Approov provides a comprehensive runtime security solution for mobile apps and their APIs, unified across iOS and Android. Approov immediately stops any automated tools or compromised apps from manipulating any part of the end-to-end mobile platform, turning away unauthorized access attempts by scripts, bots and fake or tampered apps.
By eliminating false positives and providing runtime application self-protection (RASP) as well as just-in-time-management of API keys, secrets and certificates, Approov delivers both exceptional operational convenience and highly robust security at scale.
An Approov 30 day trial allows you to validate the effectiveness of the solution in your own environment. In addition, an Approov trial can also give valuable insight into the types and state of devices that are communicating with the protected services via the API. For example, do you know the proportion of connections coming from unauthorized software: bots, scripts, or repackaged apps? Do you know if your communications are being intercepted, if the mobile device is rooted/jailbroken, if your app is running in an emulator, if there is a debugger or framework attached, or even if your app is running in a cloned environment? Read on to find out how you can get at these nuggets before the end of your free Approov trial.
One of our customers managed to go from initial contact to deployment in 8 days (you can read about their experience here). While that is not a typical evaluation-to-deployment timescale, it got me thinking about the most efficient path through the Approov exploration, evaluation and adoption process. With a little planning, you can have Approov live in your platform very quickly, and you can then learn a lot about the activity on your API without giving us a cent! Here I give you my 5-step plan to making the most of your first 30 days:
1. Plan your trial: Before signing up, work out which use-cases you are going to test. See here https://approov.io/blog/what-can-you-test-with-an-approov-30-day-free-trial.
Look at the Quickstart guides which we have created for native environments as well as for popular development platforms/languages. You may find that we have already done much of the integration work for you. You need to look into both frontend and backend Quickstart guides:
- Frontend Quickstarts. Here you will find the details of how to integrate Approov into your app using mobile app development platforms we support out of the box. This includes native Android and iOS development using various network stacks. If your platform does not have an associated Quickstart guide, don’t worry because the generic integration process is easy. You can read about it here.
- Backend Quickstarts. Here you will find the details of how to integrate the Approov token check into the backend platforms we support out of the box. If your platform does not have an associated Quickstart guide, don’t worry because the generic token check integration process is easy. Please find the detail here. If you are only trying out Approov runtime secrets or dynamic pinning to protect the communications channel, you don't need the backend integration.
If you are going to test runtime secrets protection, then you should decide which secrets in your mobile app will be managed by Approov and prepare to replace them in the code with calls to the SDK. See here and the “SECRETS PROTECTION” README file in your appropriate app quickstart.
If you are going to use Approov dynamic certificate pinning to protect the channel then use the following to prepare your approach: https://approov.io/docs/latest/approov-usage-documentation/#public-key-pinning-configuration
2. Sign up for an Approov trial: You can gain access to the Approov service by signing up on our website. A free, no-obligation 30 day trial of the full Approov service will be yours and only requires you to provide your details - using a professional email address - and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step. If in doubt at any stage, please remember that a full set of Approov documentation is available to you.
3. Integrate and deploy: Just follow the mobile app quickstart you identified in step 1.
You will need to define the APIs you want to protect with Approov and you can find details on that here. You’ll also want to set up certificate pinning for those APIs - either using your own static pinning setup or taking advantage of Approov's built-in dynamic pinning capability.
Once your frontend and backend integrations are complete you will want to check everything out before you deploy updated versions of your apps. For the testing and verification there are a range of capabilities open to you, e.g. long lived tokens, loggable tokens, auto-expiration of app registrations, whitelisted devices, etc. These features will allow you to establish that the flow is working as intended without the Approov security blocking you!
Once you are comfortable that your app functionality and customer experience is unchanged by the inclusion of Approov, you are ready to go live. We recommend that you go live but do not block traffic based on the Approov token initially. Monitor the traffic closely:
4. Monitor your API traffic with Approov Metrics: Now that you've deployed Approov with your apps, you can gather lots of interesting information about the real sources of all the traffic on your APIs. For an overview of our Metrics dashboards, you can check out this blog, and for a deeper dive into all the options, our documentation covers it here.
In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic at your endpoint (where you do the Approov token check) as well as within the Approov Metrics. This is because our metrics only see authentication requests and the subsequent pass/fail results. Scripts/bots which bypass your app do not attempt to authenticate themselves with the Approov service, so we don’t see them. However, they will not present an Approov token to your endpoint, so you can get some interesting insights into the demographics of your traffic by monitoring the endpoint closely. Specifically, you should capture the % of your traffic which has no Approov token (coming from bots/scripts) and the % of your traffic which has an invalid Approov token (from modified apps or genuine apps running in unsafe environments).
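To make that endpoint-side measurement concrete, here is an added example (not Approov's own code) that splits constructed access-log lines into missing, invalid and valid Approov tokens. It assumes the token is an HS256-signed JWT checked against the secret issued to your backend, as the backend quickstarts describe, and both the secret and the log format below are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json, time
from collections import Counter

DEMO_SECRET = b"constructed-demo-secret-not-a-real-approov-secret"  # constructed; the real one stays server-side

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret=DEMO_SECRET):
    """Build an HS256 JWT; used here only to construct the sample log lines."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def classify_token(token, secret=DEMO_SECRET, now=None):
    """Return 'missing', 'invalid' or 'valid' for one Approov-Token header value."""
    if not token or token == "-":
        return "missing"  # no token at all: the request never came through the app
    try:
        header, body, sig = token.split(".")  # ValueError unless exactly three segments
        hdr, claims = json.loads(_b64url_decode(header)), json.loads(_b64url_decode(body))
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(expected, _b64url_decode(sig))
    except (ValueError, binascii.Error):
        return "invalid"
    if not (isinstance(hdr, dict) and isinstance(claims, dict)) or hdr.get("alg") != "HS256" or not sig_ok:
        return "invalid"  # wrong or 'none' algorithm, or signature not made with the shared secret
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return "invalid"  # expired or missing 'exp' claim
    return "valid"

def token_breakdown(log_lines, secret=DEMO_SECRET, now=None):
    """Percentage of requests whose Approov token is missing, invalid or valid."""
    counts = Counter(classify_token(line.rsplit(" ", 1)[-1], secret, now) for line in log_lines)
    return {k: round(100 * counts[k] / sum(counts.values()), 1) for k in ("missing", "invalid", "valid")}

NOW = 1_700_000_000  # fixed clock so the constructed sample is reproducible
# Constructed access-log lines in the form "METHOD PATH STATUS <Approov-Token header or '-'>"
SAMPLE_LOG = [
    "GET /api/v1/orders 200 " + make_token({"exp": NOW + 300}),
    "GET /api/v1/orders 200 " + make_token({"exp": NOW + 300}),
    "POST /api/v1/login 200 -",                                                # script/bot: no token
    "GET /api/v1/orders 200 " + make_token({"exp": NOW - 10}),                 # expired token
    "GET /api/v1/orders 200 " + make_token({"exp": NOW + 300}, b"wrong-key"),  # forged signature
]
```

`token_breakdown(SAMPLE_LOG, now=NOW)` gives 20% missing, 40% invalid and 40% valid for the constructed sample; run the same split over your real access logs and watch the token-free share in particular, since that is the traffic the Approov Metrics never see.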
All of this analysis will be useful when you come to compile a report on Approov and the Return on Investment (RoI) of using it.
5. Test your platform: Another way you can check out Approov is to try and beat it! Pentesting your platform, either using a third-party pentesting company or your own internal resources, is an excellent way to build confidence in Approov and generate additional evidence for your evaluation report.
As you try different approaches to try and breach the Approov solution, you can monitor the Approov Metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.
Wrapping Up
There you have it, an approach that will help you find out what’s using your API before being charged for the account you create - and with zero cost. All of the steps described above and the data you will capture can easily be achieved within your 30 day free trial. In addition, the knowledge of what percentage of your API traffic is not coming from genuine mobile app instances running in clean environments will be useful and scary in equal measure.
Of course, once you start using Approov we don't think you will want to stop. We believe that the RoI outlined in your evaluation will be compelling. In fact, we expect that you will love the experience of using Approov. Protecting your API from bad actors, reserving your cloud resources for your real users, securing their data, and protecting your revenue streams. What's not to love?