If you publish a mobile app that uses an API then you may have just inadvertently opened that API to the world. Pokemon Go grabbed headlines as hackers rapidly reverse engineered its private API and built an army of unapproved bots and mapping tools. There is a lesson for us all here. Exposing rich APIs which may attract the attention of bots designed with the intention of scraping valuable data from your backend servers or abusing your API in a myriad of different ways. Using Pokemon Go as an example, this presentation will explain the cat and mouse games with bots that can emerge when you deploy a successful app, and what steps you should take to protect your mobile API in those circumstances.