We're Hiring!

Approov Backend Quickstarts

Approov backend quickstarts

Photo by Ankush Rathi from Pexels

Editor's note: This post was originally published in April  2020 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020.

Approov lets your mobile app prove to a backend API that it really is the official mobile app making the call, and that it is not running in an environment that may be compromised. Only requests from the apps that you specifically allow can make successful requests.

To achieve this Approov uses industry standard JSON Web Tokens (JWT). The default signing algorithm we use is HS256, meaning that the tokens are signed using a secret that is specific to your Approov account. Our cloud service will only correctly sign these tokens if it is satisfied that they are being provided to an valid app instance, from where the app can pass the token along to your backend API via an additional request header. This provides proof of authorization from the Approov service that the app is valid. The signing secret is never passed to the app itself, so it can never manufacture its own valid tokens. As an additional security measure these tokens also have an expiry time of only a few minutes.

So once you’ve integrated Approov into your mobile app(s), you will need to integrate a check on your backend API to make sure that the Approov JWT being supplied is valid. This might be done in your server code itself, or perhaps in an API management layer that protects accesses before it even hits your servers. We have a variety of customers using various different methods, technologies and languages. We even have some customers doing the check in a CDN on the edge. Use of the industry standard JWT format makes this integration easy, there are a huge number of different JWT verification libraries and HS256 is a very common signing algorithm.

We also have walkthrough guides to help you integrate on the backend:

We regularly add more integrations for API management and gateway solutions.

If there is a particular backend technology that isn’t listed, and it’s not clear how you can verify your Approov JWT tokens then please just get in touch, and we’d be happy to help you out.

 

Richard Taylor

- CTO and Co-Founder at Approov Ltd
Chief Technical Officer with more than 30 years of industry experience. Background in compiler optimization and processor architecture, working more recently in application security and cloud computing technologies. Richard Co-Founded and is CTO of Approov Mobile Security (previously Critical Blue Ltd) and has led a number of innovative product developments in the area of EDA, software optimization and remote software attestation.