For Developers

Features

  • No API key in app
  • Positive app authentication
  • Safe app environment
  • Reliable certificate pinning
  • Bound app-user tokens
  • Over-the-air security updates
  • Real-time telemetry access
  • DevOps tooling
  • Help desk support
  • Easy app SDK integration
  • Easy backend token checking
  • Selective security policies

Approov API Threat Protection Architecture

Approov consists of three components, which are integrated with your app and with the backend(s) serving the API(s) being protected:

  • An SDK that drops into your iOS or Android app and handles all of the work to identify your app to our cloud service and fetch tokens.
  • A communication protocol between the SDK and the cloud service that is heavily defended against hacking approaches.
  • Easy-to-use tools for administering your account.

How It Works

Industry standard signed JSON Web Tokens (JWT) are used for ease of checking in a wide range of server and API management technologies. They have a very short lifetime (minutes) and are signed with a custom secret known only to the Approov cloud service and the backend API. Because this secret is never contained within the app itself, it cannot be extracted from the app.

Setting the security policy for your account determines the requirements on the runtime environment that your apps run in (e.g. the device must not be rooted/jailbroken, or particular hacking analysis tools must not be running).

Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid Approov tokens. If an app is issued with an invalid token it cannot access protected API services.

For more information, see Approov Architecture.

Mobile App Integration

Adding Approov to your iOS or Android app is an easy process. After creating an Approov account, you can download the SDK. The SDK handles all of the interactions with the cloud service and provides a simple interface to your app.

Tokens can be fetched by your app using a simple call. This automatically does all of the analysis and measurement necessary to identify the app to the Approov Cloud Service and receive the resulting token. If a valid token has already been obtained and has not yet expired, it is returned immediately. For the app to prove its authenticity to the backend API serving it, the token simply needs to be added to the API call.

After integrating the SDK into your app, you register each app version with the Approov Cloud Service using the approov command line tool authorized by the management access tokens provided when you signed up for the service. This process extracts and registers the “DNA” of the app with the cloud service so that your app can be positively identified as a genuine app in the field. Your app is then published as normal, and the enhanced security is transparent to your users.

App signatures can be removed from the Approov service at any time, allowing tight control of which versions of the software can access your API. The administration tools also provide other features to control your security policy.

Mobile Platforms

Integrating Approov into mobile applications is straightforward, and quickstart guides are provided for popular platforms below. If your platform is not listed, a generic integration approach is described in the Approov user manual.

  • React Native: Get started quickly
  • Cordova: Get started quickly

For more information, see SDK Integration.

Backend API Integration

Once the SDK has been integrated with your app, live tokens are added to your API request headers, and your backend API systems are enhanced to verify these tokens. Each Approov token provides a strong authentication signal; how you choose to handle authentication failures is up to you: rejecting the requests, rate limiting access, or enabling additional security measures. Approov provides the flexibility to balance your security needs against API accessibility. Token verification is straightforward with the adoption of industry standard JWT formats; you check that each token has been correctly signed with the secret for your account, and that it has not expired. We provide example integrations for a wide range of systems, from various server frameworks to API management and CDN solutions.
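The two backend checks described above (correct signature under the account secret, not expired), as an added example rather than one of Approov's own integration samples. It assumes HS256 (HMAC-SHA256) signing and a request header named `Approov-Token`; the secret and claims are constructed for the demonstration, and it uses only the Python standard library so there is no JWT library dependency. The `authorize_request` hook is where a deployment would substitute rate limiting for outright rejection if that better fits its accessibility needs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real Approov account secret is issued by the
# service; this example assumes HS256 signing, as the page describes tokens
# "signed with a custom secret" known only to the cloud service and backend.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-one"
TOKEN_HEADER = "Approov-Token"  # assumed request header name for this example


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the token the SDK fetches from the cloud service."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, now=None):
    """Backend check: valid signature under the account secret and not yet expired.

    Returns (ok, reason, claims); claims is None unless ok.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "bad header", None
    # Fix the algorithm server-side; never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unsupported alg", None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return False, "bad signature", None
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return False, "bad signature", None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "bad payload", None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return False, "missing exp", None
    if now >= exp:
        return False, "expired", None
    return True, "ok", claims


def authorize_request(headers: dict, secret: bytes, now=None) -> str:
    """Policy hook: a failed check rejects here, but the same result could drive rate limiting."""
    token = headers.get(TOKEN_HEADER)
    if token is None:
        return "reject: no token"
    ok, reason, _ = verify_token(token, secret, now)
    return "allow" if ok else f"reject: {reason}"


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_token(DEMO_SECRET, {"exp": now + 120, "did": "constructed-device-id"})
    print(authorize_request({TOKEN_HEADER: good}, DEMO_SECRET, now))        # allow
    print(authorize_request({TOKEN_HEADER: good}, DEMO_SECRET, now + 300))  # reject: expired
```

The short token lifetime is why the expiry check matters as much as the signature: a captured token is only useful to a replayer for minutes, but only if the backend actually enforces `exp`.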

Backend API Platforms

Integrating Approov into backend services is straightforward, and quickstart guides are provided for popular platforms below. If your platform is not listed, a generic integration approach is described in the Approov user manual.

For more information, see Backend Integration.

TLS Pinning Simplified

Modern apps communicate using a secure TLS connection between the app and the backend APIs. A common misconception is that this encryption ensures that the data is not vulnerable to eavesdropping by a Man-in-the-Middle (MitM) attacker. Although TLS ensures that the data is encrypted end-to-end, it can’t ensure that one of the ends is actually your backend. It is possible to trick the app into setting up its connection indirectly via a MitM attacker, who can then see and potentially modify all of the traffic. Such MitM approaches are also commonly used by attackers to reverse engineer an API protocol for subsequent attack.

Employing certificate pinning can prevent these attacks. This binds the app to the certificate (or public key) that is expected on the backend API service. If an attacker tries to insert a MitM, even one trusted by your customer’s device itself, the connection will be rejected. Mobile apps should employ pinning to protect against the loss of user personally identifiable information (PII) or against malicious modification of traffic.

Unfortunately, pinning can be complex to implement in the app and requires coordination with the backend API services, which may wish to rotate certificates on a regular basis. If there is a certificate mismatch with the app, then the app becomes unusable until a new version is available, leading to an unpleasant customer experience.

Approov provides code examples of how to implement pinning across a wide range of different app frameworks, along with the tools to easily determine and manage the pins. It also provides support for updating pinning over the air with no need to update the app. Certificate rotations can be handled cleanly, with no risk of interruption to customer service.
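An added example (not Approov's own code or tooling) of what a public-key pin is and why pinning the key rather than the whole certificate eases the rotation problem discussed above. It walks a DER-encoded X.509 certificate with a minimal, assumed-simplified parser to extract the SubjectPublicKeyInfo, hashes it to a pin, and checks the pin against a set that holds both the current key and its pre-generated successor. The certificates are constructed in-line with dummy key bytes so the example runs offline; they are structurally valid but not real or signed certificates.

```python
import base64
import hashlib


# --- Minimal DER helpers (simplified; enough to walk an X.509 certificate) ---

def der_tlv(data: bytes, pos: int = 0):
    """Parse one DER tag-length-value at pos; return (tag, value, start, end)."""
    start = pos
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, data[pos:end], start, end


def der_children(value: bytes):
    """Split the contents of a SEQUENCE into (tag, raw_tlv_bytes) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, start, end = der_tlv(value, pos)
        out.append((tag, value[start:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV: the bytes a public-key pin hashes."""
    tag, cert_body, _, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_raw = der_children(cert_body)[0][1]  # tbsCertificate
    _, tbs_body, _, _ = der_tlv(tbs_raw)
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:  # optional explicit [0] version field
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """Public-key pin in the usual form: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_matches_pins(cert_der: bytes, pin_set) -> bool:
    """Accept the connection only if the leaf's public key hashes to a configured pin."""
    return spki_pin(extract_spki(cert_der)) in set(pin_set)


# --- Constructed sample certificates (dummy key bytes; not real certificates) ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _seq(*children: bytes) -> bytes:
    return _der(0x30, b"".join(children))


RSA_ENC_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption


def build_sample_cert(key_bytes: bytes):
    """Return (cert_der, spki_der) for a structurally valid but dummy certificate."""
    spki = _seq(_seq(RSA_ENC_OID, _der(0x05, b"")), _der(0x03, b"\x00" + key_bytes))
    tbs = _seq(
        _der(0xA0, _der(0x02, b"\x02")),                                    # version v3
        _der(0x02, b"\x01"),                                                # serialNumber
        _seq(SHA256_RSA_OID, _der(0x05, b"")),                              # signature alg
        _seq(),                                                             # issuer (dummy)
        _seq(_der(0x17, b"200101000000Z"), _der(0x17, b"300101000000Z")),  # validity
        _seq(),                                                             # subject (dummy)
        spki,
    )
    cert = _seq(tbs, _seq(SHA256_RSA_OID, _der(0x05, b"")), _der(0x03, b"\x00" * 9))
    return cert, spki


CURRENT_CERT, CURRENT_SPKI = build_sample_cert(b"\x01" * 64)
NEXT_CERT, NEXT_SPKI = build_sample_cert(b"\x02" * 64)

# Pin the current key and its already-generated successor: the backend can then
# rotate to NEXT_CERT without the shipped app rejecting the connection.
PIN_SET = {spki_pin(CURRENT_SPKI), spki_pin(NEXT_SPKI)}
```

Because the pin covers only the public key, the backend can renew the certificate (new serial, validity, issuer signature) under the same key without any pin change; a backup pin for the next key covers the case where the key itself rotates. What over-the-air pin updates add on top of this is the ability to change `PIN_SET` without shipping a new app version, which is the failure mode the paragraph above describes.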

For more information, see Public Key Pinning.

Want a Live Demo?

We will show you how the ShipFast courier service uses Approov to protect their mobile app from abuse by evil ShipRaider.

Schedule a Demo

Copyright © 2020 CriticalBlue, Ltd. All Rights Reserved.