Approov Trial Guide

How to Set Up and Run a Successful Trial

Before you start the trial

Things to think about before you sign up and the 30-day clock starts ticking:

  • Define your integration strategy: Before signing up, look at the Quickstart guides which we have created for native environments as well as for popular development platforms/languages. You may find that we have already done much of the integration work for you, and usually it only takes a few lines of code to include Approov, import and start using it in your mobile app code. You need to look into both frontend and backend Quickstart guides:
    • Frontend Quickstarts. Here you will find the details of how to integrate Approov into your app using mobile app development platforms we support out of the box. This includes native Android and iOS development using various network stacks. If your platform does not have an associated Quickstart guide, don’t worry because the generic integration process is easy. You can read about it here.
    • Backend Quickstarts. Here you will find the details of how to integrate the Approov token check into the backend platforms we support out of the box. If your platform does not have an associated Quickstart guide, don’t worry because the generic token check integration process is easy. You can read about it here.
  • If you require security approvals before starting the Approov trial, use the Approov Security and Compliance Guide here to explain how the Approov solution operates securely in your environment.

Sign Up for an Approov Trial

You can gain access to the Approov service by signing up on our website here. You get a 30-day, free, no-obligation trial of the full Approov service; you only need to provide your details, using a professional email address, and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step. If in doubt at any stage, please remember that a full set of Approov documentation is available to you. You can upgrade to a paid plan at any time during the trial period. No additional technical setup is needed when you move from trial to a paid subscription, so the whole process is seamless.

Initializing the Approov CLI

All management of the Approov account is done using a Command Line Interface (CLI) tool, available for Linux, macOS and Windows, which can be downloaded from here. Examples showing how to use this tool are provided throughout the documentation, and a detailed reference for all the commands can be found in the Approov CLI Tool Reference.

The first step in using Approov is to install this tool on your system and then initialize it using the information provided in the Approov Onboarding email. If you are the account owner, initialization will grant account access with dev (development) and admin (administration) level roles available. Most operations can be carried out using the dev role, but the admin role is necessary for certain operations needing elevated privileges. If you received your Approov Onboarding email as a result of being added to an existing Approov account then you will be provided with a specific access role.

Find full instructions on how to install the Approov CLI here. Once you have done this, you can proceed with the remainder of these instructions.

Initialize access to your Approov account using the information from the Approov Onboarding email. Copy and paste the instruction from the email into the CLI.

If approov cannot be found then there has been an issue with the OS-specific installation.

Initializing access grants access to your Approov account from your machine. The parameter myaccount is the identifier of your allocated Approov account. The next parameter is a time-limited onboarding code for your account.

You will normally be invited to choose a password for your access to Approov. If your onboarding included a dev role then this will be automatically selected for subsequent uses of the Approov CLI. You will be invited to type in the password again on first usage, and after every one-hour session expires.

Note that you are also provided with a PIN. Make a note of it somewhere private and secure, because it will be needed if you ever have to recover access to your account via email. The PIN provides an additional level of protection for your Approov account in case access to your email account is compromised.

Integrate and Deploy

Now you can download the latest Approov SDKs using our Command Line Interface (CLI) and follow the Quickstart guides or generic integration instructions you identified in step 1.

Obviously you need to follow the appropriate Quickstarts for both Android and iOS apps if you want to have the full experience.

You will need to define the APIs you want to protect with Approov and you can find details on that here. When you add an API to Approov it will automatically benefit from the Approov built-in dynamic pinning capability. You can also choose to set the pinning manually.

Once your frontend and backend integrations are complete you will want to check everything out before you deploy updated versions of your apps.

Once you are comfortable that your app functionality and customer experience are unchanged by the inclusion of Approov, you are ready to go live. We recommend that you go live but do not block traffic based on the Approov token initially. Monitor the traffic closely (see next step) and please let the Approov Customer Service Team know when you intend to push the updated app into the wild. We’ll keep an eye on it, ensuring that everything looks good, and we’ll let you know if we see anything which needs to be tweaked.

Monitor your API traffic with Approov Metrics

Now that you’ve deployed Approov with your apps, you can gather lots of interesting information about the real sources of all the traffic on your APIs. For an overview of our Metrics dashboards, you can check out this blog, and for a deeper dive into all the options, our documentation covers it here.

In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic at your endpoint (where you do the Approov token check) as well as within the Approov Metrics. This is because our metrics only see authentication requests and the subsequent pass/fail results.
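The monitor-first rollout recommended above, and the endpoint-side counting this section calls for, can be sketched as follows. This is an added example, not Approov's own code: it verifies an HS256-signed JWT with the standard library only, and the `Approov-Token` header name, the secret, the `enforce` switch and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from collections import Counter

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(secret: bytes, exp: int) -> str:
    """Build a constructed HS256 JWT that stands in for a real token."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"exp": exp}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_token(token, secret: bytes, now=None) -> str:
    """Return 'valid' or the reason the token failed the check."""
    if not token:
        return "missing"
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm on the server; never accept the header's choice.
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            return "bad_alg"
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return "bad_signature"
        exp = json.loads(_unb64url(body)).get("exp")
    except (ValueError, TypeError, AttributeError):
        return "malformed"
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return "expired"
    return "valid"

METRICS = Counter()  # endpoint-side counts, kept alongside the Approov Metrics

def handle_request(headers: dict, secret: bytes, enforce: bool = False, now=None) -> int:
    """Check the token on every request; reject only once enforce is True."""
    result = check_token(headers.get("Approov-Token"), secret, now)
    METRICS[result] += 1        # count every outcome, even while not blocking
    if result != "valid" and enforce:
        return 401              # blocking phase: reject the request
    return 200                  # monitoring phase: let the request through
```

Run with `enforce=False` during the initial go-live, compare the counts per failure reason with what the Approov Metrics report, then switch to `enforce=True` once the numbers look as expected.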

Test your platform

Another way you can check out Approov is to try and beat it! Pentesting your platform, either using a third-party pentesting company or your own internal resources, is an excellent way to build confidence in Approov and generate additional evidence for your evaluation report.

As you try different approaches to breach the Approov solution, you can monitor the Approov Metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air dynamic configuration capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.

Advanced Features

For the testing and verification there are a range of capabilities open to you:

These features will allow you to establish that the flow is working as intended.

Once you have established the effectiveness of the core functionality you can test advanced features, for example:

  • Update your Security Policy to change the conditions under which an app will be given a valid Approov token.
  • Learn how to Manage Devices to apply custom policies to specific devices (useful for enabling debug on your development devices).
  • Learn how to Manage Key Sets to manage additional keys for signing or encrypting Approov tokens, and to allow access to a wide range of JWT algorithms beyond the default HS256 signing method.
  • Understand User Management so you can add and remove access for others to your Approov account.
  • Employ Automated Approov CLI Usage to enable integration of Approov with Continuous Integration (CI) systems.
  • Use the Metrics Graphs to see live and accumulated metrics of devices using your account and any reasons for devices being rejected and not being provided with valid Approov tokens. You can also see your billing usage which is based on the total number of unique devices using your account each month.
  • Use Service Monitoring emails to receive monthly (or daily) summaries of your Approov usage. You can also manage the API domains to be continuously monitored to ensure they are accessible and that the pins match those added to your account.
  • Investigate advanced features, such as: