Approov Data Handling & Global Privacy Compliance
Ensuring Runtime API Integrity and Global Privacy Engineering Standards for Mobile Applications
Overview
Approov is a comprehensive mobile application security platform that protects mobile apps and their backend APIs from unauthorized access, API abuse, and malicious attacks.
This article explains how the Approov service handles data, with particular focus on Personal Data (PD), Personal Information (PI), and Personally Identifiable Information (PII) as defined by major global privacy regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), China's Personal Information Protection Law (PIPL), and Brazil's Lei Geral de Proteção de Dados (LGPD).
Approov is designed around the principle of data minimization, collecting only the information necessary to establish application trust while minimizing privacy and regulatory risk.
Service Architecture
A standard Approov deployment consists of three primary components.

Approov SDK
Embedded within the mobile application, the Approov SDK verifies the integrity of the runtime environment and attests that the application is an authentic, untampered version.
The SDK collects runtime measurements and application signatures and securely sends them to the Approov Cloud Service. If the application is verified, the cloud returns a signed JSON Web Token (JWT), which the app includes with subsequent API requests.
Approov Cloud Service
The Approov Cloud Service validates the attestation data received from the SDK and determines whether the application can be trusted.
It is responsible for:
- Verifying application authenticity
- Generating signed attestation tokens
- Producing aggregate security metrics
- Maintaining operational and engineering logs
- Tracking unique application installations for licensing and usage purposes
Protected APIs
Backend APIs validate the Approov token accompanying each request. Requests containing a valid, correctly signed token are processed normally, while requests with missing or invalid tokens can be rejected according to the application's security policy.
Data Communication and Protection
Most communication occurs between the Approov SDK and the Approov Cloud Service.
All communications are protected using Transport Layer Security (TLS) with dynamic certificate pinning, preventing Man-in-the-Middle (MITM) attacks and ensuring endpoint authenticity.
The data transmitted falls into two primary categories.
Application Integrity Measurements
These include cryptographic signatures and integrity measurements related to:
- Application package structure
- Application signing certificates
- Code integrity
- Runtime environment
These measurements allow Approov to determine whether the application has been modified or tampered with.
Runtime Threat Indicators
Approov evaluates indicators associated with known runtime threats, including:
- Rooted or jailbroken devices
- System file modifications
- Runtime hooking frameworks
- Malicious memory manipulation
- Debugging or instrumentation tools
Where possible, these values are represented as simple pass/fail indicators or cryptographic signatures rather than raw device information.
Core Identifiers and Privacy Engineering
Install ID
Approov maintains an anonymized Install ID to distinguish repeated attestations originating from the same application installation.
The Install ID is derived from an operating system identifier that is anonymized before being accessed by the Approov SDK, ensuring it cannot reasonably be linked to an identifiable individual.
Approov does not use the Install ID for:
- User profiling
- Behavioral analytics
- Advertising
- Cross-application tracking
- Cross-service correlation
Because the identifier is anonymized and never associated with user accounts, it has negligible value even in the unlikely event of unauthorized disclosure.
IP Address Handling
IP addresses are an unavoidable component of Internet communications and are required for standard network routing.
Approov adopts a privacy-first approach to IP address handling.
Default Anonymization
IP addresses are anonymized before being logged to ensure that stored data cannot be used to reconstruct the original IP address. This allows Approov engineers to verify specific IP references when requested by an Approov account holder, without exposing actual IP addresses. Approov uses the following anonymization method:
AnonymizedIP = HMAC(Secret, Date, IP address)
This method ensures that the original IP address cannot be retrieved from the anonymized value.
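The construction above, sketched as an added example (not Approov's own code): it shows how a keyed, date-scoped value lets an engineer confirm an IP reference against logs that hold no raw addresses. HMAC-SHA256, the field encoding, the secret, and the names `anonymize_ip`, `find_references` and `sample_log` are assumptions; the page specifies only the inputs Secret, Date and IP address.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

SECRET = b"constructed-demo-secret"  # constructed; stands in for the service secret

def anonymize_ip(secret: bytes, day: date, ip: str) -> str:
    """AnonymizedIP = HMAC(Secret, Date, IP address), assuming HMAC-SHA256."""
    # Parse first so equivalent spellings of one address give one value.
    packed = ipaddress.ip_address(ip).packed
    fields = (day.isoformat().encode(), packed)
    # Length-prefix each field so the (date, IP) encoding is unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def find_references(secret: bytes, ip: str, records):
    """Return indexes of log records that refer to `ip`.

    records: iterable of (date, anonymized_value) pairs; no raw IP is stored.
    """
    hits = []
    for i, (day, logged) in enumerate(records):
        if hmac.compare_digest(anonymize_ip(secret, day, ip), logged):
            hits.append(i)
    return hits

def sample_log():
    """Constructed log: three requests over two days (documentation addresses)."""
    d1, d2 = date(2026, 1, 15), date(2026, 1, 16)
    return [
        (d1, anonymize_ip(SECRET, d1, "192.0.2.10")),
        (d1, anonymize_ip(SECRET, d1, "2001:db8::1")),
        (d2, anonymize_ip(SECRET, d2, "192.0.2.10")),
    ]

if __name__ == "__main__":
    log = sample_log()
    print(find_references(SECRET, "192.0.2.10", log))
    print(find_references(SECRET, "2001:0db8:0:0:0:0:0:1", log))
    print(log[0][1] == log[2][1])  # same IP, different day
```

Because the date is part of the input, the same address produces unrelated values on different days, and without the secret a logged value cannot be matched to any candidate address.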
Proxy Deployment Option
Organizations with strict regulatory or data residency requirements may route SDK traffic through an intermediate proxy that removes or anonymizes client IP addresses before requests reach the Approov Cloud Service.
This deployment option enables organizations to eliminate direct exposure of client IP addresses to third-party cloud infrastructure.
Global Privacy Regulation Alignment
| Regulation | Approov Data Handling |
|---|---|
| GDPR (EU/UK) | Technical identifiers are anonymized wherever possible. Where processing is required, it is performed under the Legitimate Interests legal basis (Article 6(1)(f)) for cybersecurity and infrastructure protection. |
| CCPA / CPRA (California) | Technical identifiers cannot reasonably identify an individual or household and therefore generally fall outside the definition of Personal Information. |
| PIPL (China) | Technical measurements are designed to avoid directly or indirectly identifying natural persons, supporting PIPL's data minimization principles. |
| LGPD (Brazil) | The anonymized and non-attributable nature of Approov's technical identifiers generally places the collected data outside the scope of regulated personal data. |
| PDPA (Singapore, Thailand, Malaysia, etc.) & Other Laws | The same privacy-by-design principles apply. The Install ID is anonymized and used solely for application security and attestation. It is not used to identify individuals, profile users, or track behavior across applications, and therefore generally does not constitute personal data or personal information under these frameworks. |
Developer Privacy Controls
Approov provides several mechanisms that help developers maintain strong privacy protections.
Token "pay" Claim
Applications may include a pay claim to bind an Approov token to the authenticated user.
Before transmission to the Approov Cloud Service, the value is automatically transformed using a SHA-256 hash. As a result, Approov never receives the original identifier or any personally identifiable information.
App-Specific Secure Strings
Approov enables applications to securely store application secrets or cryptographic material directly on the device.
These secure strings:
- Remain encrypted while stored
- Never leave the device
- Are never transmitted to or managed by the Approov Cloud Service
Custom JWT Claims
Developers can configure custom JWT claims for application-specific authorization requirements.
Approov processes and signs these claims during token generation but does not persist their contents in operational logs, analytics systems, or metrics databases, minimizing the risk of accidental data exposure.
Summary
Approov is architected with privacy by design and data minimization as core principles.
The platform collects only the technical information required to establish application trust and defend backend APIs against abuse. Through anonymization, secure communication, cryptographic processing, and configurable deployment options, Approov minimizes exposure to personal data while helping organizations meet the requirements of global privacy regulations.
This architecture enables organizations to strengthen mobile application security without introducing unnecessary privacy or compliance risk.
© Approov Limited 2026 | All rights reserved