Skip to content
  • There are no suggestions because the search field is empty.

Open Source Software and Licensing Policy

A technical and legal overview of Open Source Software (OSS) usage and compliance within Approov for iOS, Android, and HarmonyOS.

Approov delivers commercial, proprietary mobile SDKs and also provides open-source integration examples and service layers to help developers adopt Approov quickly and transparently. (GitHub)

This page explains how we use open source software (OSS), how we manage licensing obligations, and what it means for your application’s intellectual property.

What is Proprietary vs. Open Source

Proprietary Components

The Approov Mobile SDK is a proprietary product.

Open-Source Components we Publish

Approov also publishes open-source “Quickstarts” and service-layer libraries in our GitHub. These repos provide working examples and reusable integration layers that show how to use the proprietary SDK in common environments.

Many of these repos use permissive licenses (for example, MIT in approov-service-httpsurlconn, and Apache-2.0 in react-native-cert-pinner). (GitHub)

How We Use Open Source Software

Approov may use third-party OSS in:

  1. Our published open-source integration repos, and/or
  2. Our internal build tooling and development workflows, and/or
  3. Deliverables that we distribute, where the license is compatible with our distribution model.

Where OSS is used, we aim to:

  • Prefer well-maintained, widely used components
  • Prefer permissive licenses for distributed client components
  • Preserve and comply with license requirements (notices, attribution, etc.)
  • Track and address known security vulnerabilities in dependencies

License Categories and What They Mean for Your App

Open source licenses generally fall into categories:

Permissive Licenses (MIT, Apache-2.0, BSD, ISC)

These licenses are commonly used in commercial software. They allow modification and redistribution within proprietary applications without publishing the source code of the application or any changes that were made to the component. They usually require that copyright and license notices are preserved. 

Weak Copyleft Licenses (e.g., MPL, LGPL, EPL)

These licenses can impose obligations if you modify and redistribute the covered component but the obligations apply only to component changes (not your whole application). Use of weak copyleft components requires additional review to ensure all obligations are met.

Strong Copyleft Licenses (e.g., GPL, AGPL)

These licenses can impose broader reciprocal obligations in certain distribution scenarios. Approov’s practice is to avoid strong copyleft dependencies in all distributed client deliverables.

Protecting Your Intellectual Property

Using the proprietary Approov SDK does not require you to open-source your application code. Your organization retains ownership of its software and IP.

If you use Approov’s open-source quickstarts or service libraries, their licenses do not require you to publish your proprietary source code, but you may need to preserve attribution and license notices as required by the license.

Third-Party Notices and Attribution

When license terms require attribution (for example, MIT/Apache notice requirements), we preserve the relevant license texts and attribution in the appropriate distribution artifacts and/or repositories.

Some Approov open-source repos also include adapted third-party source code and explicitly document the upstream origin and license terms (including copying upstream license files into the relevant directories). 

Security and Compliance Practices

Approov maintains an OSS compliance policy and process designed to:

  • Track third-party components used in deliverables and published repos
  • Review licenses for compatibility with intended use/distribution
  • Monitor security advisories and vulnerabilities with Software Composition Analysis (SCA) tools
  • Enforce internal compliance deadlines for resolving identified issues
  • Ensure required notices and attributions are included where applicable
  • Evaluate the maintenance status, community activity, security history and posture of OSS before adoption
  • Educate developers working on Approov products of the risks associated with OSS adoption

Questions

If you have licensing or compliance questions related to Approov SDKs or Approov open-source repositories, contact Approov Support.

This page is provided for informational purposes and does not constitute legal advice.