clock menu more-arrow no yes

Shape Security Brings Its Bot-Blinding Technology to Mobile Apps

The same tricks used against bot armies on the Web can now help fend off attacks against mobile APIs.

file404 / Shutterstock

Two years ago, the startup Shape Security emerged from stealth mode with an interesting new idea for protecting websites from some of the most common forms of attack. Today it announced it has applied the same ideas to protecting mobile apps.

Many Web security issues arise from known technical problems surrounding the process used to sign in to the site: Typing in account names and passwords. Attackers know about this vulnerability so they use software called bots to automatically scan the Web for these weaknesses and then attack sites by the thousands. Most hacking attacks have become automated in this way.

When it first launched, Shape created Shapeshifter, hardware that handles the complicated behind-the-scenes computing work of constantly changing the source code of the sections of a website that are responsible for creating a sign-in interface. The constant changes — a technique known as polymorphism — are invisible to human users but have the effect of blinding the bots that hackers use to carry out their automated attacks. The website becomes a moving target to which the evil bots can’t adapt.

Today the company says it has adapted its polymorphic techniques to protect mobile apps. The same tricks that make attack bots blind on the Web are now blinding them when they attack mobile APIs.

It’s the next logical step in the process, said Shape co-founder and VP for product management Sumit Agarwal. “As soon as someone deploys Shape the attacks on their traditional website stop almost immediately. Then just as suddenly they shift toward the mobile environment,” he said.

Agarwal is a former Google exec who ran its North American mobile products, then spent 18 months in the Obama Administration including a stint as Deputy Assistant Secretary of Defense where he worked on cyber-innovation issues.

The new mobile service is already in use by several customers including one that Shape describes as “one of the top five largest mobile commerce apps in the world” and is protecting more than 10 million individual users. (Security companies almost never name their customers because those customers don’t want their attackers to know what kind of protection they’re using.)

Alongside the mobile service, Shape said it has raised $25 million in new funding from Northern Light Venture Capital, a firm based in Beijing. That brings its total capital raised to $91 million. The new money will help fund an expansion into the Chinese market.

This article originally appeared on Recode.net.