Runtime Secrets Protection | iOS, Android and HarmonyOS Solutions

Operational Flexibility

Improved operational flexibility by rotating secrets on demand

Implement with No Changes

Implement with no changes needed to backend APIs

Just-in-Time Secrets from the Cloud

Approov Runtime Secrets Protection can be used to protect and manage all the secrets a mobile app uses, including API keys used to authenticate against various backend services. With Approov you no longer need to hardcode these in your app, where they were both fixed and subject to reverse engineering extraction.

The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment has passed attestation. This ensures that sensitive secrets cannot be extracted from the app package or via Man-in-the-Middle (MitM) attacks.

Dynamically Managed

Shift left with Approov and integrated runtime secrets management, giving you complete operational flexibility and observability. Rotate secrets as needed and eliminate the risk of secrets exposure damaging your business.

All secrets are stored by the Approov cloud service and are easy to manage dynamically. Certificates, pins, and API keys can easily and immediately be updated across all deployed apps. In this way, if secrets are ever stolen from cloud repositories or acquired through other means, or if a third-party API used by your app changes keys, they can immediately be rotated without any service interruption and without having to update apps.

Secured Remote Configuration

Some approaches exist whereby an app can receive secrets and other configuration from a remote server. This removes the secrets from the app and allows dynamic updates of the configuration but it isn't secure. An attacker can send a request to the endpoint to get the secrets. Moreover, the secrets are not safe once they reach the mobile app without tamper and communication channel protections.

Approov provides a unique combination of remote configuration capability along with advanced app protections. This ensures that secrets can only ever be delivered to authentic apps that have proved they are not being manipulated.