Since our last release, the first half of 2026 has been a busy period for the Approov team.
Mobile API security is moving quickly. AI-assisted reverse engineering, runtime instrumentation, automated scraping, fake apps, emulators, and increasingly realistic bot traffic are changing how attackers operate. At the same time, mobile development teams are building across more frameworks, more platforms, and more complex networking environments than ever before.
Very shortly, we will release Approov 3.6, a comprehensive update to the Approov platform. This update expands where Approov can be used, improves how teams integrate it, and introduces new controls to help customers operate mobile API protection more safely at scale.
Broader Support for Modern Mobile Development
Over the past six months, we have continued to broaden support for the platforms and networking stacks developers use every day. These open source packages are available now.
For Flutter teams, we introduced Approov Service for Flutter Dio HTTP/2. This gives Flutter developers a smoother path to protecting modern app traffic, with support for token handling, certificate pinning validation, message signing, and secure string substitution.
For React Native teams, we have continued improving the Approov service layer, including better support for modern React Native and Expo workflows. Recent work has focused on initialization, diagnostics, compatibility with newer React Native architectures, and more consistent behavior across Android and iOS.
We also introduced a Unity service layer, helping teams protect mobile game and app traffic through UnityWebRequest and HttpClient. This is especially important as mobile gaming, betting, and interactive experiences become more attractive targets for automation, cheating, scraping, and API abuse.
We’ve also continued improving support for iOS URLSession, Android HttpsURLConnection, and WebView-based app traffic. These updates are designed to meet developers where they already are, whether they are building fully native apps, hybrid WebView experiences, cross-platform apps, or mobile games.
Safer WebView Protection
WebView-based apps are increasingly common, but they bring a unique security challenge. Sensitive API requests may be triggered from embedded web content, while the app still needs native-level protection and control.
In the past few months, we released and improved Approov service layers for both Android WebView and iOS WebView. These updates help protect selected fetch and XMLHttpRequest traffic through native request handling, while keeping sensitive headers and secrets out of page JavaScript.
Recent WebView releases also introduced important safety improvements. On iOS, configuration now requires explicit allowed origins, making the bridge trust boundary a conscious choice. On Android, protected WebView requests now default toward safer fail-closed behavior, reducing the chance that protected traffic is silently sent without Approov protection.
We also fixed cookie handling issues so session cookies from protected requests are more reliably carried forward into subsequent protected requests. This makes WebView-based login, session, and API flows more predictable for developers and users.
Stronger Defaults and Clearer Trust Boundaries
A recurring theme in recent Approov work has been safer configuration by default.
That means making trust boundaries explicit, keeping sensitive response headers away from page scripts, ensuring certificate validation behaves correctly, and making it clearer when a request should proceed, retry, or be blocked.
Several recent releases reflect this direction. We have improved fail-closed behavior, tightened handling around protected WebView bridges, added clearer origin controls, improved cookie persistence, and refined certificate validation behavior in bypass scenarios.
These are not always the flashiest changes, but they matter. They help teams integrate Approov in real-world apps with more confidence, fewer surprises, and a stronger security posture from the start.
Coming in Approov 3.6: More Resilience, More Control, More Visibility
Alongside the open source service layer updates already available, we will release Approov 3.6 next week. It introduces important platform and backend capabilities.
More regions, less latency
One of the most visible changes is the addition of further Approov attestation regions. Approov will deploy to new regions, helping reduce latency for users operating in Central America, the southern United States, Southern Europe, the Middle East, and parts of Africa.
Security policy adoption
Approov 3.6 also introduces security policy rollout control. Security policy changes are powerful, and they need to be handled carefully. With 3.6, enterprise customers will be able to control adoption of new security policies by managing the update flow themselves. This reduces the risk that a policy change could unexpectedly affect legitimate users in production.
Alerting and service monitoring improvements
We are also adding the initial implementation of service monitoring and alerting. This notifies you if failures increase above configured thresholds. It provides additional layers of defense against issues that may increase invalid tokens. Customers can also join our customer portal to submit service requests, and see the status of all service requests they've submitted to Approov.
Internally, we have improved our own metrics and alerting. Approov now has additional monitoring across overall pass and fail statistics, helping detect significant shifts in behaviour across accounts. A separate automatic alerting system can also trigger if multiple accounts experience a significant rise in failures within close proximity, prompting on-call engineers to investigate.
ARC decoding
In a key update, Approov 3.6 brings new configuration improvements, including access to local ARC decode capability. By adding token secrets to the account keyset, our users can access both pass and fail keys for their tokens. This helps distinguish between valid Approov-signed tokens, invalid Approov-signed tokens, and attacker-minted tokens.
For tokens signed by Approov, teams can decode the ARC embedded in the token locally. This makes it easier to store Approov detection results alongside other request data and feed them into SIEM, analytics, or investigation workflows.
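The three-way distinction described above can be illustrated with a short backend check. This is an added example, not Approov's code: it assumes tokens are HS256-signed JWTs and that pass and fail tokens are signed with two different HMAC secrets. The key names and values are constructed for the example, and ARC decoding itself is not shown because the page does not describe its format.

```python
import base64, hashlib, hmac, json

# Constructed secrets for this example only; real values would come from the account keyset.
PASS_KEY = b"constructed-pass-secret"
FAIL_KEY = b"constructed-fail-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (used here only to construct sample tokens)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def classify(token: str) -> str:
    """Return 'pass', 'fail' or 'untrusted' according to which key verifies the token.

    This checks signature origin only; claim checks such as expiry are out of scope.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):  # wrong part count, bad base64, bad JSON
        return "untrusted"
    # Pin the algorithm so a token cannot choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "untrusted"
    signed = f"{header_b64}.{body_b64}".encode()
    for label, key in (("pass", PASS_KEY), ("fail", FAIL_KEY)):
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            return label
    return "untrusted"
```

Logging the returned label with each request gives downstream SIEM or analytics a field that separates failed attestations from tokens that were never signed with either key.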
Backend configuration improvements
Approov 3.6 also supports more automation around backend configuration. Customers can configure their backend to periodically retrieve the full set of backend configuration variables from the Approov admin service. This JSON configuration includes what is needed to decode tokens, helping backend systems adapt automatically to secret rotation or updates to encoded ARC flags.
Helping Teams Understand the Threat Landscape
Alongside product work, we have also been publishing more educational content for the community. We’ve recently released a new white paper on Zero Secrets Architecture which showcases how traditional defenses fail against agentic AI.
Recent articles on our blog have explored how AI is changing mobile API abuse, why runtime instrumentation tools like Frida matter, and why app attestation is becoming more important across sectors including e-commerce, government, healthcare, travel, and gaming.
The message across this content is consistent: mobile API security is no longer just about protecting the app binary. It is about proving that API requests come from genuine, untampered apps running in trustworthy environments, and doing that in a way developers can actually integrate and operate.
What This Means for Approov Users
Approov 3.6 brings increased visibility, alerting, and resilience. For developers, these updates mean broader framework support, clearer setup paths, better diagnostics, safer defaults, and more predictable behaviour across common app architectures.
For security teams, it provides a careful rollout of security policy changes, better controls around protected requests, and more ways to understand what is happening in production.
Approov 3.6 is another step toward our broader goal: making mobile app and API protection strong, adaptable, and practical for the way modern teams actually build, ship, and operate apps.
The open source service layer updates described here are available now. The additional Approov 3.6 platform and backend capabilities will be released later this week.
In the meantime, stay up to date with our latest releases by following us on GitHub or by checking out our Changelog.
Natalie Novick
Natalie Novick is a technical product marketing manager at Approov. A technologist and strategist with deep roots in the European tech ecosystem, her experience bridges emerging technology trends and community building across global innovation networks.
