, jailbreak and root prevention, antitampering and other methods can provide an effective defense inside an existing app to an existing bot. So, follow the advice above and release a new app as quickly as possible.
Additional Best Practices
Can you go deeper? Of course, you can.
The key is to understand the methods used in the bot, i.e., understand what you’re “blocking” and what you’re “protecting” against inside your app.
For example, the bot may gain or require root access on the device to function. Or, it may require an overlay, mirroring, keylogger or other method. It may rely on memory injection, a malicious program running in the background, or need to be installed from unknown sources.
There are literally hundreds of methods well-designed sneaker bots use to carry out their ends. Don’t rely on scanning for bundle IDs to block these bots. Bundle IDs can be easily changed and some sneaker bots and practically every form of malware change bundle IDs automatically. Besides, scanning for bundle IDs is like whack-a-mole, too much effort for too little impact.
The best practice here is meet the threat by zeroing in on the methods used by the sneaker bot to infiltrate your app’s processes. You may need to engage your or an external security research team to understand the particular sneaker bot plaguing your business, but it’s doable.
Note, some of these sneaker bots protect themselves with the same methods too. Still, it’s entirely achievable to block sneaker bots from destroying your business without complex systems and back-end upgrades. Don’t hesitate — the answer can be in your app.