Release Notes

Version 2.3

New Features:

  • Simplified support for Android App Bundles. There is no longer any need to download the base.apk from the Play Store for production registration. It is now possible to register .aab files directly after having added the app signing certificate for your apps.
  • SDK optimizations to improve the latency of token fetching on both iOS and Android.
  • Added detection on Android of cloned multiapps (such as Parallel Space), as these undermine the security of running apps. Cloned apps are now rejected in the standard security policies. Note that this policy is retrospectively introduced in prior versions via an over-the-air update to SDKs.

Version 2.2

New Features:

  • Significant improvements to the hardening of the iOS SDK, especially with regard to attacks using a debugger. The additional debugger defences may prevent you from attaching a debugger at all on a real device during iOS development unless you specifically whitelist the device.
  • Improvements to the detection of Magisk Manager on Android devices. Detection is now possible even when using all manager hide features in the latest (20.3) release.
  • Support for multiple mobile provisioning files in an iOS IPA. The Approov CLI will automatically choose the one relevant for your overall app registration.
  • Availability of the backend API integration example walk-throughs.
  • Detection of the automated launching of an app on Android and inclusion of a flag in the annotations to show this. This can be used to combat some app automation attacks.
  • Introduction of the Approov monitoring service that sends monthly (and optionally daily) email updates on your usage of the service.
  • Email alerts when management tokens you have created are about to expire.
  • New getDeviceID() method in the SDK to obtain the ID of the device upon which the SDK is running.
  • Some improvements to the metrics that are collected for the account and accessible through the CLI command approov metrics.
    • SDK metrics now show the Approov SDK ID and architecture that is being used.
    • Certain metrics that simply showed as error previously are now shown more explicitly as fail-bad-request.
    • Fail metrics for hourly, daily and monthly are now restricted to only showing those metrics that are relevant as causes of the failure.
    • App related metrics now show the platform of the app, as either ios or and (for Android).
  • Offline measurements are now restricted to being performed on API domains restricted with encrypted (JWE) tokens, as an additional security precaution.
  • Introduction of the health checking endpoint for a specific account, showing if the primary Approov service is operating normally.
  • Significant improvements to the pinning management commands in the approov command line tool. It is now possible to individually remove and add pins on a specific API domain.
  • New mechanism to signal to a running app that the latest pin updates provided in an updated configuration must be applied. This is for app integrations that are only able to set the pins during the startup of the app. This allows the app to be signalled that it must update its pins, even if that means prompting the user to allow an app restart. An additional isForceApplyPins property is provided on the token fetch result to support this and a new approov CLI command can initiate the force action.
  • The approov policy -get option is enhanced to provide a more detailed description of the different aspects of the currently selected security policy.
  • The range of approov secret -get options is expanded to get the secret in base64, base64url or JWK format. An option is also provided to restrict a new secret to printable characters and to retrieve that form. This is required for some JWT libraries that are unable to accept secrets containing non-printable characters.
  • A new facility is provided whereby a keyID can be set for the Approov tokens in the account. This is included in the kid header of JWS tokens. This allows easier integration for certain backend token checking systems.

Bug fixes:

  • Fix issue with approov CLI when using the approov devicecheck -add command and a certificate path not in the current directory.
  • Fix problem whereby some requests that failed due to very poor connectivity were showing as sdk-result-no-approov in the SDK metrics.
  • Correctly handle approov token -check for loggable tokens on Windows, where the single quotes suggested in the documentation were insufficient.

Version 2.1

New Features:

  • New account level metrics facility showing live, hourly, daily and monthly metrics on the usage of the account. This provides insight into the reasons for any attestation rejections, the status of different app versions being run and the total usage on the account. The dashboards can be reached using the new approov metrics command. This new facility is designed to replace the graphs previously available using the approov usage command; these remain available but will be removed in a future release.
  • Capability to ban particular iOS devices using the Apple DeviceCheck facility. This is set up using the new approov devicecheck command.
  • Ability to fetch Approov tokens when running on the iOS simulator.
  • Direct control over the stance regarding the collection of end user IP addresses and their inclusion in the Approov tokens. The IP tracking settings are available in the approov policy command.
  • Enhancements to the obfuscation of the SDK code to further protect against reverse engineering.

Version 2.0

New Features:

  • New SDK architecture allowing dynamic updates of runtime app threat analysis
  • Various security enhancements in the SDKs and facilities for gathering of threat analysis from live installations
  • Changes to SDK interfaces to create more consistency between the iOS and Android versions
  • Improved error reporting and status logging from Approov token fetching
  • Optimization of SDK network access to reduce number of transactions and size of data transmitted
  • New dynamic pinning approach leveraging standard public key pinning, allowing easier app integration and availability of pins on app startup without network access
  • Range of administration tool features to gather and manage public key pins
  • Over the air secure updates to pins and Approov networking rules
  • Migration to a new command line tool for administration of accounts
  • Support for registration of iOS and Android apps across all OS platforms (no dependency on Android Studio or iOS Xcode installation)
  • Option for single command deletion of multiple unused app registrations
  • Direct user administration of security policies
  • Per device setting of security policies and pinning modes, including blacklisting and whitelisting specific devices
  • Access to latest SDKs via administration tool with upgrade messages when new versions available
  • Facilities for creating example Approov tokens for testing
  • Facilities to check the validity of particular Approov tokens
  • Facilities for generating customized long lived Approov tokens
  • User issuance and revocation of management tokens to administrate the account
  • Option for user initiated update of Approov token secret
  • Support for encrypted (JWE) Approov tokens
  • New offline measurement mode functionality to allow attestation of app to a remote device when neither is Internet connected

Version 1.12

New Features:

  • Added payload capability to add your content to the generated token

Fixes:

  • Change Android APK registration to avoid the v2 signing block while generating the app signature. This makes new registrations work with the soon-to-be-released Google Play signing behaviour

Version 1.11

New Features:

  • Architecture banning
  • Emulator detection
  • SDK hardening

Version 1.10

New Features:

  • Man in the Middle detection
  • Improved rooted device detection
  • Detect function hooking frameworks
  • Android 8 (Oreo) support
  • New ‘did’ token claim containing device ID.

Deprecations:

  • The fetchApproovToken() and fetchApproovTokenandWait() interfaces without URL/hostname parameters are deprecated on all platforms. You should now supply a valid hostname string or null when fetching a token.
  • The ‘ad’ token claim is now obsolete.

Version 1.9

New Features:

  • Internal SDK library improvements

Version 1.8

New Features:

  • Time limited registrations
  • Removed dependency on external tools for registration
  • Admin Portal support for Safari browsers on macOS/OSX
  • Bug fixes for Admin Portal on Microsoft Edge browsers
  • Deprecation of app-repackaging support in Android and iOS SDKs
  • Client side bug fixes and stability improvements

Version 1.7

New Features:

  • Failover mechanism on both server and client side enabling more robust service
  • Client side bug fixes and stability improvements

Version 1.6

New Features:

  • Breaking change: New callback-based API for Approov token fetch notifications in Android and iOS clients
  • Synchronous Approov token fetch API in Android and iOS clients
  • Client-side iOS support for iOS 10, Xcode 8 and Swift 3

Version 1.5

New Features:

  • Server-side bug fixes, stability and performance improvements

Version 1.4

New Features:

  • Improve Android notification mechanism, alter registration mechanism so that registration of BroadcastReceiver is done via the ApproovAttestation class
  • Server-side bug fixes, stability and performance improvements

Known Issues:

Version 1.2

New Features:

  • Health Check API added
  • Server-side bug fixes, stability and performance improvements

Known Issues:

  • Token Intents are broadcast globally

Version 1.0

Initial version