Approov API Protection

For Security / Ops

First-Class API Protection

APIs connect your backend services to your customers through your mobile app. They are the customer access point for interaction with your business.

Protection of API calls and data or transactions is now imperative for business. Insecure APIs can lead to lost revenue, increased operating costs, loss of reputation, and potentially large legal costs and restitution if breached.

Approov API Threat Protection provides three critical security benefits:

App Authentication

Ensures a real and authentic app is accessing your backend service, not a bot or tampered, repackaged app.

Safe Environment

Detects unsafe operating environments, such as running rooted/jailbroken, in a debugger or emulator, or with malicious frameworks present.

Secure Comms

Protects all API communications from third party observation or manipulation.

Identity and access management (IAM) services and role-based access control (RBAC) can control WHO can access backend services, but how well do you control WHAT can access your services? Approov closes this security gap to answer questions such as:

  • How do you prevent a bot using stolen credentials from calling your APIs?
  • How do you prevent a user from giving their credentials to a 3rd party app to access your data and services without your consent?
  • How do you prevent scraping of data when logins are not required?

By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.

Gartner: How to Build an Effective API Security Strategy

Aren't API Keys Good Enough?

Useful apps are dependent on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and 3rd party APIs each with its own approach to access management and associated charges.

Most APIs require apps to present some sort of valid API key with each request to allow access. Failing to protect this key from misuse can have a number of consequences:

  • Paying for someone else's access to a pay-per-call API.
  • Key revocation due to use outside of terms of service.
  • Rate limiting due to overuse.

The API keys used by your apps can fall into the wrong hands in a number of ways. They can simply be extracted from your published app and redeployed in scripts, and it is not uncommon for keys to be accidentally uploaded by developers to public code sharing sites such as GitHub and Bitbucket.

Anatomy of a Hack

Hundreds of millions of API-leveraged attacks occur each day attempting to steal valuable data or goods, or to access accounts which can be exchanged for money. A typical attack sequence involves:


Operating Securely with Approov

Approov's operational capabilities are continually enhanced through interactions with our customers.

Security Policies

Approov detects potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers specify which policies should be enforced. Changes to security policies roll out immediately to active apps.

Potentially unsafe conditions detected include:

  • bad hmac
  • device changed
  • app not registered
  • root risk
  • ios simulator
  • multi-app clone
  • xposed unsafe
  • magisk hidden
  • risky device
  • devicecheck ban
  • non-standard launch
  • automated launch

Monitoring & Metrics

Live metrics are accumulated regarding device usage, attestation forensics, and billing information. Both graphical and report notifications are available.


Over the Air Updates

Hackers continuously evolve their runtime penetration techniques, and Approov keeps pace by providing security detection updates over the air without requiring app store updates. This live update service is also used to manage trust certificates and security policies.


DevOps Tooling

The Approov service is managed by a uniform command line tool available on Windows, macOS, and Linux for easy integration into DevOps flows.

See Approov for Developers for details on integrating Approov into apps and back-end services.

Want a Live Demo?

We will show you how the ShipFast courier service uses Approov to protect their mobile app from abuse by evil ShipRaider.

Schedule a Demo

Copyright © 2021 CriticalBlue, Ltd. All Rights Reserved.