Approov API Protection
Free Trial

A Guide to the Five Pillars of Effective Mobile API Security

App Integrity

App Integrity

Don't: Allow your API keys to be used by bots, scripts and fake apps to access your backend data and services

Do: Attest your apps to ensure only truly authentic apps are authorized to make API calls

Device Integrity

Device Integrity

Don't: Allow your app to run in compromised environments which can expose vulnerabilities and exfiltrate sensitive data

Do: Adopt comprehensive fine-grained device integrity checks enforced outside of the untrusted device environment

Channel Integrity

Channel Integrity

Don't: Allow man-in-the-middle attacks by assuming that plain TLS is good enough

Do: Employ securely certificate-pinned TLS with dynamic pin update

Credential Integrity

Credential Integrity

Don't: Allow scripts to access your APIs and conduct credential stuffing attacks on your login endpoints

Do: Require frequent app authentication for strong trusted user on trusted app API authorization

Service Integrity

Service Integrity

Don't: Allow zero-day threats to compromise your defenses and rely on new app releases to update protections

Do: Shield your APIs from exploitation of vulnerabilities with over-the-air updates for instant reaction to threat intelligence

Some of the Businesses We Protect


How API Attacks Impact Your Business

Approov API Protection

Account Takeover

Approov API Protection

Fake Account Creation

Approov API Protection

Denial of Service

Approov API Protection

Credit Fraud

Approov API Protection

App Impersonation

Approov API Protection

Man in the Middle

Approov API Protection

API Security Breach

Approov API Protection


Introducing Approov

How Approov Protects Your Business

  • Ensures that only genuine mobile app instances, running in safe environments, can use your API.
  • Blocks scripts, bots, modified apps and fake apps from your API.
  • Integrates easily into your existing technology stack.
  • Delivers immunity from the most common API attacks.

How Approov Works

Approov consists of three components:

  • The Approov cloud service which makes all security decisions off device
  • An SDK that drops into your iOS or Android app
  • Short-lived security tokens to authenticate API traffic at your backend
How Approov Works

Short lived JSON Web Tokens (JWT) are signed with a custom secret only known to the Approov cloud service and the backend API. The secret is never contained within the app itself, so it cannot be extracted.

Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid JWT Approov tokens. Only apps with valid tokens can access protected API services.

App signatures can be removed from the Approov service at any time, allowing tight control of which app versions can access your API.

Approov Features

Positive app authentication
Man-in-the-middle attack prevention
User authorization binding
Dynamic certificate pinning
Easy app SDK integration
JWT backend token verification
Selective security policies
DeviceCheck integration
SafetyNet integration
Emulator detection
Debug detection
Root detection
Jailbreak detection
Magisk detection
Frida detection
Xposed detection
Cydia detection
Clone app detection
App automation detection
Memory dump detection
Real-time metrics access
Over-the-air security updates
DevOps tooling
Help desk support

Integrate Your App

Integrating Approov into mobile applications is straightforward, and quickstart guides are provided for the popular platforms:

Approov API Protection


Approov API Protection


Approov API Protection


Approov API Protection

React Native

After integration Approov tokens are automatically added to your API calls. The integration handles all of the analysis and measurement necessary to identify the app and the runtime environment to the Approov Cloud Service.

After integrating the SDK into your app, register each app version with the Approov Cloud Service using the Approov command line tool. This extracts and registers the “DNA” of the app with the cloud service so that your app can be positively attested. Your app is then published as normal, and the enhanced security is transparent to your users.

Pin Your API Connections

Even though modern apps communicate using a secure TLS connection they are still vulnerable to eavesdropping by a Man-in-the-Middle (MitM) attacker. Such attacks are used to reverse engineer an API protocol.

Employing certificate pinning prevents such attacks. Unfortunately, this can be complex to implement in the app and requires coordination with the backend API services. Approov builds pinning right into the integration with support for updating pinning over the air with no app update needed. Certificate rotations can be handled cleanly, with no risk of interruption to your customers.

Dynamic Pinning

Verify Your API Traffic

Integrating Approov into backend services is straightforward too, and quickstart guides are provided for popular platforms:

Token verification is simple due to the adoption of the industry standard JWT. You simply check that each token has been correctly signed with the secret for your account, and that it has not expired.

Once the SDK has been integrated into your app, live tokens are added to your API request headers, and your backend API systems are enhanced to verify these tokens.

Operate With Confidence

We continuously use the aggregated and anonymized data that we have from all of our customers to identify new threats and enhance Approov's security capabilities accordingly.

Monitor and Analyze Attestation Traffic

Live metrics are accumulated regarding device usage, attestation forensics, and billing information. Both graphical and email based reporting is available.

Live Metrics

Update Your Security Live

Approov detects potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers specify which policies should be enforced. Changes to security policies roll out immediately to active apps.

Hackers continuously evolve their run time penetration techniques, and Approov keeps pace by providing security detection updates over the air without requiring app store updates. This live update service is also used to manage trust certificates and security policies.

Try Approov For Free

Free 30-Day Evaluation • Access to All Features • No Credit Card Needed

By clicking Submit, you agree to our Terms of Service and that you have read our Privacy Policy. CriticalBlue needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Copyright © 2021 CriticalBlue, Ltd. All Rights Reserved.