We're Hiring!

Approov Blog
TLS (2)

Practical API Security Walkthrough — Part 4

January 18, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in May 2021. Welcome back! This is the fourth and final part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. In this post, I'll dive into the third API security attack scenario and what is required to effectively defend against it. Read Full Story

Practical API Security Walkthrough — Part 3

January 17, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome back! This is the third part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. Read Full Story

Practical API Security Walkthrough — Part 2

January 16, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in May 2021. Welcome back! This is the second part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various API security exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. Read Full Story

Practical API Security Walkthrough — Part 1

January 12, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome! A quick question: Do you know what’s using your API? Really? Read Full Story

Strengthening OAuth2 for Mobile

January 3, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in October 2022. OAuth2, often combined with OpenID-Connect (OIDC), is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth2 provides authorization flows for both web and mobile applications. Read Full Story

Toughen Up Soft Certificate Pinning With Approov

December 14, 2017

Devops just mailed to say they will rotate the certificates on all of the endpoints today, mentioned the Engineering Manager at one of our customers, that’s unexpected, I wonder what happened. Read Full Story

Adding OAuth2 to Mobile Android and iOS Clients Using the AppAuth SDK

October 23, 2017

Editor's note: This post was originally published in October 2017 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in October 2022. OAuth2, often combined with OpenID-Connect, is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth 2 provides authorization flows for both web and mobile applications. Read Full Story

The Problem with Pinning

July 13, 2017

Certificate or Public Key Pinning is an extension to TLS that is highly effective for bot mitigation by protecting the HTTPS connection between your app and API from snooping by third parties (otherwise known as a Man in the Middle attack). The technique makes use of the TLS protocol which requires the server to provide a certificate containing its public key. If the client has a copy of the expected certificate (or just the public key) and checks for a match before completing the TLS handshake then the client is considered pinned to the server. Read Full Story

Hands on Mobile API Security: Pinning Client Connections

May 31, 2017

Add TLS and Certificate Pinning While Removing Client Secrets The Hands On Mobile API Security: Get Rid of Client Secrets tutorial demonstrates how to improve API security by removing vulnerable API secrets from mobile apps. In the tutorial, you work with a simple photo client which requires an API key to access NASA’s picture of the day service. An API Proxy, introduced between your client and the picture service, removes the need for storing and protecting the API key on the client itself. Read Full Story

Hands on Mobile API Security - Using a Proxy to Protect API Keys

May 11, 2017

Editor's note: This post was originally published in May 2017 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2022. API keys and other secrets poorly hidden inside mobile apps are a common source of mobile insecurity. You can do much better. In this tutorial, you will work with a simple Android mobile app which uses an API key to access the NASA picture of the day service. An API Reverse Proxy introduced between your mobile app and the NASA picture service will remove the need for storing and protecting the API key on the mobile app itself. In addition to improved API security, this approach offers some benefits in manageability and scalability. Alternatively, you may choose the approach discussed in the Runtime Secrets Protection article which doesn’t require any API backend work to be done - a significant positive if you don’t have a backend team immediately available and need a solution ASAP. Read Full Story