
What Is In-App Protection?


In-app protection refers to the security features built into a mobile app itself. These features help protect the app, and the data it handles, from unauthorized access, theft, or tampering. Below, we discuss what in-app protection involves and why it is crucial for mobile app development.

In-app protection is vital for two reasons: first, because mobile apps are increasingly becoming targets for hackers; and second, because users entrust more and more of their personal information to mobile apps.

Reasons for In-App Protection

There are several reasons why mobile app developers should build in-app protection into their products. They include:

  • Eight and a half minutes: A study published in 2019 found that it took only eight and a half minutes to download a company's app, reverse engineer it, and gain access to its back-end systems. The same study found a raft of vulnerabilities in mobile financial apps.

Digital.ai table showing vulnerabilities in financial services apps (image source: Digital.ai)

Sadly, a number of other security research reports published since then have confirmed that the situation has not improved much, and may even have become worse as mobile has become the service delivery mechanism of choice.

  • Vulnerabilities in applications using Fast Healthcare Interoperability Resources (FHIR) APIs: Healthcare providers are increasingly moving to mobile apps to provide care and services for their patients. Many of these apps use FHIR APIs to access Electronic Health Records (EHRs) stored in back-end systems, either directly or via third-party data aggregators. However, according to research published by Approov, platforms and apps built around FHIR APIs are vulnerable to attack because the APIs themselves are not well protected.

  • Insecure mobile device environments: Mobile devices are increasingly popular targets for hackers. One reason is that a device is under the full control of whoever holds it and typically has little security software installed, so it is easily manipulated. A second reason is that any app can be downloaded from the app stores by anyone, including an attacker who wants to take it apart. Finally, the mobile device environment is very complex, and many free tools (debuggers, emulators, hooking frameworks, root and jailbreak tools) are available for hackers to implement a wide range of attacks.

In-App Protection Best Practices

There are several best practices that mobile app developers should follow to protect their apps from unauthorized access and theft. These include:

  • Using secure coding practices: Mobile app developers should follow secure coding practices (for example, never hard-coding API keys or other secrets in the app binary) and harden the shipped code with obfuscation and anti-tampering techniques. Obfuscation does not make reverse engineering impossible, but it raises the time and skill required, which matters given how quickly an unprotected app can be taken apart.
  • Restricting access to sensitive data and connections: Apps should expose sensitive data only to authenticated and authorized users, and their API connections should be protected against man-in-the-middle (MitM) attacks. Certificate pinning addresses the latter: the app accepts only the expected certificate or public key for its API host, so an interception proxy presenting a different certificate is rejected. Where possible, pin the server's public key (SPKI hash) rather than the leaf certificate, and ship a backup pin so that certificate rotation does not lock genuine users out.
  • Protecting mobile apps when installed, when launched, and when running: This can be done by using mobile-centric security services. It is not a once-only check that the app is legitimate; the check must be repeated on an ongoing basis, because bad actors can hijack a running app session using readily available hooking tools.
  • Ongoing protection and verification of the mobile device and its OS: This can be accomplished by employing a tool that detects hazardous operating environments, such as rooted or jailbroken devices, apps executing under a debugger or in an emulator/simulator, or apps running on devices where hacking tools are active.
  • Protecting against impersonation of mobile app traffic by scripts: A script or bot that has captured the app's API calls can replay or modify them without running the app at all. Developers should protect their API with measures that make such requests distinguishable from genuine app traffic: signing (and, where needed, encrypting) requests so that any manipulation is detected, and mobile app attestation so that the API can verify the request really comes from a genuine, untampered instance of the app.
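One way to implement the request-signing step from the list above, as an added example that is not Approov's code or the page's own. The header names, the canonical message layout, the 60-second replay window and the shared secret are all assumptions made for this example; in a real deployment the secret would not be hard-coded in the app (the reverse engineering described earlier would recover it) but delivered at run time after the app has attested itself. The verifier rejects a request whose body was altered, a replay of a captured request, a stale request, and a request forged by a script without the key:

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared secret, constructed for this example. A genuine app would
# obtain it at run time after attestation rather than embedding it in the binary.
SHARED_SECRET = b"example-secret-do-not-hardcode-in-production"
REPLAY_WINDOW_SECONDS = 60  # assumed tolerance for clock skew and network delay


def canonical_message(method, path, body, timestamp, nonce):
    """Bind every field an attacker might alter into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None, nonce=None):
    """Client side: produce the signing headers for one API request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_message(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    """Server side: accept only fresh, correctly signed, never-before-seen requests."""

    def __init__(self, secret=SHARED_SECRET, window=REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen_nonces = {}  # nonce -> timestamp; a shared cache with expiry in production

    def verify(self, method, path, body, headers, now=None):
        now = int(now if now is not None else time.time())
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        # Cheap freshness check first, so stale requests never reach the MAC.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside replay window"
        expected = hmac.new(self.secret, canonical_message(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch (tampered or unsigned request)"
        # Only authentic requests consume nonce storage; drop nonces outside the window.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if abs(now - t) <= self.window}
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"


def run_demo(now=1_700_000_000):
    """Exercise the verifier against a genuine request and four attack variants."""
    verifier = RequestVerifier()
    path = "/api/v1/transfer"
    body = json.dumps({"to": "acct-42", "amount": 25}).encode()  # constructed sample request
    headers = sign_request("POST", path, body, now=now, nonce="a" * 32)

    genuine = verifier.verify("POST", path, body, headers, now=now)
    tampered_body = json.dumps({"to": "acct-42", "amount": 2500}).encode()
    tampered = verifier.verify("POST", path, tampered_body, headers, now=now)
    replay = verifier.verify("POST", path, body, headers, now=now + 5)
    stale = verifier.verify("POST", path, body, headers, now=now + 600)
    forged_headers = sign_request("POST", path, body, secret=b"guessed", now=now, nonce="b" * 32)
    forged = verifier.verify("POST", path, body, forged_headers, now=now)
    return {"genuine": genuine, "tampered": tampered, "replay": replay,
            "stale": stale, "forged": forged}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:9s} accepted={ok} reason={reason}")
```

The signature covers the method, path, body hash, timestamp and nonce, so a script that changes any of them, or resubmits a captured request, is rejected. What the scheme cannot do on its own is stop a script that has extracted the key from a reverse-engineered app, which is why the page pairs signing with app attestation.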

In-app protection is essential for mobile-centric businesses, but it is not enough on its own. Developers must also protect the mobile device environment and the API service. Otherwise, it’s like locking the front door while leaving the back door and windows open.

Approov Mobile App Protection verifies your app's authenticity and run-time safety. This prevents tampering with your app and provides complete protection against a huge range of threats. To try it for yourself, sign-up for a free trial.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.