How is the Approov SDK protected from attacks?

Does the Approov cloud service authenticate the Approov SDK?

The Approov SDK itself is built using the OWASP Mobile Application Security Verification Standard (MASVS) as a guide for best practices. The Approov SDK utilizes the following tactics (and others):
  • Code obfuscation/hardening: The Approov SDK itself is extensively hardened, so its code is more difficult for an attacker to understand in terms of both structure and functionality.
  • Encryption: Strong encryption algorithms are used to protect all network traffic, data storage, and other sensitive information exchanged between the Approov SDK and the Approov cloud service, as well as communication to the backend APIs.
  • Anti-tampering measures: These measures are designed to detect and prevent tampering with the SDK's code and data. Anti-tampering measures extend beyond basic checksum validation and include data integrity checks and other binary protections.
  • Runtime protection: Approov monitors the app's behavior at runtime and detects and responds to suspicious activity. Runtime protection measures include detecting and preventing memory manipulation, detecting and blocking malicious code injection, and detecting and responding to unusual network activity.
  • Code minimization: Utilizing the Approov SDK reduces the perimeter needed to defend the application, and reduces the overall size and complexity of the attack surface. Minimizing the code makes it more difficult for an attacker to understand its structure and functionality.
  • Attestation of the SDK: As part of the app authentication process, the SDK is itself attested for authenticity before the rest of the app is attested for complete authenticity. 

By using a combination of these tactics, mobile app developers can make it more difficult for attackers to reverse engineer and tamper with their apps, improving overall security and protecting sensitive data. The security provided by the Approov SDK is much stronger than a static API key, which can easily be de-obfuscated through static analysis or at runtime.