AllTrails Secures its Mobile Apps, Website, & API From Bad Bots With DataDome

Uniform protection across all endpoints.

A better and safer user experience.

Industry-leading false positive rate.

Credential stuffing Scraping Tech platforms

AllTrails is a popular hiking app that offers outdoor enthusiasts a vast selection of crowdsourced trail maps, photos, and reviews. Potential scraping and credential stuffing attacks were driving up the company’s infrastructure cost, and dealing with major attacks could take up days of developer time. DataDome now protects AllTrails’ content and user accounts from all types of bot-driven fraud, and the infrastructure team can focus on delivering a stellar user experience.

DataDome is very reliable, and we no longer are consumed with worry about bots stealing trail data. We’re also very satisfied with the false positive rate; it’s half of the industry standard, a small, small fraction of a percent.

Kat Leipper, Senior Software Engineer at AllTrails

The problem: Bot attacks threaten security and inflate costs.

As one of the top global apps in its segment, AllTrails is a target for malicious actors hoping to piggyback off its vast content database. Every few weeks, the infrastructure team could observe huge traffic spikes in their logs, often hitting the same endpoint over and over again.

“There were many different categories of bad bots,” explains Kat Leipper, Senior Software Engineer at AllTrails. “Many were targeting content, such as map downloads.”

For some time, the team worked overtime to mitigate the attacks as best they could via their WAF. But blocking IPs would often turn into a frustrating whack-a-mole game.

The solution: Efficient, mobile-focused bot management.

After a couple of particularly aggressive attacks, the team decided it was no longer sustainable to deal with the issue manually. They needed a solution.

Ideally, the tool should be easy to implement. Given that the majority of AllTrails’ users access the platform through the mobile app, it was crucial to have high-performing iOS and Android SDKs as well.

Most importantly, unlike the WAF which required constant intervention, the new solution needed to take the work off the team.

“DataDome matched all our criteria,” says Kat. “We took a phased approach, starting by protecting our API, and then gradually turning on more and more protection. It was a careful process, but it felt good to know that a large chunk was already covered with the protection of the API.”

The results: Reliable protection, savings, and peace of mind.

Today, DataDome fully protects AllTrails’ mobile apps, website and API against all bot-driven threats, with the same efficiency and granularity on all endpoints. Malicious requests are blocked before they hit AllTrails’ various load balancers, and as a result, their infrastructure costs have been significantly reduced.

And just as they had hoped, the team no longer is stretched too thin worrying about malicious bots stealing trail data from their app or site. They no longer spend unnecessary hours manually dealing with attacks, and real users enjoy a hassle-free experience.

“After the initial implementation and fine-tuning, it’s been seamless”, Kat confirms. “We do have semi-regular check-ins with the DataDome team, but on a daily basis, it just does its thing. We’re also very satisfied with the false positive rate; it’s half of the industry standard or average, a small, small fraction of a percent.”

Finally, Kat appreciates the detailed dashboard and being able to explore the powerful threat analytics and notifications across all endpoints.

“DataDome has turned out to be a really useful tool in addition to our other logging,” she notes. “It’s a good source of observability information; I can go in and quickly understand why somebody might be having issues, or what a particular source of requests might be.”