Integrating AWS WAF Mobile SDK in iOS

Learn how to use the AWS WAF Mobile SDK in a sample iOS project

Published Apr 17, 2025
Last Modified Apr 24, 2025
Note: This article represents my personal opinion and has not been vetted by AWS peers.
In this article, I will share with you the steps I went through to integrate and use the AWS WAF Mobile SDK in a sample iOS mobile app.

Create an AWS WAF WebACL

  1. Create an AWS WAF WebACL with a Global (CloudFront) scope
  2. First add the AWS Bot Control managed rule. Edit its configuration, choose the Targeted inspection level, which uses the SDK, change the version to the latest one, and, for demo purposes, override all rule actions to Count.
  3. Add a subsequent rule that blocks requests without a valid token acquired by the Bot Control SDK. For simplicity, you can use the following JSON for the rule definition:
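A rule of this kind, as an added example rather than the article's original JSON: it blocks any request that the Bot Control rule group did not label `awswaf:managed:token:accepted`, so requests with a missing, rejected or expired token all fail closed. The rule name, metric name and `Priority` value are assumptions; the priority only needs to be a higher number than the Bot Control rule's, so that the label already exists when this rule is evaluated.

```json
{
  "Name": "example-block-without-accepted-token",
  "Priority": 1,
  "Statement": {
    "NotStatement": {
      "Statement": {
        "LabelMatchStatement": {
          "Scope": "LABEL",
          "Key": "awswaf:managed:token:accepted"
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "example-block-without-accepted-token"
  }
}
```

Because the Bot Control rules themselves are set to Count in the previous step, this label-match rule is the only one that terminates requests, which keeps the demo's 403 responses attributable to token validation alone.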
Then contact AWS so they can enable the Mobile SDK for download in your AWS Account for the specific WebACL. The process usually takes a few days.

Create the test API

Create a CloudFront distribution. For testing purposes, use any available API on the web as the origin (e.g. api.ipify.org), with the Managed-CachingDisabled caching policy and the Managed-AllViewerExceptHostHeader origin request policy.
Note the CloudFront domain (e.g. d2xhz6r79zrxyr.cloudfront.net) and verify that it is working and returning a valid response (e.g. api.ipify.org will return an IP).
Associate the AWS WAF WebACL with the distribution to enable WAF token validation on requests to this API. Test it again; the request now fails with a 403 response.

Prepare your dev environment for building iOS apps

  • Ideally use a Mac laptop
  • Create an Apple Developer Account
  • Download and install Xcode

Create the iOS mobile app

  • Open Xcode, create a new Xcode project using App under iOS templates, and fill in the project details (e.g. Product Name: APIFetcher; Interface: SwiftUI; Language: Swift; Team: Your Apple Developer Account, etc.), then choose where to save your project.
  • Open ContentView.swift and replace the code with the below.
  • You need to modify two values in the above code. First, change the CloudFront domain to your own distribution domain (in two places). Second, change the WAF integration URL to the one associated with your WAF WebACL. You can find it on the Application Integration page in the AWS WAF Console.
  • On the Application Integration page, click on your WebACL and download the latest version of the associated iOS SDK. Unzip the downloaded file, and create the following Package.swift file in the unzipped directory:
  • Click on the root of your project in Xcode, then navigate to the Package Dependencies tab. Click on +, then on Add Local, and select the unzipped directory containing the iOS SDK. Add the package to the project.
  • Create the info.plist file if it's not already there. Modify it so it allows external network calls from the app:

Test the app

Run an iOS simulator by clicking on the Play button. Click on the Fetch data button, and wait for the data to be displayed.
(Screenshot: iOS simulator)
You can check the WAF SDK logs to observe the behavior of the configured background token check.
(Screenshot: AWS WAF Mobile SDK logs)

Conclusion

In this article you have learned how to wrap requests to a Bot Control protected API using the AWS WAF Mobile SDK from a sample iOS app. Only requests with a valid token generated by the mobile SDK are allowed by the API.

 
