Approov Frequently Asked Questions
General
What is Approov?
Approov establishes a trusted environment that protects your APIs and your business. Only your authorized mobile apps, running in untampered environments and communicating over secured channels, can access your APIs and backend services. Botnets, fraudulent transactions, malicious scripts, and fake apps are blocked at the source.
How does Approov work?
Approov provides a run-time shielding solution which is easy to deploy and protects your mobile apps and the APIs that service them from any automated attack. It uses a cryptographically signed “Approov token” to allow the app to provide proof that it has passed the runtime shielding process. Integration involves including an SDK in your mobile app and adding an Approov token check in your backend API implementation.
For more information, see "How does Approov Work" in our Knowledge Base.
What are the benefits of Approov?
- You can block bots, automated scripts and modified apps without falsely rejecting any valid app, reducing the costs of fraud in your business.
- Frequent runtime checks allow you to block app tampering and masked fraudulent transactions which are not caught at install or launch time.
- Enhanced TLS security allows you to block fraudsters from getting between your app and your service, preventing both the design and execution of fraudulent attacks.
- Over-the-air security updates allow continuous enhancement of security capabilities against emerging threats without the need to release a new app.
What makes Approov better than other mobile application security software?
Approov was built with the mobile application community in mind. It was not designed for a web application platform and later adapted to mobile applications; it was envisioned and developed in the mobile application environment. Approov has a mode that does not require a constant Internet connection. Further, it protects both your mobile app and the APIs that service it.
What threats does Approov protect against?
How does Approov compare with mobile app hardening solutions?
Approov was built specifically to protect both the apps and the APIs which service them. App hardening solutions are designed to protect just the apps. There are situations where these are complementary solutions and some of our customers use both. It really depends on the threats that you want to protect against and how sensitive the data is that is held in the app itself, compared to the data in your backend servers. We can provide guidance on this issue.
How do you determine if my app is running in a safe environment?
Approov examines the runtime environment of the device and detects many characteristics of it which may be relevant, such as root, jailbreak, emulator, simulator, debugger, Frida, Xposed and Magisk. A safe environment is defined by you, so you can choose which of these detections represent a red flag on your platform. You can also change these security settings instantly through the Approov command line interface, as often as you like.
Doesn't my WAF or API Gateway block automated traffic?
WAFs and API Gateways have rate limiting, IP lookup and bad signature recognition capabilities but these will only block brute force automated traffic. Correctly formed automated API traffic which is constructed for fraud and data scraping purposes and deployed through scripts will pass through these defenses. Approov is integrated into many WAF and API Gateway solutions for this reason.
I have a web channel as well as a mobile one. Can you protect both?
We don't directly protect web sites/apps, but we do have integrations with 3rd party web security solutions which do, such as Google reCaptcha, hCaptcha and FingerprintJS. This enables a single Approov token check at the API endpoint regardless of whether the API request came from the web or mobile channel. Other 3rd party integrations will be added over time.
References
Do you have pentest reports for Approov?
30-40% of our customers run their own pentests and that is the best test of Approov. It's unlikely that those pentest reports can be made available to other customers. However, this will give you confidence that Approov is regularly tested by 3rd parties.
Who else is using the Approov Solution?
We have dozens of customers, big names and small, covering the fintech, mobility, retail and healthcare sectors among others. Not all of our customers are prepared to be public references because they are sensitive about revealing their security arrangements; others consider that demonstrating their commitment to security is good for their brand. You can read some of our customer stories here.
Implementation and Support
How easy is it to get up and running with Approov?
Approov can easily be integrated, tested and deployed within the free 30 day trial. You do not need to be a security expert. Quickstarts are available for fast integration with various Android and iOS development platforms as well as many backend server, serverless, WAF and API gateway platforms. Full Approov documentation is available here: https://approov.io/docs/
What type of support is included with Approov?
There is a support portal through which you can get technical questions answered at any time, both during integration/test and once you have deployed. The full user documentation is available at https://www.approov.io/docs/. Further, the Approov production service is monitored 24/7 and we will inform you if we see anything unexpected within your service. You can also check with us if you see anything which looks suspicious.
What development platforms do you support?
A whole range of them. For mobile app development, we support native Android and iOS of course - with various network stacks - and a collection of other 3rd party development platforms such as ReactNative, Cordova, Xamarin, etc. For the backend (API endpoint environment) we support even more languages and environments. For a full list check out our resources page: https://approov.io/resource/
Are you saying I need to remove my API keys from my apps?
No. Consider the app as a second factor alongside the API key - you need to authenticate both in order to allow access to your backend services. The important thing is to protect your API key so that it cannot be used at scale from inside a script which is impersonating your app traffic to use your APIs.
If an API request has the valid API key and valid user credentials, I have 2 factors - is that not enough?
No, because both factors can be compromised from the app or the API traffic. You need 2 independently authenticated factors such as an OAuth token alongside an Approov token, i.e. don't rely on user authentication alone.
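The backend token check described under "How does Approov work?" combined with the two-factor rule above, as an added example (not Approov's own code or token format). It assumes both tokens are HS256-signed JWTs carrying an exp claim; the keys are constructed and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

APP_KEY = b"constructed-app-attestation-secret"  # constructed sample key
USER_KEY = b"constructed-user-auth-secret"       # constructed, independent key

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims, key):
    """Build an HS256 JWT; used here only to construct sample tokens."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, key, now):
    """Return the claims of a valid, unexpired HS256 JWT, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None  # signed with a different key, or altered
        claims = json.loads(_b64d(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):
        return None  # missing or malformed token

def authorize(app_token, user_token, now=None):
    """Allow a request only when BOTH independently signed tokens verify."""
    now = time.time() if now is None else now
    if verify(app_token, APP_KEY, now) is None:
        return (401, "app attestation failed")
    user = verify(user_token, USER_KEY, now)
    if user is None:
        return (401, "user authentication failed")
    return (200, user.get("sub"))

if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the output is repeatable
    user = sign({"sub": "alice", "exp": now + 3600}, USER_KEY)
    print(authorize(sign({"exp": now + 300}, APP_KEY), user, now))
    print(authorize(None, user, now))  # valid user credentials, no app token
```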
Pricing
What's included in my free trial plan?
You have access to the full range of Approov features and the full Approov service in your free trial. This allows you to transition seamlessly into production at the end of your trial.
Do I need to enter my credit card info to sign up?
A credit card is not required to sign up to the free trial. When you convert to a paid subscription at the end of your trial, you will be prompted to enter a credit card at that time.
What happens at the end of my free trial?
At the end of your trial, you can choose to move to a paid plan, or if you need more time to test our product, you can get in touch for a trial extension.
Are there any setup fees?
No, you can fully onboard and integrate Approov during your free trial.
What is a unique device? How does billing work?
An active device (or unique device) is the unit by which the usage of the services is measured. An active device is a mobile device on which a registered app has been launched or is running. Each mobile device on which any registered app has been launched is considered a separate active device for billing purposes.
An active device is measured per registered app, therefore:
- a single mobile device with two registered apps which have been launched during the billing period will be counted as two active devices;
- a person using a registered app which has been launched on four different devices during the billing period will be counted as four separate active devices.
Billing is based on unique devices counted within each billing period (the period between the date on which the services were first provided to you and the same date in the next month). The minimum charge in a billing period is 198 USD; this includes the first 9900 monthly active devices. For more information, please see our Terms of Service: https://approov.io/terms/
What if I am flooded with fake traffic? Do I have to pay for all these useless transaction requests?
The simple answer is no. Unlike many API-centric security solutions, you only pay for successful mobile app authentications (genuine customers using genuine apps on safe devices). So you don't pay for any API requests which are rejected, either because they don't present a valid Approov token (modified apps or apps running in unsafe environments) or because they don't present an Approov token at all (scripts).
Am I locked into a contract? What if I want to cancel?
The standard business model arrangement allows you to cancel at any time, and if you need to do this for any reason, we will work with you to make the transition as smooth as possible.
