Bot Manager Premier SDK

Bot Manager Premier


The Akamai Bot Manager Premier software development kit (BMP SDK) takes the fundamental technology of Akamai Bot Manager and applies it to native mobile apps. The BMP SDK collects behavioral data while the user interacts with the application. This behavioral data, also known as sensor data, includes device characteristics, device orientation, accelerometer data, touch events, and so on. The BMP SDK provides a simple API to detect bot activity and defend against malicious bots and account takeover.

Note: This SDK is an optional add-on to Akamai Bot Manager Premier. If you'd like to add it, contact your Akamai account rep.

[Figure A: Human Request]

[Figure B: Bot Request]

Integrate the BMP SDK Into Your Mobile App

Before you can start mitigating bot traffic, you need to integrate the SDK into your mobile app, configure Bot Manager Premier in the control panel, and then monitor traffic so that you have actionable intelligence.

Integrate BMP into your Mobile App

  1. Download the SDK for each platform.
  2. Follow the integration instructions using the links immediately below.

Download | Version | Integration Instructions

Android SDK
checksum: bce765f4fc9a957af28d58d20f6a4578a311027c7ae48e56713398a61a493ad8

checksum: 71e9dd1d5b691d1d3c64431ce09e1e31a6bf5aa592d3482671f7f763c0e39c8a

Cordova and Ionic SDK | 2.2.2 | Documentation
React Native SDK | 2.2.2 | Documentation

Configure Bot Manager Premier

  1. Open the Luna Control Center and review your Bot Manager policies. Make sure the hostname of your protected endpoint is covered by one of them.
  2. Define a new protected endpoint and associate it with the relevant policy. Keep the new endpoints in monitor mode.
  3. Define the characteristics of your mobile app traffic. Mobile apps typically have a specific user agent, for example “MyMobileApp/1.0”. It’s important that we clearly identify the app traffic for both iOS and Android, as well as the app version, so that we can apply the correct detection workflow to the request. This is especially important during the initial rollout. This definition will also help take independent action for each mobile app type.
  4. Deploy the new Bot Manager configuration to the Akamai production network.

For more details on completing these steps, please review Chapter 5 of the Bot Manager integration guide. For assistance with the integration, please contact your Akamai representative, who can arrange for the Professional Services team to help.

Release Your New Mobile App

  1. Publish your new app to the Apple App Store and Google Play.
  2. Monitor user adoption.
  3. Review the bots detected.
  4. Once you’re satisfied with the accuracy of the detection, you can start mitigating bot traffic. Bot Manager offers flexible mitigation strategies based on the app version or the app type (Android or iOS) to reduce dependencies on users adopting the new app or delays in the implementation lifecycle for one of the apps.


Protecting Endpoints

For each request you want to protect, you will need:

  • The full URL.
  • The method (POST, GET).
  • For POST requests, include any POST element that would more specifically define the request to protect (only necessary if the endpoint identified by the above URL and method has multiple purposes).
  • Identify whether the endpoint only supports native app traffic or also handles web traffic.

In order to prevent false positives, only requests that are triggered by users interacting with the application, and that may be abused by bots to carry out an attack, should be protected with this technology.

Typical use cases include:

  • Account login
  • Account signup
  • Search queries
  • Add to cart
  • Checkout
  • Reward and gift card programs

Identifying the App OS and Version In the User-agent

In order to prevent false positives during the initial rollout, you need to be able to identify the application version so that you can conditionally apply bot detection logic to requests that are expected to send the behavior data. Once enough users have upgraded to the latest version of the application, this condition can easily be removed by updating the Bot Manager configuration in the Luna Control Center.

Also, because the development lifecycles of the iOS and Android applications may not follow the same cadence and speed, you need to be able to identify which requests come from the iOS app and which come from the Android app. This strategy may help mitigate bot traffic more quickly, without having to wait for both apps to reach the same level of maturity and user adoption.

The edge server uses the User-Agent HTTP header to identify the application that is integrated with the SDK. So we recommend using a standard format like Application-Name/Version-Number (Platform-Information) for the User-Agent header in the REST API request.


HelloApp/1.2.3 (iPhone; iOS 11.2.1)

MyFirstApp/1.1.2 (Android 7.0; Build/NRD90U)
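
The version and platform gating described above can be sketched as follows. This is an added example, not Akamai code or Bot Manager configuration: the function names are hypothetical and the `SDK_MIN_VERSION` rollout table is constructed for illustration.

```javascript
// Added example, not Akamai code. SDK_MIN_VERSION is a constructed rollout
// table: the first app version per platform assumed to ship the BMP SDK.
const SDK_MIN_VERSION = { ios: "1.2.0", android: "1.1.0" };

// Application-Name/Version-Number (Platform-Information)
const UA_RE = /^([A-Za-z0-9._-]+)\/(\d+(?:\.\d+)*)\s+\(([^)]*)\)$/;

function parseAppUserAgent(ua) {
  const m = UA_RE.exec(String(ua || "").trim());
  if (!m) return null; // not in the recommended format
  let platform = "unknown";
  if (/\b(?:iPhone|iPad|iOS)\b/.test(m[3])) platform = "ios";
  else if (/\bAndroid\b/.test(m[3])) platform = "android";
  return { app: m[1], version: m[2], platform };
}

// Component-wise numeric comparison, so 1.10.0 sorts above 1.9.0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "detect": this build is expected to send behavior data.
// "skip-old-version": known platform, but the build predates the SDK.
// "skip-unrecognized": the User-Agent does not identify the app.
function detectionScope(ua, minVersions = SDK_MIN_VERSION) {
  const p = parseAppUserAgent(ua);
  if (!p || !Object.prototype.hasOwnProperty.call(minVersions, p.platform)) {
    return "skip-unrecognized";
  }
  return compareVersions(p.version, minVersions[p.platform]) >= 0
    ? "detect" : "skip-old-version";
}
```
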


Request Flow

Once the SDK has been implemented and the protected endpoints added into the Bot Manager configuration, the protected request is processed as follows:

  1. The user interacts with the mobile device to log into the application. While this happens, the behavior data (device orientation, device acceleration, device characteristics, and touch events) is recorded by the SDK.
  2. When the user presses the submit button:

    A. The application queries the SDK to retrieve sensor data.
    B. The sensor data is added to the request as a header.
    C. The request is sent to the closest available edge server.
  3. The Akamai edge server intercepts the REST API request and inspects the X-acf-sensor-data header to determine whether the request is from a bot or a human user. After evaluating the sensor data, it takes the predefined action on the request:

    A. If no threat is found in the sensor data, the request is classified as human and forwarded to the origin web server.
    B. If a threat is detected, the Bot Manager rule fires and the associated action is executed.

These responses are covered in more detail in the following section.

Akamai Edge Response

If the request is classified as human, the traffic continues to the origin server and the response is sent back to the app. If the request is classified as a bot, there are two possible actions: monitor and deny.

  • If the action is monitor, the traffic is allowed and the request is sent to the origin server.

  • If the action is deny, a 403 HTTP response is sent back to the app, and the app should handle the situation and take appropriate action.
    Hint: To differentiate this 403 response from one sent by your own origin server, check for AkamaiGHost in the Server HTTP response header. That value indicates a response from the Akamai edge server; your origin server will have a different value.

Request Flow and Edge Response
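
The app-side half of this flow (steps 2A to 2C, then handling the edge response) is sketched below. This is an added example and not Akamai SDK code: `getSensorData` is a hypothetical callable standing in for whatever call your platform's BMP SDK exposes, and the function names and outcome labels are assumptions.

```javascript
// Added example, not Akamai SDK code. getSensorData is a hypothetical
// callable standing in for the platform SDK's sensor-data call.
const SENSOR_HEADER = "X-acf-sensor-data"; // header name from the request flow

function buildProtectedRequest(url, body, userAgent, getSensorData) {
  const sensor = getSensorData(); // step 2A: query the SDK at submit time
  if (typeof sensor !== "string" || sensor.length === 0) {
    throw new Error("refusing to send a protected request without sensor data");
  }
  return {
    url,
    method: "POST",
    headers: {
      "User-Agent": userAgent,             // App-Name/Version (Platform)
      "Content-Type": "application/json",
      [SENSOR_HEADER]: sensor,             // step 2B: sensor data as a header
    },
    body: JSON.stringify(body),
  };
}

// HTTP header names are case-insensitive, so look them up that way.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return String(v);
  }
  return "";
}

// Separate a deny issued at the edge from a 403 issued by the origin.
function classifyResponse(status, headers) {
  if (status !== 403) {
    return status >= 200 && status < 300 ? "ok" : "other-error";
  }
  return headerValue(headers, "Server").includes("AkamaiGHost")
    ? "edge-deny" : "origin-403";
}
```
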

When Bots Attack

If you’re under an active attack, the Bot Analysis and Bot Activity tools in the Luna control security center give you full visibility of bot traffic over the last 90 days. You can filter on the protected hostname and the behavior anomaly detection method.


Bots Detected

The Bot analysis tools provide more granular information about the attack traffic for the last 15 days, such as the top IP address, top country, top BotNet ID, etc. For example:

Top IP Address


Top IP address provides visibility into the most persistent IP address sending malicious requests.

Top Country


Top country shows where the traffic is coming from and helps evaluate how distributed the attack is.

Top Botnet ID


Top Botnet ID is tied to the botnet signature and provides a good view of the botnets targeting the endpoints.