Overview

Approov protects mobile apps and APIs which access enterprise backend servers. Malicious actors target enterprise servers either by modifying the app or more commonly by targeting the API. The latter is achieved by reverse engineering the protocol and utilizing valid user credentials and/or static API keys which are extracted from the app or intercepted in transit. The enterprise server is unable to distinguish between traffic coming from a malicious script or a modified app, and traffic coming from a genuine and untampered mobile app. Authenticating good traffic is what Approov does.

Approov is a cloud based service which performs regular software authentication of the mobile app, thus verifying the app’s presence, and its integrity, when the traffic was generated. The authentication process is based on a low level dynamic integrity check of the app in memory and does not rely on any static secrets being stored in the app. The cloud service generates a time limited JWT token which is added to the API message header by the app and requires a simple check at the enterprise server end to verify that the token has been signed with the correct secret. This secret is known only to the Approov cloud service and the enterprise server; the mobile app does not know it. Further, the app is always given a token, even if it fails authentication, thereby ensuring that the app never knows its status.

Approov is a positive software authentication solution, enabling enterprises to identify good customers with confidence and preserve business revenue. It is not based on behavioral analysis or bad signature analysis. On average our customers report 10-15% of mobile API traffic as not coming from the expected mobile app. This unwanted traffic causes extra cost and can result in lost revenue and damaged brand reputation.