Open Source Software and Licensing Policy

A technical and legal overview of Open Source Software (OSS) usage and compliance within Approov for iOS, Android, and HarmonyOS.

At Approov, we are committed to providing a secure, high-performance, and transparent mobile attestation solution. To achieve this, our SDKs leverage industry-standard open-source libraries for specific functions such as cryptographic primitives, networking, and JSON parsing.

This article outlines our approach to open-source integration and provides legal reassurance regarding the impact on your application's intellectual property.

Our Philosophy on Open Source

The Approov SDK is a proprietary product, but we recognize that "reinventing the wheel" for established functionality (such as networking, where OkHttp is the norm, or cryptography, where libsodium is) can introduce security vulnerabilities. By utilizing mature, peer-reviewed open-source components, we ensure that the core building blocks of our SDK meet the highest standards of reliability and security.

Core License Categories

The open-source components utilized within the Approov SDK are governed by Permissive or Weak Copyleft licenses. We specifically exclude "Strong Copyleft" licenses (such as the GPL) to ensure there is no risk to our customers' proprietary codebases.

License Type  | Examples in Approov SDK          | Impact on Your Application
------------- | ------------------------------- | --------------------------
Permissive    | Apache 2.0, MIT, ISC, Unlicense | Zero risk. These licenses allow the code to be included in proprietary software without requiring the "host" application to be open-sourced.
Weak Copyleft | Eclipse Public License (EPL)    | Zero risk. These require that modifications to the library itself be disclosed, but they do not extend to the application using the library.

Intellectual Property & "Viral" Licensing Protection

A common concern for legal teams is the "viral" nature of certain open-source licenses, where the use of a single library might legally mandate the disclosure of the entire application’s source code.

The Approov SDK does not utilize any "Strong Copyleft" (Viral) licenses.

  • No GPL/AGPL Dependencies: We do not use any libraries licensed under the GNU General Public License (GPL) or the Affero GPL.
  • Permissive Foundation: The vast majority of our third-party components (e.g., Alamofire, AFNetworking, OkHttp, and libsodium) use MIT, Apache 2.0, or ISC licenses. These are specifically designed for commercial use and explicitly allow the software to be integrated into proprietary, closed-source products.
  • Isolation of Copyleft: In the rare case of using a Weak Copyleft library (like JUnit for internal testing), the license requirements are contained strictly within that module. There is no legal mechanism by which these licenses can "leak" into your application's source code.

Security and Compliance

All open-source libraries used within the Approov SDK undergo a rigorous vetting process:

  1. Vulnerability Scanning: We monitor all dependencies for known CVEs (Common Vulnerabilities and Exposures).
  2. License Auditing: We perform regular audits to ensure no incompatible licenses are introduced into the build pipeline.
  3. Static Linking Safety: For our C-based attestation layer (used across iOS, Android, and HarmonyOS), we utilize minimalistic, high-performance libraries (e.g., tiny-aes-c, jsmn) that are either in the Public Domain (Unlicense) or use the MIT license to ensure seamless static linking without legal friction.

Summary for Legal Review

The Approov SDK is a commercial, proprietary product. The inclusion of open-source components is restricted to libraries that:

  • Allow for commercial redistribution in binary form.
  • Do not require the disclosure of the parent application's source code.
  • Are widely recognized as industry standards for secure mobile development.

By integrating the Approov SDK, your organization retains full and exclusive ownership of its intellectual property.