Do I need to remove my API keys from my mobile apps?

Comparing Approov's Secure API Authentication (Token Based) with Runtime Secrets Protection

Yes or no: Approov actually provides both options.

Secure API Authentication:

No, you do not need to remove API keys when using Approov's JSON tokens, where the backend API is updated. We suggest you use the Approov token, from an attested app, as the second factor alongside the API key to access the data. The backend API then needs to authenticate both in order to allow access to your backend services. This method is best for securing first party API keys (i.e. those associated with the organization or developer that owns the mobile app).
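The backend-side check described above, as an added example that is not Approov's own code or from this page: a request is accepted only when both the API key and the Approov token verify. It assumes the Approov token is an HS256-signed JWT with an `exp` claim sent in an `Approov-Token` header and that the API key arrives in `X-Api-Key`; the secret and key values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not real Approov or customer credentials.
APPROOV_SECRET = b"constructed-demo-token-secret"  # shared with the token issuer (assumption)
VALID_API_KEY = "constructed-first-party-api-key"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_approov_token(token: str, secret: bytes, now=None) -> bool:
    """True only if the token is HS256-signed with `secret` and its `exp` is in the future."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # accept exactly one algorithm; never trust "none"
            return False
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        payload = json.loads(_b64url_decode(payload_b64))
        return float(payload["exp"]) > (time.time() if now is None else now)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token, bad encoding or missing claim all fail closed


def authorize_request(headers: dict, secret=APPROOV_SECRET, api_key=VALID_API_KEY, now=None) -> bool:
    """Two factors: the API key identifies the client, the token proves an attested app."""
    presented_key = headers.get("X-Api-Key", "").encode()
    key_ok = hmac.compare_digest(presented_key, api_key.encode())  # constant-time compare
    token_ok = verify_approov_token(headers.get("Approov-Token", ""), secret, now)
    return key_ok and token_ok


def make_token(secret: bytes, exp: float) -> str:
    """Mint a test token the way an issuer would; used here only to exercise the checks."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```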

Runtime Secret Protection:

Yes, you can also remove all API keys, and it is generally recommended to remove API keys from your mobile apps for security reasons. Storing API keys directly in your app's code or configuration files poses a security risk because when an attacker gains access to the app, they can potentially extract the API keys and misuse them. With Approov Runtime Secrets Protection the API key is only delivered “just-in-time” to the mobile app if it passes the Approov checks, so it cannot be reverse engineered out of the app. This method is compatible with both first party and third party API keys.

Comparing the Approaches:

Let's discuss the similarities and differences between Approov's Runtime Secret Protection and Secure API Authentication:

Similarities:

  • Protection of Secrets: Both runtime secret protection and secure API authentication provided by Approov reinforce the security of mobile apps and their APIs.
  • Focus on API Key Security: Both approaches address the security of API keys, which are the security credentials used to authenticate and authorize API requests.
  • Mitigating Unauthorized Access: Both mechanisms will prevent unauthorized access to APIs and protect against misuse of API keys.

Differences:

  1. Runtime Secret Protection: Approov's runtime secret protection focuses on securing app secrets and API keys in the cloud. This approach involves managing and rotating secrets securely, delivering them just-in-time to fully attested apps at runtime. It provides a way to protect and manage secrets outside of the app's code, enhancing security and control.
  2. Secure API Authentication: Approov's secure API authentication provides an authentication mechanism used to authorize API requests. This involves token-based techniques for authentication. Secure API authentication ensures that only authorized and authenticated requests are allowed to access the APIs by performing attestation on the mobile app to make sure that it has not been altered or tampered with.
  3. First Party and Third Party API Keys: Approov's solutions can handle both first-party and third-party API keys. First-party API keys are those associated with the organization or developer that owns the mobile app, while third-party API keys are used to access external services or APIs provided by other organizations. Approov's approaches provide mechanisms to securely manage and authenticate both types of API keys.

To get more detailed information about how Approov handles runtime secret protection, secure API authentication, and the management of first-party and third-party API keys, it's recommended to read the QuickStart Guides or the Approov Development Docs, as they provide specific insights into each solution and how to address these aspects of mobile app security and API authentication.