MOBILE APP SECURITY CONFERENCE 3 - 4 November 2025 , Prague - Capacity is limited,
apply NOW for complimentary ticket!
HomePremium ProductsTalsec Portal

AppiCryptWeb

Protect web APIs from bots and tampering using request-bound threat flags, browser fingerprints, and integrity proofs that travel with every API call. Each cryptogram contains browser fingerprinting

Value at glance

  • Block scripted abuse and tampered requests before they consume resources by attaching integrity flags to each API call.

  • Accurate threat intelligence combining bot detection, tampering flags and incognito state delivered per request.

  • Reliable user tracking and session correlation through persistent browser fingerprinting that works across tabs and sessions.

Key Protections and Use Cases

AppiCryptWeb delivers robust defenses against a wide range of threats, enabling secure API interactions for diverse applications. Here's how it protects:

  • Bot and Automation Detection: Flags scripted bots, headless browsers, and automation frameworks to prevent API scraping, credential stuffing, and DDoS-like abuse.

  • Tampering Prevention: Detects native object manipulation and request alterations, safeguarding against injection attacks and modified payloads.

  • Incognito Mode Monitoring: Tracks private browsing to enforce policies on anonymous sessions, reducing fraud in high-risk scenarios.

  • Self-Integrity Checks: Ensures the agent's own code hasn't been bypassed, providing verifiable runtime health per request.

These protections power critical use cases, including:

  • AI Scrapers and Data Harvesting: Stop large language models and crawlers from extracting proprietary data via APIs.

  • Content Protection: Secure media delivery and prevent unauthorized downloads or embeds in video streaming or publishing platforms.

  • Ads Revenue Safeguarding: Block ad blockers, scripted views, and fake traffic to maintain accurate monetization metrics.

  • DRM Enforcement: Verify legitimate browser environments for digital rights management in software distribution and content access.

  • Scalping and Inventory Abuse: Prevent automated ticket or product grabs on e-commerce sites by flagging high-velocity bot activity.

  • API Scraping Defense: Protect endpoints from bulk data exfiltration in financial, healthcare, or research APIs.

How it works

A WebAssembly agent generates a signed cryptogram per API request containing browser fingerprint, threat flags, and a caller-provided nonce bound to that specific call.

The backend evaluator verifies signatures, validates freshness and nonce binding, extracts the browser fingerprint and threat data, computes a risk score, and returns detailed assessment context for customer decision logic.

Why it's different

  • Request-bound attestation: nonce binding and signed cryptograms with embedded fingerprints give strong replay resistance and user correlation per call.

  • WebAssembly performance: near-native execution speeds with minimal overhead, achieving fast cryptogram generation while running heavy operations off the main thread without blocking UI.

  • Hacking resistance: WebAssembly's isolated execution, dual-agent architecture, message channel separation, and cryptographic module signatures make bypassing or tampering extremely difficult, with self-checks and backend provenance verification ensuring integrity.

Integration

Frontend: include the WebAssembly agent using JavaScript glue, initialize once with the magic file, then call getCryptogram with a short nonce and send it in a header such as appicrypt.

Backend: install the evaluator to decrypt and verify signatures, extract browser fingerprint and threat flags, check freshness and nonce, compute risk score, and pass the assessment context to existing business logic.

What's included

  • Browser fingerprint: stable imprint for persistent user identification across sessions and tabs.

  • Threat flags: tampering of native objects, automation traits, user-agent spoofing, incognito mode, and agent self-integrity.

  • WebAssembly advantages: small compressed footprint, asynchronous operation that doesn't block the UI thread, and cryptographically signed modules with backend-verifiable provenance traces.

Broad Compatibility

AppiCryptWeb works seamlessly across all major mobile and desktop browsers, engines, and environments, ensuring consistent protection without compatibility headaches:

  • Desktop Browsers: Chromium 80+ (Chrome, Brave), Edge 80+, Opera 66+, Firefox 114+, Safari 15+.

  • Mobile Browsers: Android WebView (Android 11+, Android 10 with updated WebView), iOS WKWebView 15+ (covering Safari Mobile, Chrome Mobile, Firefox Mobile).

  • Rendering Engines: Full support for Blink (Chromium-based), Gecko (Firefox), and WebKit (Safari/iOS).

  • Hybrid & Embedded: Electron (for desktop apps), Tizen 6.5+, webOS 22+ for smart TVs and embedded web views.

This wide coverage means you can deploy it confidently on web apps, PWAs, SPAs, and hybrid mobile experiences.

Get started

Add the WebAssembly package, initialize with the magic file, generate a fresh nonce plus cryptogram per request, and send it in a custom header.

Install the evaluator at backend or edge, verify and score the cryptogram, extract fingerprint and threat data, and use the assessment context in existing authorization and fraud logic.

PreviousAppiCryptNextMalware Detection

Last updated