Runtime
Secrets
Protection

Shift Left To Secure Your Secrets

Approov has developed an SDK that you can drop into your app to manage the secrets that it needs, such as API keys, to authenticate itself to various services that it uses. Rather than hardcode these in your app, where they are fixed and subject to reverse engineering extraction, the SDK obtains them at runtime from our cloud service.

Approov performs a deep inspection of your mobile app and the device it is running upon, and only if various integrity checks are passed are the secrets passed to it at runtime, where they are held securely. Outgoing requests that may contain the secrets are pinned, ensuring they cannot be extracted by a Man-in-the-Middle.

Shift left with Approov and integrate runtime secrets management, giving you complete operational flexibility and observability. Rotate secrets as needed and eliminate the risk of secrets exposure damaging your business.

Approov Runtime Secrets Protection manages and protects all the secrets a mobile app uses. The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment has passed attestation. This ensures that sensitive API secrets are not being continuously stored or delivered to unsafe places, such as fake apps or into malicious hands.

Mobile App Integration

Adding Approov to your iOS or Android app is easy with our wide range of quickstarts. Each one implements a networking interceptor model so when secrets such as API keys need to be sent by the app they can be automatically added at runtime, minimizing code changes and maximizing security. All networking calls are protected with dynamic pinning, ensuring the secrets are also safe in transit. Other types of secrets can be obtained through simple calls, with options allowing user notification if the app has failed its runtime integrity checks.