You need to have 2 separate ASM policies - one for browsers and a separate one for the smartphone app. The browser policy will have full bot detection features enabled and the smartphone app policy will have JavaScript-requiring options in bot/anomaly detection switched off and relying more on IP-based anomaly detection features of ASM.
I assume you already have a separate Virtual Server for the mobile app, but if not then you can easily route the incoming traffic to two different ASM policies depending on the User-Agent header using Local Traffic Policy.
Hope this helps,
Sam