What Is It?
Runtime Secrets is an innovative technology that allows API keys and other secrets to be completely removed from the app package shipped to the app store. Instead, secrets are securely delivered to valid app instances at runtime, improving the security posture and providing significantly enhanced operational flexibility.
- Eliminate dangerous hardcoded secrets from release app packages
- Improve operational flexibility by rotating secrets on demand
- Implement with no changes needed to backend APIs
Just-in-Time Secrets From The Cloud
Approov Runtime Secrets Protection can be used to protect and manage all the secrets a mobile app uses, including API keys used to authenticate against various backend services. With Approov you no longer need to hardcode these in your app, where they are both fixed and open to extraction by reverse engineering.
The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment have passed attestation. This ensures that sensitive secrets cannot be extracted from the app package or via Man-in-the-Middle (MitM) attacks.
Secure Secrets Delivery
Shift left with Approov and integrated runtime secrets management, giving you complete operational flexibility and observability. Rotate secrets as needed and eliminate the risk of secrets exposure damaging your business.
All secrets are stored by the Approov cloud service and are easy to manage dynamically. Certificates, pins, and API keys can easily and immediately be updated across all deployed apps. In this way, if secrets are ever stolen from cloud repositories or acquired through other means, or if a third-party API used by your app changes keys, the affected secrets can be rotated immediately without any service interruption and without having to update apps.
Secured Remote Configuration
Some approaches exist whereby an app can receive secrets and other configuration from a remote server. This removes the secrets from the app and allows dynamic updates of the configuration, but it isn't secure. An attacker can send a request to the endpoint to get the secrets. Moreover, without tamper and communication channel protections, the secrets are not safe once they reach the mobile app.
Approov provides a unique combination of remote configuration capability along with advanced app protections. This ensures that secrets can only ever be delivered to authentic apps that have proved they are not being manipulated.