Distil’s software development kit (SDK) helps protect your API servers by placing advanced bot detection directly inside your mobile app. Once integrated with it, the Distil SDK generates a unique mobile token that identifies the device on the server side using encryption and tamper proofing.
In order for your mobile app to perform a request to your API server, a token must be submitted along with the request as an HTTP header. To obtain such a token, the SDK performs a challenge-response authentication with the Distil server. The token is valid for a limited time. After it expires, the token authentication must take place again before successfully accessing your API endpoint.
Distil mobile app security with the Distil SDK requires:
- A Distil instance (on-premise Distil appliance, on-premise customer appliance, cloud CDN, private cloud, or a Connector type integration) protecting your API endpoints.
- A mobile application that has integrated the Distil SDK.
Supported Operating Systems
The Distil SDK currently supports the following operating systems:
- iOS v10.3.1+
- Android v4.2+ and applications built with API level 17
As outlined in the diagram below, the SDK-integrated application calls getToken to initiate the authentication. In case a valid (non-expired) token is available in the local SDK cache, it can be returned immediately to the application. If not, the SDK performs a GET /challenge request.
The Distil server provides the SDK with a challenge and the client sends a response back to the Distil server. This response may also contain device-specific parameters. The Distil server verifies the response and issues a token, valid or invalid, depending on validity of the challenge response. The validity of the token is opaque to the client.
On subsequent API calls, the Distil proxy intercepts the request along with the token added by the application and the request is either allowed or denied depending on the token.