Mobile App Attestation

The Attestation Approach

Traditional app security approaches integrate all of the threat detection logic into the app itself. This code may be running in an attacker controlled environment, open to analysis and a variety of attacks. Even if the detection code is well defended, it relies on the app making a local decision about it’s own integrity, which presents an obvious weak point that is frequently exploited by attackers.

Approov is different. It uses a remote attestation approach, where the running app must prove itself to be genuine through a sequence of integrity measurements that it must perform. These results are then sent to the Approov cloud service using a patented challenge-response protocol, immune from replay attacks.

If integrity is verified then the running app is issued with a short lived cryptographic token that it can use to prove its authenticity to the backend API services it uses. The app cannot make its own decisions about integrity and cannot sign its own tokens. Defense is moved out of the attacker’s reach and into the Approov cloud.

How It Works

Industry standard signed JSON Web Tokens (JWT) make checking easy since they are supported by a wide range of server and API management technologies. They have a very short lifetime of minutes and are signed with keys that are never contained within the app itself, so it cannot be extracted.

Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid Approov tokens. If an app is issued with an invalid token it cannot access your protected API services.

For more information, see Approov Architecture.

Approov Architecture

Securing API Keys

Existing API security solutions may employ API keys or client secrets to identify accounts or lock down access to the mobile client. Such secrets can be easily reverse engineered from app code, and then used in attacker scripts to spoof requests to pretend they were coming from the official mobile app.

Even if such secrets can be protected at rest in the app code, they still need to be communicated to the backend API service. Therefore secrets can still be stolen in transit by Man-in-the-Middle (MitM) attacks.

A different security approach is needed. Approov tokens can either replace API keys and secrets, or act as a second authentication factor for them. Approov tokens are protected at rest and in transit, and because they are only issued as a result of an integrity measurement process they cannot ever be extracted from an app. This approach delivers real proof of the authenticity of a request.

SafetyNet and DeviceCheck Integrated

Apple DeviceCheck allows developers to set and track states on (anonymized) iOS devices, and the recent App Attest feature allows the authenticity of app requests to be verified. Google SafetyNet evaluates whether an Android device has been rooted or otherwise compromised.

Approov optionally integrates both iOS DeviceCheck and Android SafetyNet and they can be incorporated into the powerful threat management framework of the Approov service. This provides granularity of control and consistency across both platforms. It also allows a wider range of OS version support and management so that you can avoid the high latency of these Operating System operations that require Apple or Android server communication.

Talk to a Security Expert

Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your APIs

Talk to an Expert
Approov Consultation