Skip to main content

Introduction

Zero Trust API Bind (TAB) works on the principle of “never trust, always verify”. It binds each API call to a trusted app instance and runtime context.

When TAB is enabled with Defender, every API request from the mobile app includes a unique token generated by Defender. The server validates this token and only processes requests that have a valid one. Without this token, the request is rejected. In practice, this means moving beyond static credentials (like API keys) to a dynamic, real-time verification process. Each request carries a dynamically generated security token which is validated by the server side before processing the call. TAB is designed to strengthen the runtime security of mobile applications and prevent any bugs or loopholes to enter attackers.

This establishes a continuous trust verification model across:

  • The mobile application.
  • The backend APIs.
  • The server.
  • Bugsmirror cloud validation services.

How TAB works:

TAB is implemented as a layered communication scheme between the mobile app and its server side. Key steps include:

Token-based request validation:

For each API call, Defender generates a unique, one-time token generated for each request. The server processes only requests carrying a valid or a missing token. Invalid tokens are rejected. Because tokens are short-lived and request-specific, replaying them results in automatic denial.

Runtime-bound token generation:

Tokens are generated within the application using secure logic and device-bound secrets that cannot be replicated externally. Each token is uniquely tied to the app instance, ensuring that only protected applications integrated with Defender can successfully communicate with backend APIs.

Embedded security claims:

Each TAB token carries metadata about the execution environment and timing which avoid runtime manipulation of API requests. For instance, a secure nonce or timestamp can prove freshness (preventing replay. A TAB token might encapsulate these “trust signals" (along with a timestamp or nonce)) so that the backend sees real-time evidence of whether the app has been tampered, the device is rooted/emulated, or the request is delayed beyond acceptable limits.

Customisable validation logic:

On the server side, the organisations can define the validation policy for tokens. This can include threshold values for timing drifts, required device integrity levels, or acceptable app versions. For instance, the server may reject any token older than a few seconds or only accept requests from devices with up-to-date security patches. These policy decisions allow fine-grained control: high-value transactions might require a stricter posture (e.g. minimal drift), whereas lower-risk calls can accept looser conditions. In effect, TAB makes the API gateway and backend enforcement point aware of the API’s real-time security posture.

Documentation ImageDocumentation Image

Key security advantages

Protection Against Runtime Manipulation

Attempts to tamper with the app at runtime (e.g., via Frida or Xposed) can be detected through abnormal request patterns and blocked at the API level.

Replay Attack Resistance

Each API interaction requires fresh runtime validation, making captured requests ineffective for reuse.

Continuous Runtime Trust Verification

Every API request is verified using live runtime trust signals, enabling dynamic, context-aware security decisions.

Resilient against token farming

TAB prevents token farming by binding each token to the app’s live runtime state and session context. Tokens are generated per request and tied to real-time execution signals, making them unusable outside the protected environment. Ensure, token cannot be reused.

Runtime-to-API Binding

TAB binds API requests to a trusted mobile runtime, ensuring only genuine app instances can communicate with backend systems. If protection (Defender) is removed, token generation fails and API request is denied.

Eliminate API exploitability even if exposed

API endpoints alone are no longer exploitable, requests without valid runtime verification are automatically rejected.

Business Impact

Implementing TAB substantially strengthens an organisation's mobile security posture. By ensuring only genuine app instances can use the API, organisations can prevent fraud and abuse that often stem from credentials theft or malware.

TAB is designed to handle Trickystore-style key leaks and is much stronger than relying on Play Integrity alone. The weakness we observed in Play Integrity-based flows is that tokens/signals can be farmed or reused when the trust is not tightly bound to the app’s live runtime state. TAB reduces this risk by using v_state and Defender-side runtime checks, so the trust proof is tied to the protected app session, not just a device attestation response.

TAB directly reduces fraud risk, unauthorized API access, and automated financial abuse. For business applications, this means stronger protection against payment fraud, account takeover attempts, and bot-driven transaction abuse.

Most relevant for:

  • Banking and financial applications.
  • Healthcare platforms.
  • Insurance apps.
  • Enterprise mobility solutions.
  • Government and citizen-service applications.

Sensitive transactions (financial payments, personal data access, in-app purchase) gain added protection reducing the risk of costly breaches. Mobile API incidents have direct business consequences: executives know that breaches can trigger hefty fines (under GDPR/CCPA), customer churn, and even class-action lawsuits.

Organisations can define validation policies aligned with their own operational and security requirements

Conclusion

The rise of mobile apps has drastically expanded the API attack surface. Traditional controls (API keys, TLS, network firewalls) are no longer enough in an environment where every device is potentially hostile. Zero Trust API Bind provides a robust, forward-looking solution: it enforces that each API request comes from a verified, untampered app running on a trusted device.

By generating per-request tokens tied to real-time app and device context, TAB ensures that trust is continuously established, not assumed. In effect, API endpoints are removed from the realm of “forgotten attack surfaces” and become as secure as the backend logic itself.

Adopting TAB aligns mobile security with modern zero-trust principles and gives organisations confidence that their mobile channels and the valuable data they carry are protected against even the most sophisticated attacks.

How to enable TAB in the MASST Portal

To enable TAB, you must create a new config.

Refer to: How to make a config