
SIXT Customer Story
Minimizing the Business Impact of Data Scraping

SIXT, established in 1912, was the first car rental company in Germany. The company has grown worldwide, has always focused on great customer service and has continually improved their offering to meet changing market needs.
In the early days of car sharing, we saw some aggregators popping up and displaying the availability and location of our vehicles. Reviewing our API security arrangements, we realized how straightforward it was to extract this level of data and we worried about the possibility that 3rd parties might be able to take a further step and reserve and access our cars via our API.
We looked around for a solution which could authenticate when API requests were coming from our mobile apps and when they were coming from 3rd party mobile apps, and that’s when we came across Approov. I’d like to emphasize that we are not opposed to sharing data at all, but rather we want to control which data we share and who we share it with - in order to maintain our brand image and direct connection with our customers. Approov gives us that granularity of control.
- Nico Gabriel, President SixtX

The Challenge
Because car sharing relies on mobile apps for reservations and access to dynamic and up-to-date data on vehicle availability, characteristics, and location, SIXT realized they needed a more secure API to protect their customer data.
How Approov Mobile App Protection Helped
Aggregators are difficult to lock down because most enterprise security protocols rely principally on user authentication. However, most consumers willingly give up their user credentials to an aggregator in order to access the services that the aggregator offers. The aggregator can thus assume the customer's role.
The SIXT approach was to use Approov to deploy mobile app authentication first and then to switch on specific security capabilities and optional features over time. The first deployment of Approov brought vehicle availability and location data back under SIXT control.
Over time additional security layers were added, including:
- Man-in-the-Middle (MitM) detection to ensure that bad actors were not monitoring SIXT API traffic.
- Instrumentation framework detection (for example, Frida) to ensure that hackers were not using these tools to reverse engineer the SIXT mobile app.
- Use of the Approov custom claim capability to bind user sessions to tokens to minimize the risk of at-scale attacks.
With their API environment now stable and secure, SIXT chooses what data to share with aggregators and at what level. They also have a foundation to continue strengthening their API security and remain vigilant of changes and needs in their business.
Nico summarizes their experience: