End-to-End Mobile App Security


Six Ways Approov Secures Mobile Apps

Approov provides the only comprehensive run-time security solution for mobile apps and their APIs, unified across Android and iOS.

Approov ensures that only genuine and authentic apps access your backend service, stopping bots, and tampered or repackaged apps in their tracks. Our unique deterministic approach ensures there are no false positives to manage.
Approov detects unsafe operating environments on the client device, such as rooted/jailbroken devices, apps running under debuggers or emulators, or the presence of malicious frameworks. Approov validates all aspects of the client environment and applies dynamic policies that allow fine-grained control.
Approov’s dynamic pinning service stops Man-in-the-Middle or Man-in-the-Phone attacks, locking down connections to a fixed set of backend certificates that you can manage easily. Even better, it delivers secure over-the-air instant pin updates with no management headaches or service disruptions.
Approov performs an ongoing, deep inspection of your mobile app and the device it is running upon, and based on this guarantees authenticity to your backend APIs and services. API keys for your own and 3rd party APIs are only delivered if the app is genuine and the environment is safe. Approov protects your backend APIs from API abuse, credential stuffing, fake botnet registrations, and DDoS attacks.
We solve the problem of hard-coded or stolen API keys. Our cloud service delivers secrets “just-in-time” to the app at the moment they are required to make an API call, and only when the app and its runtime environment have passed attestation. Dynamically managed, they can be updated across all deployed apps without the need for app updates.
You can deploy and test Approov during a free 30-day trial, and ongoing operation is easy. It integrates easily with your environment and a full range of other security tools and services.

Mobile App Attestation

Only Genuine Apps Allowed
Approov performs advanced runtime memory analysis to make sure your untampered official app is being used. This prevents repackaging, modification and fake app attacks, and gives you complete control over which specific versions of your app are accepted.
Easy to Manage and Very Secure
With Approov, the app must prove itself to be genuine through a sequence of integrity measurements. These results are then sent to the Approov cloud service using a patented challenge-response protocol, immune from replay attacks. The Approov cloud makes the decisions. If integrity is verified then the running app is issued with a short lived cryptographic token that it can use to prove its authenticity to the backend API services it uses. The app cannot make its own decisions about integrity and cannot sign its own tokens. Defense is moved out of the attacker’s reach and into the Approov cloud.
No False Positives
Our unique deterministic approach ensures there are no false positives to manage. Either the app is genuine and running in an unmodified environment — or it's not.
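The token flow described under "Easy to Manage and Very Secure" (the cloud service issues a short-lived token, the backend verifies it, the app holds no signing key), shown from the backend's side. This is an added example, not Approov's code or token format: the JWT-style HS256 layout, the function names and the secret value are assumptions.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret: bytes, lifetime_s: int, now: int) -> str:
    """Attestation service side (assumed): called only after integrity checks pass."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"exp": now + lifetime_s}).encode())
    return f"{header}.{payload}.{b64url_encode(sign(secret, header + '.' + payload))}"

def verify_token(token: str, secret: bytes, now: int) -> str:
    """Backend API side: returns 'ok' or the reason for rejecting the request."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:
        return "malformed"
    # Pin the algorithm so a token cannot downgrade itself to "none".
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "bad-alg"
    # Constant-time comparison against the signature the backend computes itself.
    if not hmac.compare_digest(sign(secret, header_b64 + "." + payload_b64), presented):
        return "bad-signature"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return "expired"
    return "ok"

# Constructed sample values; the secret is held by the service and the backend, never the app.
SERVICE_SECRET = b"constructed-demo-secret"
ISSUED_AT = 1_700_000_000

def demo() -> dict:
    genuine = issue_token(SERVICE_SECRET, 300, ISSUED_AT)
    self_signed = issue_token(b"key-invented-by-a-repackaged-app", 300, ISSUED_AT)
    return {
        "genuine": verify_token(genuine, SERVICE_SECRET, ISSUED_AT + 60),
        "after_expiry": verify_token(genuine, SERVICE_SECRET, ISSUED_AT + 301),
        "self_signed": verify_token(self_signed, SERVICE_SECRET, ISSUED_AT + 60),
    }
```

Calling `demo()` shows the three outcomes a backend has to distinguish: a valid token, the same token after its lifetime has passed, and a token signed with a key the app made up itself.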

Device Attestation

Full Validation of the Integrity of the Client Environment
Approov detects any unsafe operating environments on the client device, such as rooted/jailbroken devices, apps running under debuggers or emulators, or whether malicious frameworks are present.
Complete Control via Fine-Grained Policy
You may want to permit some client modifications for some types of apps but not for others. Approov validates all aspects of the client environment and applies dynamic policies that allow fine-grained control. Policy changes are instantly applied to all apps.
Fully Integrated with Android Play Integrity and iOS AppAttest
Approov provides more granular control, wider device support, cross-platform consistency and various other advantages over the basic platform capabilities. However, Approov does optionally integrate with iOS AppAttest and/or Android Play Integrity to provide an even more powerful threat management framework.

Dynamic Certificate Pinning

No More Man-in-the-Middle
Approov’s dynamic pinning service stops Man-in-the-Middle or Man-in-the-Phone attacks, locking down connections to a fixed set of backend certificates that you can manage easily.
Completely Secure
Certificate pinning can prevent these attacks. This binds the app to the public key of the certificate that is expected on the backend API service. If an attacker tries to insert their own certificate, even if it is trusted by your customers’ device itself, the connection will be rejected. Because Approov detects hooking frameworks, any attempts to bypass pinning by using a “man-in-the-device” attack to manipulate the client environment are completely blocked too.
Easy to Manage
Pinning can be tricky to implement but not if you use Approov. Approov delivers secure over-the-air instant pin updates with no management headaches or service disruptions. There is no need to ever release a new version of the app simply to update pins. Pin updates are distributed immediately the next time an Approov token needs to be fetched.

API Protection

Only Genuine Apps Can Access APIs
Approov protects your backend APIs from API abuse, credential stuffing, fake botnet registrations, and DDoS attacks. This is because Approov performs an ongoing, deep inspection of your mobile app and the device it is running upon, and based on this certifies authenticity to your backend APIs and services.
No More Hardcoded Secrets
Approov Runtime Secret Protection securely manages certificates, pins and API keys for your own and 3rd party APIs, and only delivers them to an app when needed, and only if the app is genuine and the environment is safe.
Protect 3rd Party APIs
Approov security also works for the 3rd party APIs your app depends on. Also, if for some reason 3rd party API secrets are changed, Approov lets you update them easily and securely across your installed apps without the need for app updates.

Runtime Secrets Protection

Secrets Are Always Secure
Approov provides a cloud-based solution for managing and securely storing the API keys and other secrets your apps use. Secrets are never present in the app code, and the app is no longer subject to any reverse engineering risk since there are no keys to steal.
Delivered Just in Time to Validated Apps
Approov performs a deep inspection of your mobile app and the device it is running upon, and only if various integrity checks are passed are the secrets passed to the app at runtime, just in time, where they are used securely. Outgoing requests that may contain the secrets are pinned, ensuring they cannot be extracted by a Man-in-the-Middle attack.
Update Immediately When Needed
Approov runtime secrets management gives you complete operational flexibility and observability. You can rotate secrets immediately if needed, across all your apps, eliminating the risk of stolen secrets being used to attack your APIs, while ensuring service continuity.

Easy to Deploy and Manage

Easy for Developers
Our free 30-day trial easily provides enough time to fully deploy and test Approov in your own environment. Adding the SDK to the app and integrating with the backend service are both made easy because Approov provides a range of Quickstart guides for all commonly used environments, and always keeps them up to date.
Approov also has pretested integrations with a number of backend security platforms, tools and services to make integration in your environment easy.
DevOps Will Love It
Approov makes it easy to keep your app working and your service up and running. There are never any false positives to impact customer satisfaction and Approov delivers over-the-air instant pin updates with no management headaches and no risk of service disruption. In fact, with Approov there is no longer any need to release a new version of the app simply to update pins, certificates or API Keys. Your DevOps team will be happy about that.
Visibility and Control for the Security Team
Approov gives the security team complete visibility with Approov Analytics and fine-grained control over policies using over-the-air policy updates. No need for extensively trained specialists either - no tuning or rule creation is required. API Keys, certificates and all the other secrets the app needs are managed and delivered over-the-air. If secrets are stolen from somewhere else, Approov can block them instantly by applying updates across all deployed apps without the need for app version updates. 3rd party APIs are also protected.

Talk to a Security Expert

Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your APIs.

Get a Trial

Ready to get serious? For detailed pricing information, tell us the name of your app and the expected number of active monthly users on Android and iOS.


Looking for a quick fix?

Our Quickstarts will show you the fastest path to implementing better mobile security.