Before you signup, and the 30 day clock starts ticking, your may wish to define your integration strategy. Have a look at the Quickstart guides which we have created for native environments as well as for popular development platforms/languages. You may find that we have already done much of the integration work for you, and usually it only takes a few lines of code to include Approov, import and start using it in your mobile app code.
If you require security approvals before starting the Approov trial use the Approov Security and Compliance Guide to explain how the Approov solution operates securely in your environment.
You can gain access to the Approov service by signing up on our website here. A 30 day free no obligation trial to the full Approov service will be yours and only requires you to provide your details (using a professional email address) and answer a few questions about your project. Once you have received confirmation that your service is available, you can move to the next step.
If in doubt at any stage, please remember that a full set of Approov documentation is available to you.
You can upgrade to a paid plan at any time during the trial period. No additional technical setup is needed when you move from trial to a paid subscription, ensuring that the whole process is seamless.
We recommend that the first thing you do is to follow our Frontend Quickstarts to integrate Approov into your mobile app.
The quickstart provides the details of how to integrate Approov into your app using mobile app development platforms we support out of the box. This includes native Android and iOS development using various networking stacks. If your platform does not have an associated quickstart guide, don’t worry because the generic integration process is easy. You can read about it here.
For most of our quickstarts you will be able to integrate just using the configuration string provided in your onboarding email, without any need to install the Approov CLI tool. Follow the specific instructions for your platform.
At the end of the integration process you should be able to see live metrics, using the link also provided in the onboarding email. At this point you can even consider going live in production with your app. This won’t provide any blocking capability but will give you deep insights into the composition of your user base and the environments that the apps are running in.
The information will show
app-not-registered because you have not registered the version of the app you are using with the Approov service. To do that you need to install the Approov CLI as discussed in the next section.
Obviously you need to follow the appropriate quickstarts for both Android and iOS apps if you want to have the full experience.
If you’ve deployed Approov with your apps you can now gather lots of interesting information about the real sources of all the traffic on your APIs. For an overview of our metrics dashboards, you can check out this blog, and for a deeper dive into all the options, our documentation covers it here. This is also where you will see your billing graphs.
In order to get a clear picture of what is happening within your platform, you need to monitor the API traffic in your backend (where you do the Approov token check) as well as within the Approov metrics. This will require the backend integration step described below.
Find full instructions on how to install the Approov CLI (Command Line Tool) here. All management of the Approov account is done using the Approov CLI. Examples, showing how to use this tool, are provided throughout the documentation and a detailed reference for all the commands can be found in the Approov CLI Tool Reference.
If you are the account owner, initialization will grant account access with
dev (development) and
admin (administration) level roles available. Most operations can be carried out using the
dev role, but the
admin role is necessary for certain operations that require elevated privileges.
To get valid Approov tokens you will need to register your apps. This is covered in the appropriate quickstarts, but you can also read an overview here.
You will need to define the APIs you want to protect with Approov and you can find details on that here. This will automatically cause Approov tokens to be added as a header for the appropriate API calls (presuming, of course, that you are using the Approov enabled integration in your app for those calls).
When you add an API to Approov it will automatically benefit from the Approov built-in dynamic pinning capability functionality. You can also choose to set it manually.
Follow one of our Backend Quickstarts. Here you will find the details of how to integrate the Approov token check into the backend platforms we support out of the box. If your platform does not have an associated quickstart guide, don’t worry because the generic token check integration process is easy. You can read about it here.
For the testing and verification there are a range of capabilities open to you:
These features will allow you to establish that the flow is working as intended.
Once your frontend and backend integrations are complete you will want to check everything out before you enable live blocking of API calls that do not provide valid Approov tokens.
Once you are comfortable that your app functionality and customer experience is unchanged by the inclusion of Approov, you are ready to go live. We recommend that you go live but do not block traffic based on the Approov token initially. Monitor the traffic closely using the metrics.
We have a Go Live Checklist that you can go through to make sure you have considered all the likely issues.
Another way you can check out Approov is to try and beat it! Pentesting your platform, either using a 3rd party pentesting company or your own internal resources, is an excellent way to build confidence in Approov and generate additional evidence for your evaluation report.
As you try different approaches to try and breach the Approov solution, you can monitor the Approov metrics and you should be able to see app authentication failures and the associated reasons for those failures. You may also want to look at the wide range of Approov security policies which are available and which can be applied using our over-the-air dynamic configuration capability. Varying security policies during pentesting can really help you understand how to monitor and react to specific threats as they emerge and evolve. More good material for your report.
Once you have established the effectiveness of the core functionality you can test advanced features, for example: