Things to think about before you sign up and the 30 day clock starts ticking:
You can gain access to the Approov service by signing up on our website here. A 30 day free, no obligation trial of the full Approov service will be yours; it only requires you to provide your details - using a professional email address - and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step. If in doubt at any stage, please remember that a full set of Approov documentation is available to you. You can upgrade to a paid plan at any time during the trial period. No additional technical setup is needed when you move from trial to a paid subscription, so the whole process is seamless.
All management of the Approov account is done using a Command Line Interface (CLI) tool available for Linux, MacOS and Windows and downloaded from here. Examples showing how to use this tool are provided throughout the documentation, and a detailed reference for all the commands can be found in the Approov CLI Tool Reference.
The first step in using Approov is to install this tool on your system and then initialize it using the information provided in the Approov Onboarding email. If you are the account owner, initialization will grant account access with dev (development) and admin (administration) level roles available. Most operations can be carried out using the dev role, but the admin role is necessary for certain operations needing elevated privileges. If you received your Approov Onboarding email as a result of being added to an existing Approov account then you will be provided with a specific access role.
Find full instructions on how to install the Approov CLI here. Once you have done this you can proceed with the remainder of these instructions.
Initialize access to your Approov account using the information from the Approov Onboarding email. Copy and paste the instruction from the email into the CLI.
If approov cannot be found then there has been an issue with the OS-specific installation.
Initializing access grants access to your Approov account from your machine. The parameter myaccount is the identifier of your allocated Approov account. The next parameter is a time-limited onboarding code for your account.
You will normally be invited to choose a password for your access to Approov. If your onboarding included a dev role then this will be automatically selected for subsequent uses of the Approov CLI. You will be invited to type in the password again on first usage, and after each one-hour session expires.
Note that you are also provided with a PIN. You should make a note of this somewhere private and secure; it will be needed if you ever need to recover access to your account via email. The PIN provides an additional level of protection for your Approov account in case access to your email account is compromised.
Now you can download the latest Approov SDKs using our Command Line Interface (CLI) and follow the Quickstart guides or generic integration instructions you identified in step 1.
Obviously you need to follow the appropriate Quickstarts for both Android and iOS apps if you want to have the full experience.
You will need to define the APIs you want to protect with Approov, and you can find details on that here. When you add an API to Approov it will automatically benefit from the Approov built-in dynamic pinning capability. You can also choose to set the pins manually.
Once your frontend and backend integrations are complete you will want to check everything out before you deploy updated versions of your apps.
Once you are comfortable that your app functionality and customer experience is unchanged by the inclusion of Approov, you are ready to go live. We recommend that you go live but do not block traffic based on the Approov token initially. Monitor the traffic closely (see next step) and please let the Approov Customer Service Team know when you intend to push the updated app into the wild. We’ll keep an eye on it, ensuring that everything looks good and we’ll let you know if we see anything which needs to be tweaked.
Now that you’ve deployed Approov with your apps you can gather lots of interesting information about the real sources of all the traffic on your APIs. For an overview of our Metrics dashboards, you can check out this blog, and for a deeper dive into all the options, our documentation covers it here.
In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic at your endpoint (where you do the Approov token check) as well as within the Approov Metrics. This is because our metrics only see authentication requests and the subsequent pass/fail results.
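The following is an added example (not Approov's own code or any of its SDKs) of the kind of token check at your endpoint that the two steps above describe: it always logs the pass/fail reason so endpoint logs can be lined up with the Approov Metrics, and only rejects requests once you flip it from the recommended initial monitor-only mode to enforcement. It assumes the Approov token arrives as an HS256-signed JWT in an Approov-Token header and uses a constructed secret; the header name and the secret are assumptions for this example.

```python
import base64, hashlib, hmac, json

# Constructed secret for this example only; a real deployment would use the
# secret exported for your account via the Approov CLI (an assumption here).
SECRET = b"example-secret-not-a-real-approov-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, now: float):
    """Return (valid, reason); the reason is what you log and later compare
    against the failure reasons shown in the Approov Metrics."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "bad-alg"          # never trust a client-chosen alg
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad-signature"
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"

def handle_request(headers: dict, secret: bytes, enforce: bool, now: float) -> dict:
    """Monitor mode (enforce=False) records the outcome but never blocks.
    Switch to enforce=True once your logs and the Metrics look as expected."""
    token = headers.get("Approov-Token", "")     # header name is an assumption
    valid, reason = verify_token(token, secret, now) if token else (False, "missing")
    log_line = f"approov_check valid={valid} reason={reason} enforce={enforce}"
    blocked = enforce and not valid
    return {"status": 401 if blocked else 200, "reason": reason, "log": log_line}
```

In monitor mode, a sudden rise in "bad-signature" or "missing" in your endpoint logs that does not appear in the Approov Metrics points at traffic that never went through app authentication at all.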
Another way you can check out Approov is to try and beat it! Pentesting your platform, either using a third-party pentesting company or your own internal resources, is an excellent way to build confidence in Approov and generate additional evidence for your evaluation report.
As you try different approaches to breach the Approov solution, you can monitor the Approov Metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air dynamic configuration capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.
For the testing and verification there is a range of capabilities open to you:
These features will allow you to establish that the flow is working as intended.
Once you have established the effectiveness of the core functionality you can test advanced features, for example: