Skip to content

Five Pillars of Effective Mobile API Security

App integrity icon
App Integrity

Don't: Allow your API keys to be used by bots, scripts and fake apps to access your backend data and services

Do: Attest your apps to ensure only truly authentic apps are authorized to make API calls

Device integrity icon
Device Integrity

Don't: Allow your app to run in compromised environments which can expose vulnerabilities and exfiltrate sensitive data

Do: Adopt comprehensive fine-grained device integrity checks enforced outside of the untrusted device environment

Channel integrity icon
Channel Integrity

Don't: Allow man-in-the-middle attacks by assuming that plain TLS is good enough

Do: Employ securely certificate-pinned TLS with dynamic pin update

 

Credential integrity icon
Credential Integrity

Don't: Allow scripts to access your APIs and conduct credential stuffing attacks on your login endpoints

Do: Require frequent app authentication for strong trusted user and API authorization

Service integrity icon
Service Integrity

Don't: Allow zero-day threats to compromise your defenses and rely on new app releases to update protections

Do: Shield your APIs from exploitation of vulnerabilities with over-the-air updates for instant reaction to threat intelligence

Some of the Businesses We Protect

Papara logo
Deindeal logo
felyx logo
BMW logo
Sixt logo
Genopets logo
MetalPay logo
MV logo
Scoffable logo
Temi logo

How API Attacks Impact Your Business

Account Takeover

Form of identity theft using techniques like session hijacking, password cracking, or credential stuffing using mass log in attempts to verify the validity of stolen username/password pairs.

Fake Account Creation

Generation of fake accounts as a prelude to spamming, denial of service attacks, or credential stuffing attacks with stolen account info.

Denial of Service

Targets resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS), effectively preventing real customers from reaching the service or ruining the customer experience.

Credit Fraud

Multiple payment authorization attempts with small payments used to verify the validity of bulk stolen payment card data and identify missing start/expiry dates and security codes for stolen payment card data by trying different values.

App Impersonation

Tampered or impostor app enabling attacker to exploit and misdirect user actions and gather (Personally Identifiable Information) PII for future attacks or customer manipulation.

Man in the Middle

Intercepting and/or manipulating API traffic via a Man-in-the-Middle attack enables an attacker to gather Personally Identifiable Information (PII) or perform malicious actions through the API.

API Security Breach

Exploitation of any API security flaws to exfiltrate confidential enterprise or customer data or damage business operations.

How confident do you feel with where the company is going?

We will begin in this chapter by dealing with some general quantum mechanical ideas. Some of the statements will be quite precise, others only partially precise. It will be hard to tell you as we go along which is which, but by the time you have finished the rest of the book, you will understand in looking back which parts hold up and which parts were only explained roughly.

Scraping

Collection of large amounts of data via APIs in order to reuse or resell that data, often by aggregating data from multiple sources to provide an unofficial alternate marketplace.

Locker

Introducing Approov

How Approov Protects Your Business

  • Data breach mitigation - ensures only genuine mobile app instances, running in safe environments, can use your API.
  • API abuse prevention - blocks all scripts, bots, modified apps and fake apps from exploiting your API.
  • Instant protection - integrates easily into your existing technology stack.
  • Fraud reduction - provides immunity from the most common API attacks.
Free eBook • Generic API Security Backgrounder

How Approov Works

Approov consists of three components:

  • Approov cloud service which makes all security decisions off device - delivers uncompromisable security
  • An SDK that drops into your iOS or Android app - delivers fast deployment
  • Short-lived security tokens to authenticate API traffic at your backend - delivers rapid time to protection

App and device integrity are checked repeatedly every five minutes. Channel integrity is checked continuously.

Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid JWT Approov tokens.

Approov JSON Web Tokens (JWT) are signed with a custom secret only known to the Approov cloud service and the backend API. The secret is never contained within the app itself, so it cannot be extracted.

App registration can be immediately added and revoked from the Approov service, allowing tight control of which app versions can access your API.

Approov architecture
Zoomed Image

Approov Capabilities

  • Easy app SDK integration
  • SafetyNet integration
  • Jailbreak detection
  • Cydia detection
  • Real-time metrics
  • Easy app SDK integration
  • SafetyNet integration
  • Jailbreak detection
  • Cydia detection
  • Real-time metrics
  • Easy app SDK integration
  • SafetyNet integration
  • Jailbreak detection
  • Cydia detection
  • Real-time metrics
  • Easy app SDK integration
  • SafetyNet integration
  • Jailbreak detection
  • Cydia detection
  • Real-time metrics
Free 30-Day Evaluation • Access to All Features • No Credit Card Needed • Immediate Protection

Integrate Your App

Integrating Approov into mobile applications is straightforward, and quickstart guides are provided for the popular platforms:

After integration Approov tokens are automatically added to your API calls. The integration handles all of the analysis and measurement necessary to identify the app and the runtime environment to the Approov Cloud Service.

After integrating the SDK into your app, register each app version with the Approov Cloud Service using the Approov command line tool. This extracts and registers the “DNA” of the app with the cloud service so that your app can be positively attested. Your app is then published as normal, and the enhanced security is transparent to your users.

Free 30-Day Evaluation • Access to All Features • No Credit Card Needed • Immediate Protection

Pin Your API Connections

Even though modern apps communicate using a secure TLS connection they are still vulnerable to eavesdropping by a Man-in-the-Middle (MitM) attacker. Such attacks are used to reverse engineer an API protocol.

Employing certificate pinning prevents such attacks. Unfortunately, this can be complex to implement in the app and requires coordination with the backend API services. Approov builds pinning right into the integration with support for updating pinning over the air with no app update needed. Certificate rotations can be handled cleanly, with no risk of interruption to your customers.

Pining api connections
Zoomed Image
Free 30-Day Evaluation • Access to All Features • No Credit Card Needed • Immediate Protection

Verify Your API Traffic

Integrating Approov into backend services is straightforward too, and quickstart guides are provided for popular platforms:

Token verification is simple due to the adoption of the industry standard JWT. You simply check that each token has been correctly signed with the secret for your account, and that it has not expired.

Once the SDK has been integrated into your app, live tokens are added to your API request headers, and your backend API systems are enhanced to verify these tokens.

Free 30-Day Evaluation • Access to All Features • No Credit Card Needed • Immediate Protection

Operate With Confidence

We continuously use the aggregated and anonymized data that we have from all of our customers to identify new threats and enhance Approov's security capabilities accordingly.

Monitor and Analyze Attestation Traffic

Live metrics are accumulated regarding device usage, attestation forensics, and billing information. Both graphical and email based reporting is available.

Attestation traffic live metrics
Zoomed Image

Update Your Security Live

Approov detects potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers specify which policies should be enforced. Changes to security policies roll out immediately to active apps.

Hackers continuously evolve their run time penetration techniques, and Approov keeps pace by providing security detection updates over the air without requiring app store updates. This live update service is also used to manage trust certificates and security policies.

Free 30-Day Evaluation • Access to All Features • No Credit Card Needed • Immediate Protection

Request a Demo

Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your.

Request a Demo

Get a Trial

Approov offers a complimentary 30 day trial (no credit card necessary) to give you immediate and valuable insight into the security risks of your mobile apps and the devices they run on.

Get a Trial