Before you sign up, and the 30 day clock starts ticking, you may wish to define your integration strategy. Have a look at the Quickstart guides which we have created for native environments as well as for popular development platforms/languages. You may find that we have already done much of the integration work for you, and usually it only takes a few lines of code to include Approov, import it and start using it in your mobile app code.
If you require security approvals before starting the Approov trial use the Approov Security and Compliance Guide to explain how the Approov solution operates securely in your environment.
You can gain access to the Approov service by signing up on our website here. A 30 day free, no-obligation trial of the full Approov service will be yours and only requires you to provide your details (using a professional email address) and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step.
If in doubt at any stage, please remember that a full set of Approov documentation is available to you.
You can upgrade to a paid plan at any time during the trial period. No additional technical setup is needed when you move from trial to a paid subscription, ensuring that the whole process is seamless.
We recommend that the first thing you do is to follow our Mobile App Quickstarts to integrate Approov into your mobile app.
The quickstart provides the details of how to integrate Approov into your app using mobile app development platforms we support out of the box. This includes native Android and iOS development using various networking stacks.
If your platform does not have an associated quickstart guide, don’t worry because a direct SDK integration is possible and we can assist you with this.
For most of our quickstarts you will be able to integrate just using the configuration string provided in your onboarding email, without any need to install the Approov CLI tool. Follow the specific instructions for your platform.
At the end of the integration process you should be able to see live metrics, using the link also provided in the onboarding email. At this point you can even consider going live in production with your app. This won’t provide any blocking capability but will give you deep insights into the composition of your user base and the environments that the apps are running in.
The information will show app-not-registered because you have not added your app signing certificates to the Approov service. To do that you need to install the Approov CLI as discussed in the next section.
Obviously you need to follow the appropriate quickstarts for both Android and iOS apps if you want to have the full experience.
If you’ve deployed Approov with your apps you can now gather lots of interesting information about the real sources of all the traffic on your APIs. For an overview of our metrics dashboards, you can check out this blog, and for a deeper dive into all the options, our documentation covers metrics graphs. This is also where you will see your billing graphs.
In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic in your backend (where you perform the Approov token check) as well as within the Approov metrics. This will require the backend integration step described below.
Find full instructions on how to install the Approov CLI (Command Line Tool). All management of the Approov account is done using the Approov CLI. Examples, showing how to use this tool, are provided throughout the documentation and a detailed reference for all the commands can be found in the Approov CLI Tool Reference.
If you are the account owner, initialization will grant account access with dev (development) and admin (administration) level roles available. Most operations can be carried out using the dev role, but the admin role is necessary for certain operations that require elevated privileges.
To get valid Approov tokens or secure strings you will need to add the app signing certificate with auto-registration. This is covered in the appropriate quickstarts.
Alternatively you can add individual app registrations. In this case, each app build will need to be registered before it will receive valid Approov tokens, unless the device performing the attestation is forced to pass; see Forcing a DeviceID to Pass.
You will need to manage the API domains you wish to protect with Approov. Adding the API domain will automatically cause Approov tokens to be added as a header for the appropriate API calls.
When you add an API to Approov it will automatically benefit from the Approov built-in dynamic pinning functionality.
Follow one of our Backend API Quickstarts. Here you will find the details of how to integrate the Approov token check into the backend platforms we support out of the box.
If your platform does not have an associated quickstart guide, don’t worry because the backend integration process is easy.
For testing and verification there is a range of capabilities open to you:
These features will allow you to establish that the flow is working as intended.
Once your frontend and backend integrations are complete you will want to check everything out before you enable live blocking of API calls that do not provide valid Approov tokens.
Once you are comfortable that your app functionality and customer experience is unchanged by the inclusion of Approov, you are ready to go live. We recommend that when you initially go live you do not block traffic based on the Approov token. Monitor the traffic closely using the metrics.
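The backend token check (Backend API Quickstarts above) and the non-blocking monitor mode recommended for initial go-live, as an added example that is not Approov's own code: it verifies an HS256 JWT taken from an assumed Approov-Token header against a constructed placeholder secret, and either logs or rejects failures depending on an enforce flag.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment uses the account secret obtained via the Approov CLI.
SECRET = b"constructed-demo-secret-not-a-real-approov-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_approov_token(token: str, secret: bytes, now=None):
    """Check an HS256 JWT's signature and exp claim; return (ok, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict) or header.get("alg") != "HS256":
        return False, "bad-alg"  # never trust the token's own alg (e.g. "none")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad-signature"
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        return False, "expired"
    return True, "ok"

def handle_request(headers: dict, secret: bytes, enforce: bool, now=None):
    """Backend check. enforce=False is the initial go-live monitor mode: the failure reason is
    returned for logging but the call is allowed through; enforce=True rejects it with 401."""
    ok, reason = verify_approov_token(headers.get("Approov-Token", ""), secret, now)
    if ok:
        return 200, "ok"
    return (401, reason) if enforce else (200, "monitor:" + reason)

def make_test_token(secret: bytes, claims: dict) -> str:
    """Constructed token in the same format, for testing only; the Approov service signs real tokens."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

The reason strings returned in monitor mode are what you would log and compare against the app authentication failures shown in the Approov metrics before switching enforce on.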
We have a Go Live Checklist that you can go through to make sure you have considered all the likely issues.
Another way you can check out Approov is to try and beat it! Pentesting your platform, either using a third-party pentesting company or your own internal resources, is an excellent way to build confidence in Approov and generate additional evidence for your evaluation report.
As you try different approaches to try and breach the Approov solution, you can monitor the Approov metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air dynamic configuration capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.
Once you have established the effectiveness of the core functionality you can test other features. See Exploring Other Approov Features for information about additional Approov features you may wish to try.