Approov Overview: Addressing the Security Trust Gap in a Mobile World

Traditional Measures Don’t Provide Enough Protection

While web browsers typically manage security-sensitive operations on the backend, the need to provide a frictionless experience for mobile users has resulted in business-sensitive code shifting to the mobile apps themselves. Consequently, the complexity and sensitivity of the data flow between mobile apps and the corresponding backend APIs has increased and this introduces additional security challenges. Criminals exploit vulnerabilities by reverse engineering API protocols, enabling fraudulent transactions and unauthorized access to valuable digital assets.

The current security approaches for mobile apps are insufficient. These approaches include signature-based behavioral methods, anti-tampering solutions, Transport Level Security (TLS), certificate pinning, and API key embedding. While these methods offer some level of protection, they have significant limitations. Signature-based approaches struggle to detect new attack styles, anti-tampering efforts can be bypassed by sophisticated attackers, and TLS and API key embedding are susceptible to reverse engineering. To address these shortcomings and ensure robust security, a more advanced approach is needed—one that establishes definitive authentication at the source and employs measures to safeguard sensitive server assets accessed via APIs.

How Approov Works

The key to establishing a secure API channel is for genuine apps to be able to prove their identity to backend servers i.e a positive trust framework for authenticating legitimate apps. Approov utilizes a challenge-response cryptographic protocol to verify the legitimacy of a connecting client app, without relying on embedded secrets within the app. This approach dynamically assesses the app's integrity rather than its static secrets.

Approov focuses on authenticating app instances, not users. Integrating the Approov SDK into a mobile app allows API requests to include a unique token in the header. This token-based protection ensures that API requests lacking a valid token are rejected, enhancing security and preventing unauthorized access or probing attempts by hackers.

Figure 1. Approov protects digital assets exposed by APIs

The Approov platform is comprised of three main components:

1. A cloud service that handles requests from apps and determines the authenticity of the app.

2. A simple SDK built into the app itself. This is easily added to the app development project and quickstart guides are provided for a wide range of different app development frameworks.

3. If you are using Approov tokens, a simple verification check in your backend API server responsible for checking the token authenticity.

Figure 2. Approov architecture

Based on the concept of software attestation, Approov enables your mobile applications to identify themselves as the authentic, untampered versions you released. The app receives a token, which is then presented to your API alongside each request. Your server-side setup can thus differentiate between recognized app requests, featuring valid tokens, and those originating from unknown sources.

Mobile App Integration

Integrating Approov into your iOS or Android app is simple - we offer support for a wide range of platforms through our Quickstart guides. The app integration process is shown in the diagram below:

Figure 3. Integration into an app

1. When you sign up for an Approov account, you'll receive an initialization code to access the Approov CLI for account administration and an account identifier for initializing the Approov SDK in your app.

2. To integrate the SDK, follow one of our mobile app Quickstarts. App integration typically involves only minor code changes.

3. Register your app with the Approov Cloud Service using the CLI tool. This generates the same signature for the app as the SDK does at runtime and is used as a basis for verifying that an attestation request comes from a genuine app.

4. Once registered, the app can be published as normal (for each app release, re-register to maintain security).

Backend API Integration

This only necessary if you have your own API backend and are using Approov tokens. No Backend API integration is needed if you are using Approov to protect API keys using Runtime Secrets Protection. Approov tokens are integrated into API request headers and some adjustment to your Backend API is necessary in order to validate these tokens.

You can choose how to handle invalid or missing Approov tokens - options include request rejection, access rate limiting, or implementing extra security measures. Tokens are in the industry standard JWT format so token verification is simple. Your code just needs to check that the token is correctly signed for your account and that the token is valid.

Figure 4. Integration into the Backend API

Integrating Approov into backend services is straightforward, and we provide Quickstart guides for a wide range of platforms.

Benefits and Key Attributes

• Low Overheads
• Minimal Backend Latency Impact
• Scalability
• Security
• Ease of Integration

Approov can be deployed for a range of use cases; such as anti-automation, API key protection and app legitimacy. It addresses security vulnerabilities and fraud attacks that stem from servers' inability to authenticate communication from genuine mobile apps.

Anti-automation

Sophisticated bots capable of attacks such as data harvesting, probing for server-side vulnerabilities and automated account takeovers using stolen credentials can evade behavioral analysis-based protection by mimicking human behavior, making existing methods less effective and more prone to false positives.

Approov offers a secure way for apps to establish their identity to your API, enhancing backend server traffic filtration. Valid apps which have been registered with the Approov Service are dynamically issued a short-lived JWT; this is then sent with each request to your API enabling prioritization of known app traffic.  As Approov doesn't rely on embeded API keys, it prevents extraction and reuse by automated systems, only granting tokens to pre-registered, untampered apps to prevent automated scraping.

API Key Protection

API keys and secrets that are stolen or accidentally exposed can be exploited to access sensitive data from backend servers, impersonate your app or make calls on its behalf. 

Approov enables you to validate your app's authenticity and integrity during runtime, ensuring that only legitimate, unaltered versions of your mobile app, operating within a secure environment, can connect to your backend API. This blocks malicious entities such as bots, scripts, fake, and tampered apps from the outset.

App Legitimacy

Attackers are able to manipulate apps or perform rooting/jailbreaking of devices, enabling them to acquire live access to personal and financial data. Approov positively identifies traffic from genuine apps which means that any attempts to access the backend API by repackaged or tampered apps will be blocked. Approov also detects unsafe operating envirnoments on the client device such as rooted or jailbroken devices, debuggers and emulators and the presence of malicious frameworks.

Conclusion

The evolving landscape necessitates a shift from conventional security measures, as they prove inadequate in safeguarding mobile API connections. These connections remain vulnerable to exploits like Man-in-the-Middle attacks, API key extraction, and reverse engineering. Conventional methods focus on blocking attacks that are already in progress.

Approov takes a proactive stance by initiating protection where the request originates —the app itself. Working with other security protocols, Approov builds a comprehensive end-to-end API environment, instilling trust. It accomplishes this by identifying, validating, and certifying only genuine instances of your untamered mobile apps, operating within secure settings and communicating via protected channels.