- Added new optional Attestation Response Code (ARC) claim to Approov tokens. This will be enabled by default for new accounts, and can be enabled by the Approov CLI for existing account holders. It provides an encoded form of the device properties that the token was issued for, and also whether the token was valid or not. The encoding is such that it is not possible to determine the device properties or status without access to the Approov backend to decode it.
- Approov CLI command to enable/disable ARC encoding on an account.
- Added a new method in the SDK to get the ARC encoding for any particular token. This provides the option of displaying the ARC encoding to the user for support purposes.
- Provide a new API endpoint that can be called directly by Approov account holder backend systems to decode an ARC claim into the device properties that are encoded.
- Provide a new API endpoint that can be called directly by Approov account holder backend systems to obtain additional information about an Approov token. This also provides an option to report a particular token if there is reason to think it is being misused, or it is believed there has been a token failure in error.
- Reorganize documentation around Device Properties for improved readability.
- Provide conjunction filters that match when a set of input filters are matching for a given attestation.
- Provide a filter option to mark a device as risky if there is a match.
- Provide a filter option to just reject a device on a filter match without a permanent device ID ban.
- Provide regular expression support for filtering matching.
- Make execution of the custom filtered security policy conditional on a filter option to allow finer-grained control.
- Change filtered security policy selection so that an app does not need to keep executing it once it has been selected.
- Support a `-getInfo` filter option to get the device information for recent devices that matched one or more filters that use the new `-captureDeviceInfo` flag.
- Provide a setUserProperty method in the SDK that provides an arbitrary string that can be seen in the device information and is subject to filtering.
- Support message signing as an advanced option. Provide a primitive in the SDK to sign an arbitrary message with a secret account key that is only transmitted to app instances that pass attestation. Additional CLI options to get, clear and change the secret key used. New Approov token claim indicates if signing is available and the current key.
- Provide Approov CLI option to list all of the available SDK libraries.
- Various security enhancements in the SDK, especially on Android with further advanced memory analysis features added.
- Basic Appium detection for iOS apps.
- Fix for an execution time regression in `getIntegrityMeasurementProof` on Android, related to the App Bundle support added in 2.3.
- New branding for documentation and monitoring emails.
- macOS Approov CLI binary is now notarized with Apple, so there are no longer any warnings on first use on Catalina.
- Android app bundle registration support now includes verity signing algorithms.
- General support for the banning (and unbanning) of specific device IDs with the `approov device` commands. It is no longer specific to users of the Apple-only DeviceCheck functionality and can be used on either iOS or Android, without use of DeviceCheck.
- Improved DeviceCheck support so that the device check token fetch (which can take several seconds) is only performed on the first invocation of an app after initial installation.
- Add support for Google SafetyNet via the new `approov safetynet` commands.
- `approov device` commands to obtain the persisted state for a particular device. Also a command to completely clear all persisted device state for an account.
- Ability to reinitialize the SDK to support the use of multiple different Approov accounts associated with an app.
- New delegate management token that can be provided to the developer of an app, with their own Approov account, who is then able to manage registrations in the account.
- Registration cloning option used in conjunction with the delegate management token to copy permanent registrations from one account to another.
- Added SDK command to get the list of URLs the SDK may access to make it easier to setup firewall rules when running an app inside a private network.
- Provide option to set a user specified label for a particular device that has a custom policy.
- Improved error information from the Approov CLI when attempting to get pins for a domain with an untrusted certificate chain.
- Ability to specify ports when obtaining certificate chains or leaf pins using the Approov CLI, to support API endpoints not served on the normal HTTPS port 443.
- New live metrics graph showing the causes of rejections and also the current rejection policy that is being applied.
- Facility for 2.4 SDKs to obtain the pins for the certificate chain as seen by the SDK on a particular device for an arbitrary URL specified by the user in the approov device command set.
- Capability for 2.4 SDKs to always perform a pinning integrity check when the device ID is first used to verify that the pinning support libraries on the device have not been compromised.
- Approov CLI device command to get more detailed information associated with a device ID that has had a custom device policy set. This also provides the same information for up to the last 100 new devices added to an account.
- Approov CLI device command to obtain the stream of device IDs (and timestamps) for up to the last 1000 token fetches performed on the account.
- Approov CLI filter commands added to perform matching on the attributes of devices fetching tokens, and to show matches in a new graph in live metrics and to optionally ban devices that match.
- Ability to execute a custom security policy on devices which match one or more filters.
- Enhanced detection of attempts to spoof the IP address being presented to the Approov cloud servers.
- Generate warnings from the Approov CLI if pinning to a certificate not supported by iOS pinning implementations.
- Fix issue whereby an app would always show `app-not-registered` after it has been launched, even if the registration was subsequently added with `approov registration` (previously the app needed to be relaunched to match the newly added registration).
- Fix app package name reporting when running in the iOS simulator.
- Simplified support for Android App Bundles. There is no longer any need to download the `base.apk` from the Play Store for production registration. It is now possible to register `.aab` files directly after having added the app signing certificate for your apps.
- SDK optimizations to improve the latency of token fetching on both iOS and Android.
- Added detection on Android of cloned multiapps (such as Parallel Space), as these undermine the security of running apps. Cloned apps are now rejected in the standard security policies. Note that this policy is retrospectively introduced in prior versions via an over-the-air update to SDKs.
- Significant improvements to the hardening of the iOS SDK, especially with regard to attacks using a debugger. The additional debugger defences may prevent you from attaching a debugger at all on a real device during iOS development unless you specifically whitelist the device.
- Improvements to the detection of Magisk Manager on Android devices. Detection is now possible even when using all manager hide features in the latest (20.3) release.
- Support for multiple mobile provisioning files in an iOS IPA. The Approov CLI will automatically choose the one relevant for your overall app registration.
- Availability of the backend API integration example walk-throughs.
- Detection of the automated launching of an app on Android and inclusion of a flag in the annotations to show this. This can be used to combat some app automation attacks.
- Introduction of the Approov monitoring service that sends monthly (and optionally daily) email updates on your usage of the service.
- Email alerts when management tokens you have created are about to expire.
- `getDeviceID()` method in the SDK to obtain the device ID of the device upon which the SDK is running.
- Some improvements to the metrics that are collected for the account and accessible through the CLI.
- SDK metrics now show the Approov SDK ID and architecture that is being used.
- Certain metrics that simply showed as
error previously are now shown more explicitly as
- Fail metrics for hourly, daily and monthly are now restricted to only showing those metrics that are relevant as causes of the failure.
- App related metrics now show the platform of the app, as either
and (for Android).
- Offline measurements are now restricted to being performed on API domains restricted with encrypted (JWE) tokens, as an additional security precaution.
- Introduction of the health checking endpoint for a specific account, showing if the primary Approov service is operating normally.
- Significant improvements to the pinning management commands in the `approov` command line tool. It is now possible to individually remove and add pins on a specific API domain.
- New mechanism to signal to a running app that the latest pin updates provided in an updated configuration must be applied. This is for app integrations that are only able to set the pins during the startup of the app. This allows the app to be signalled that it must update its pins, even if that means prompting the user to allow an app restart. An additional `isForceApplyPins` property is provided on the token fetch result to support this, and a new `approov` CLI command can initiate the force action.
- `approov policy -get` option is enhanced to provide a more detailed description of the different aspects of the currently selected security policy.
- The range of `approov secret -get` options is expanded to get the secret in JWK format. An option is also provided to restrict a new secret to printable characters and to retrieve that form. This is required for some JWT libraries that are unable to accept secrets containing non-printable characters.
- A new facility is provided whereby a key ID can be set for the Approov tokens in the account. This is included in the `kid` header of JWS tokens. This allows easier integration for certain backend token checking systems.
- Fix issue with the Approov CLI when using the `approov devicecheck -add` command and a certificate path not in the current directory.
- Fix problem whereby some requests that failed due to very poor connectivity were showing as `sdk-result-no-approov` in the SDK metrics.
- Correctly handle `approov token -check` for loggable tokens on Windows, where the single quotes suggested in the documentation were insufficient.
- New account level metrics facility showing live, hourly, daily and monthly metrics on the usage of the account. This provides insight into the reasons for any attestation rejections, the status of different app versions being run and the total usage on the account. The dashboards can be reached using the new `approov metrics` command. This new facility is designed to replace the graphs previously available using `approov usage`; these remain available but will be removed in a future release.
- Capability to ban particular iOS devices using the Apple DeviceCheck facility. This is set up using the new `approov devicecheck` command.
- Ability to fetch Approov tokens when running on the iOS simulator.
- Direct control over the stance regarding the collection of end user IP addresses and their inclusion in the Approov tokens. The IP tracking settings are available in the `approov policy` command.
- Enhancements to the obfuscation of the SDK code to further protect against reverse engineering.
- New SDK architecture allowing dynamic updates of runtime app threat analysis
- Various security enhancements in the SDKs and facilities for gathering of threat analysis from live installations
- Changes to SDK interfaces to create more consistency between the iOS and Android versions
- Improved error reporting and status logging from Approov token fetching
- Optimization of SDK network access to reduce number of transactions and size of data transmitted
- New dynamic pinning approach leveraging standard public key pinning, allowing easier app integration and availability of pins on app startup without network access
- Range of administration tool features to gather and manage public key pins
- Over the air secure updates to pins and Approov networking rules
- Migration to a new command line tool for administration of accounts
- Support for registration of iOS and Android apps across all OS platforms (no dependency on Android Studio or iOS Xcode installation)
- Option for single command deletion of multiple unused app registrations
- Direct user administration of security policies
- Per device setting of security policies and pinning modes, including blacklisting and whitelisting specific devices
- Access to latest SDKs via administration tool with upgrade messages when new versions available
- Facilities for creating example Approov tokens for testing
- Facilities to check the validity of particular Approov tokens
- Facilities for generating customized long lived Approov tokens
- User issuance and revocation of management tokens to administrate the account
- Option for user initiated update of Approov token secret
- Support for encrypted (JWE) Approov tokens
- New offline measurement mode functionality to allow attestation of app to a remote device when neither is Internet connected
- Added payload capability to add your content to the generated token
- Change Android APK registration to avoid the v2 signing block while generating the app signature. This makes new registrations work with the soon-to-be-released Google Play signing behaviour
- Architecture banning
- Emulator detection
- SDK hardening
- Man in the Middle detection
- Improved rooted device detection
- Detect function hooking frameworks
- Android 8 (Oreo) support
- New ‘did’ token claim containing device ID.
- The `fetchApproovToken()` and `fetchApproovTokenAndWait()` interfaces without URL/hostname parameters are deprecated on all platforms. You should now supply a valid hostname string or null when fetching a token.
- The `ad` token claim is now obsolete.
- Internal SDK library improvements
- Time limited registrations
- Removed dependency on external tools for registration
- Admin Portal support for Safari browsers on macOS/OS X
- Bug fixes for Admin Portal on Microsoft Edge browsers
- Deprecation of app-repackaging support in Android and iOS SDKs
- Client side bug fixes and stability improvements
- Failover mechanism on both server and client side enabling more robust service
- Client side bug fixes and stability improvements
- Breaking change: New callback-based API for Approov token fetch notifications in Android and iOS clients
- Synchronous Approov token fetch API in Android and iOS clients
- Client-side iOS support for iOS 10, Xcode 8 and Swift 3
- Server-side bug fixes, stability and performance improvements
- Improve Android notification mechanism; alter registration mechanism so that registration of the BroadcastReceiver is done via the ApproovAttestation class
- Server-side bug fixes, stability and performance improvements
- Health Check API added
- Server-side bug fixes, stability and performance improvements
- Token Intents are broadcast globally
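Several items above concern backend verification of Approov tokens: the account secret retrievable in JWK or printable form, the optional account key ID carried in the `kid` header of JWS tokens, the `exp` and `did` claims, and `approov token -check`. The following is an added example of the check a backend would perform, written here as illustration and not taken from Approov's own code or SDK. It assumes (as the wider Approov documentation describes, but this page does not state) that tokens are HS256 JWS signed with the base64-decoded account secret; the secret, key ID and all tokens in the block are constructed for the example, with `mint_token()` standing in for the Approov service so the check can be exercised offline.

```python
"""Added example (not Approov's own code): standard-library check of an
HS256 JWS token as a backend would do it. The account secret and key ID
below are constructed for the example; a real secret comes from
`approov secret -get` and a real token from the Approov SDK."""
import base64
import hashlib
import hmac
import json
import time

# Constructed, assumed values for the example (not real credentials).
ACCOUNT_SECRET_B64 = base64.b64encode(b"example-account-secret-32-bytes!!").decode()
ACCOUNT_KEY_ID = "example-kid-1"


class TokenError(Exception):
    """Raised for any reason the token must be rejected."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret_b64=ACCOUNT_SECRET_B64, kid=ACCOUNT_KEY_ID, alg="HS256"):
    """Stand-in for the Approov service: build a JWS with the given claims.
    Exists only so verify_token() can be exercised offline."""
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    if alg == "none":  # unsigned token, used to show the check rejects it
        return signing_input + "."
    key = base64.b64decode(secret_b64)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret_b64=ACCOUNT_SECRET_B64, expected_kid=ACCOUNT_KEY_ID, now=None):
    """Return the claims of a valid, unexpired HS256 JWS; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a JWS compact serialization (expected 3 segments)")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as e:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenError(f"malformed token: {e}")
    # Pin the algorithm: the header's `alg` must never select the verifier
    # (this is what stops "alg":"none" and RS256/HS256 confusion attacks).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # `kid` is a selector for which account key to use; a mismatch is a
    # rejection, never a fallback to "try every key".
    if expected_kid is not None and header.get("kid") != expected_kid:
        raise TokenError("kid does not match the account's configured key ID")
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise TokenError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenError("missing or non-numeric exp claim")
    if (time.time() if now is None else now) >= exp:
        raise TokenError("token expired")
    return payload


def check_token(token, now=None, **kw):
    """Non-raising wrapper: (True, claims) on success, (False, reason) on rejection."""
    try:
        return True, verify_token(token, now=now, **kw)
    except TokenError as e:
        return False, str(e)


if __name__ == "__main__":
    t = mint_token({"exp": 1_700_000_600, "did": "constructed-device-id"})
    print(check_token(t, now=1_700_000_000))
    print(check_token(t, now=1_700_000_600))  # expired at exactly exp
    print(check_token(mint_token({"exp": 1_700_000_600}, alg="none"), now=1_700_000_000))
```

The order of checks matters: algorithm and key ID are validated before any cryptography, the signature is verified before any claim is trusted, and only then is `exp` read. A rejection reason should be logged server-side but not echoed to the client, since it tells an attacker which part of a forged token to adjust.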