We're Hiring!
We're Hiring!

Best Practices for Secure Access of Third-Party APIs from Mobile Apps

Mobile apps increasingly depend on third-party API access, employing them for many reasons, including payment, location, social media and other services. Access is validated via API keys but these keys are being stolen, either from the mobile app code itself or from cloud repositories. If APIs are abused using keys you have not protected you could be exposed to financial losses, fines, and reputational damage due to:

  • Hackers using your API keys to access a third-party service you pay for.
  • Data breaches executed via third-party API traffic interception.
  • DDoS attacks on APIs using your keys, causing services to stop responding either because service allocation limits are used up, or service rate limits are triggered.

API Key Challenges

API keys are commonly used to secure backend API access. However, exposing API keys poses risks, including unauthorized access, data manipulation, and quota depletion. Accidental exposure of API keys in source code, tools trawling repositories, and man-in-the-middle attacks are general concerns.

Third-Party API Access from Mobile

When mobile apps access third-party APIs, they extract API keys from code and transmit them over the network. Tools like MobSF, Apktool, and Burp Suite can extract secrets, and man-in-the-middle attacks can compromise communication.

Approov diagram attack vectors used to extract secrets

MitM Attack

Attackers can intercept app-backend communication through a proxy tool and extract API keys using device-rooting techniques, undermining security.

Risks of Stolen API Keys

The risk obviously depends on the capabilities of the particular API whose key has been compromised. Stolen API keys can lead to data exfiltration, skewed analytics, and denial of service attacks. Pay-per-use APIs may incur unauthorized costs.

Approov Diagram Showing Risks of Stolen API Keys

Existing Protection Methods

Obfuscation, code hardening, and pinning offer some protection but have limitations against runtime extraction and MitM attacks.

Approov's First-Party API Protection

Approov secures first-party APIs using a unique, short-lived cryptographic token, evaluating app and device integrity. Cloud-based checks ensure proper app identity and protection against various threats.

The Approov SDK agent embedded within a user's app conducts continuous monitoring to detect any suspicious activities, such as function hooking that might attempt to extract app data. Additionally, it enhances the security of the API channel, effectively preventing any potential Man-in-the-Middle attacks.

Approov Architecture (no background)

3rd Party APIs and Approov

Applying Approov directly to third-party APIs is challenging due to backend control limitations. Some users opt for a proxy solution, though latency and complexity arise.

Approov Runtime Secrets Protection

Approov's Runtime Secrets Protection extends third-party API safeguarding. Integration involves adding the Approov SDK, app registration, and securing secrets in the Approov cloud. Secrets are shielded from reverse engineering by removal from the app's build environment. During runtime, the Approov integration verifies the app's integrity, transmitting obfuscated secrets to the cloud only upon successful checks. These secrets are stored securely in memory and added to network requests, further protected against theft. Failed checks prevent secret transmission, optionally notifying users. This approach ensures that only valid, uncompromised app instances can access stored API keys and secrets in the Approov cloud, without altering backend APIs.

Managed Trust Roots

Approov's "Managed Trust Roots" enhances channel protection by checking certificates within device and Approov trust stores.

Approov Managed Trust Roots Diagram

Quickstart Integrations

Approov offers app quickstart integrations, simplifying the process by substituting secrets with placeholders and automating authenticity checks.


Approov Runtime Secrets Protection prevents API key exposure in mobile apps. Valid app instances in uncompromised environments access securely stored API keys. Managed trust roots ensure secure communication, and backend APIs remain unchanged. Dynamic secret updates enhance flexibility and security.


Download the full version of the white paper

 Cover of Approov Best Practices Whitepaper


Download the full version of the white paper


Cover of Approov Best Practices Whitepaper



Contact us for a live demo

Our security experts will show you how to protect your revenue and business data by deploying Approov Mobile Security.




Subscribe to
Approov Newsletter

To be informed of the up-to-date industry news, the latest technology trends, and beyond.