SIXT Customer Story
Minimizing the Business Impact of Data Scraping
SIXT, established in 1912, was the first car rental company in Germany. The company has grown worldwide, has always focused on great customer service and has continually improved their offering to meet changing market needs.
In the early days of car sharing, we saw some aggregators popping up and displaying the availability and location of our vehicles. Reviewing our API security arrangements, we realized how straightforward it was to extract this level of data and we worried about the possibility that third parties might be able to take a further step and reserve and access our cars via our API.
We looked around for a solution which could authenticate when API requests were coming from our mobile apps and when they were coming from third-party mobile apps, and that’s when we came across Approov. I’d like to emphasize that we are not opposed to sharing data at all, but rather we want to control which data we share and who we share it with - in order to maintain our brand image and direct connection with our customers. Approov gives us that granularity of control.
- Nico Gabriel, President SixtX
Like much of the travel industry, car sharing (or ride sharing) tends to attract aggregator partners who offer promotions to help increase traffic and book services.
Because car sharing relies on mobile apps for reservations and access to dynamic and up-to-date data on vehicle availability, characteristics, and location, SIXT realized they needed a more secure API to protect their customer data.
How Approov Mobile App Protection Helped
Aggregators are difficult to lock down because most enterprise security controls rely principally on user authentication, and most consumers willingly hand their user credentials to an aggregator in order to access the services it offers. The aggregator can thus act in the customer's role, and user authentication alone cannot distinguish it from the genuine app.
The SIXT approach was to use Approov to deploy mobile app authentication first and then to switch on specific security capabilities and optional features over time. The first deployment of Approov brought vehicle availability and location data back under SIXT control.
Over time additional security layers were added, including:
- Man-in-the-Middle (MitM) detection to ensure that bad actors were not monitoring SIXT API traffic.
- Instrumentation framework detection (for example, Frida) to ensure that attackers were not using such tools to reverse engineer the SIXT mobile app.
- Use of the Approov custom claim capability to bind user sessions to tokens to minimize the risk of at-scale attacks.
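The third layer above, binding a user session to the app token so that a stolen or replayed token cannot be reused with another session, is illustrated by the following backend check. This is an added example, not Approov's or SIXT's code: it assumes a hypothetical attestation service that issues an HS256-signed JWT with a `bind` claim holding the SHA-256 of the user session token, and a shared secret (constructed) between that service and the API backend.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the hypothetical attestation service and the API backend.
ATTESTATION_SECRET = b"constructed-demo-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def binding_hash(session_token: str) -> str:
    """Value of the hypothetical 'bind' claim: SHA-256 of the user session token."""
    return _b64url(hashlib.sha256(session_token.encode()).digest())

def issue_app_token(session_token: str, ttl: int = 300, now=None) -> str:
    """Stand-in for the attestation service: short-lived HS256 JWT bound to one session."""
    now = now or int(time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": now + ttl, "bind": binding_hash(session_token)}).encode())
    sig = hmac.new(ATTESTATION_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_request(app_token: str, session_token: str, now=None) -> tuple:
    """Backend check: algorithm, signature and expiry first, then the binding claim
    must match the session token presented alongside the app token."""
    try:
        header, payload, sig = app_token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "unexpected alg"          # refuse algorithm confusion
        expected = hmac.new(ATTESTATION_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"           # not issued by the attestation service
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims.get("exp", 0) <= (now or int(time.time())):
        return False, "expired"
    if not hmac.compare_digest(claims.get("bind", ""), binding_hash(session_token)):
        return False, "session/token binding mismatch"  # token replayed with another session
    return True, "ok"
```

A mismatch result is the signal worth alerting on: a valid, unexpired app token arriving with a session it was not issued for indicates token reuse across users, which is exactly the at-scale pattern the binding is meant to stop.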
With their API environment now stable and secure, SIXT chooses what data to share with aggregators and at what level. They also have a foundation to continue strengthening their API security and to remain vigilant about changes and needs in their business.
Nico summarizes their experience: