Approov is first and foremost an API protection solution for bot mitigation, securing mobile businesses against automated traffic and other attempts to gain unauthorized access to backend services, data and assets. However, while delivering this service Approov also gives valuable insight into the types and state of devices that are communicating with the protected services via the API. For example, do you know the proportion of connections coming from unauthorized software: bots, scripts, or repackaged apps? Do you know if your communications are being intercepted, if the mobile device is rooted/jailbroken, if your app is running in an emulator, if there is a debugger or framework attached, or even if your app is running in a cloned environment? Read on to find out how you can get at these nuggets before the end of your free Approov trial.
One of our customers managed to go from initial contact to deployment in 8 days (you can read about their experience here). While that is not a typical evaluation-to-deployment timescale, it got me thinking about the most efficient path through the Approov exploration, evaluation and adoption process. With a little planning, you can have Approov live in your platform very quickly, and you can then learn a lot about the activity on your API without giving us a cent! Here I give you my 5-step plan for making the most of your first 30 days:
Define your integration strategy: Before signing up, look at the Quickstart guides which we have created for native environments as well as for popular development platforms/languages. You may find that we have already done much of the integration work for you. You need to look into both frontend and backend Quickstart guides:
Backend Quickstarts. Here you will find the details of how to integrate the Approov token check into the backend platforms we support out of the box. If your platform does not have an associated Quickstart guide, don’t worry because the generic token check integration process is easy. You can read about it here.
Sign up for an Approov trial: You can gain access to the Approov service by signing up on our website here. A free, no-obligation 30 day trial of the full Approov service is yours; it only requires you to provide your details (using a professional email address) and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step. If in doubt at any stage, please remember that a full set of Approov documentation is available to you.
Obviously you need to follow the appropriate Quickstarts for both Android and iOS apps if you want to have the full experience.
You will need to define the APIs you want to protect with Approov and you can find details on that here. You’ll also want to set up certificate pinning for those APIs - either using your own static pinning setup or taking advantage of Approov’s built-in dynamic pinning capability.
Once your frontend and backend integrations are complete you will want to check everything out before you deploy updated versions of your apps. For testing and verification there is a range of capabilities open to you, e.g. long lived tokens, loggable tokens, auto-expiration of app registrations, whitelisted devices, etc. These features will allow you to establish that the flow is working as intended without the Approov security blocking you!
Once you are comfortable that your app functionality and customer experience is unchanged by the inclusion of Approov, you are ready to go live. We recommend that you go live but do not block traffic based on the Approov token initially. Monitor the traffic closely (see next step) and please let the Approov Customer Service Team know when you intend to push the updated app into the wild. We’ll keep an eye on it, ensuring that everything looks good and we’ll let you know if we see anything which needs to be tweaked.
In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic at your endpoint (where you do the Approov token check) as well as within the Approov Metrics. This is because our metrics only see authentication requests and the subsequent pass/fail results. Scripts/bots which bypass your app do not attempt to authenticate themselves with the Approov service, so we don’t see them. However, they will not present an Approov token to your endpoint, so you can get some interesting insights into the demographics of your traffic by monitoring the endpoint closely. Specifically, you should capture the % of your traffic which has no Approov token (coming from bots/scripts) and the % of your traffic which has an invalid Approov token (from modified apps or genuine apps running in unsafe environments).
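As an added illustration of the backend token check and the endpoint monitoring described above (example code, not Approov’s own; it assumes the token arrives in an Approov-Token header as an HS256-signed JWT, and uses a constructed secret and constructed log lines), this script classifies each logged request as having no token, an invalid token, or a valid token and reports the percentages:

```python
# Added example, not Approov's code. Assumptions: the Approov token is an HS256 JWT
# carried in an "Approov-Token" header and verified with a secret shared with the
# backend. The secret and the log lines below are constructed for the demo.
import base64, hashlib, hmac, json
from collections import Counter

SECRET = base64.b64decode("c2VjcmV0LWZvci1kZW1vLW9ubHk=")  # constructed demo secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(exp: int, key: bytes = SECRET) -> str:
    # Build a demo HS256 JWT so the sample log is self-contained.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def classify(token: str, now: int) -> str:
    """Return 'missing', 'invalid' or 'valid' for one request's Approov-Token value."""
    if not token:
        return "missing"              # script/bot that bypassed the app entirely
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return "invalid"          # refuse alg confusion (e.g. "none")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return "invalid"          # forged or tampered token
        if json.loads(_b64url_decode(p)).get("exp", 0) < now:
            return "invalid"          # expired token: app attestation not current
        return "valid"
    except (ValueError, AttributeError, TypeError):
        return "invalid"              # malformed token

def summarise(log_lines, now: int) -> dict:
    """Percentage of requests in each class: the two figures the article asks you to capture."""
    counts = Counter(classify(line.split("\t")[1], now) for line in log_lines)
    total = sum(counts.values())
    return {k: round(100 * counts[k] / total, 1) for k in ("missing", "invalid", "valid")}

NOW = 1_700_000_000
SAMPLE_LOG = [  # constructed lines: "<method> <path>\t<Approov-Token header value>"
    "GET /v1/items\t" + make_token(NOW + 300),
    "GET /v1/items\t" + make_token(NOW + 300),
    "POST /v1/login\t",                                          # no token at all
    "GET /v1/items\t" + make_token(NOW - 60),                    # expired token
    "GET /v1/items\t" + make_token(NOW + 300, key=b"wrong-key"),  # bad signature
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, NOW))
```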
All of this analysis will be useful when you come to compile a report on Approov and the Return on Investment (RoI) of using it.
As you try different approaches to breach the Approov solution, you can monitor the Approov Metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.
There you have it, an approach that will help you find out what’s using your API before being charged for the account you create - and with zero cost. All of the steps described above and the data you will capture can easily be achieved within your 30 day free trial. In addition, the knowledge of what percentage of your API traffic is not coming from genuine mobile app instances running in clean environments will be useful and scary in equal measure.
Of course, once you start using Approov we don't think you will want to stop. We believe that the RoI outlined in your evaluation will be compelling. In fact, we expect that you will love the experience of using Approov. Protecting your API from bad actors, reserving your cloud resources for your real users, securing their data, and protecting your revenue streams. What's not to love?
If you have any issues we didn’t cover in this article, please contact us and ask.