Approov
Photo Gallery
Approov
Additional Info
Company | CriticalBlue |
Website | http://www.approov.io |
Company size (employees) | 10 to 49 |
Overview
Approov protects enterprise applications which are accessed from a mobile app via an API. Malicious actors target enterprise servers via the API by reverse engineering the protocol and utilizing valid user credentials and/or static API keys which are extracted from the app or intercepted in transit. The enterprise server is unable to distinguish between traffic coming from a malicious script or a modified app, and traffic coming from a genuine and untampered mobile app. Authenticating good traffic is what Approov does.
Approov is a cloud based service which performs regular software authentication of the mobile app, thus verifying the app’s presence, and its integrity, when the traffic was generated. The authentication process is based on a low level dynamic integrity check of the app in memory and does not rely on any static secrets being stored in the app. The cloud service generates a time limited JWT token which is added to the API message header by the app and requires a simple check at the enterprise server end to verify that the token has been signed with the correct secret. This secret is known only to the Approov cloud service and the enterprise server; the mobile app does not know it. Further, the app is always given a token, even if it fails authentication, thereby ensuring that the app never knows its status.
Approov is a positive software authentication solution, enabling enterprises to identify good customers with confidence and preserve business revenue. It is not based on behavioral analysis or bad signature analysis. On average our customers report 10-15% of mobile API traffic as not coming from the expected mobile app. This unwanted traffic causes extra cost and can result in lost revenue and damaged brand reputation.
How we are different
1. Approov is a positive software authentication approach, identifying good apps and hence good customers. It does not rely on historical data and does not suffer from false positives.
2. Approov does not require a static secret to be stored in the app. The dynamic integrity check uses a low level, patented approach based on many years of low level software analysis.
3. Approov is easy to integrate (drop-in SDK), simple to deploy via our cloud service, and has no impact on customer experience. One of our largest customers successfully went live in just over 1 week.