According to Gartner Inc., "Through 2019, the majority of mobile security breaches will be exploiting vulnerabilities in the communication of apps with the server." Thus the level of protection of an enterprise's APIs will determine the resilience of its mobile business against external disruption. Approov goes beyond the arms race mentality of using behavioral analysis trained by historical data to detect suspect activity. Instead, Approov adopts a positive approach by identifying good traffic via a cloud-based software authentication service. Unlike existing solutions, the security is not wholly dependent on secrets embedded inside the app but instead uses a dynamic measurement of the app environment at runtime to guarantee its integrity. Coupled with a simple integration approach, Approov delivers a new level of protection with negligible development or operational overhead.
Strong Adoption in Markets where Bot Activity is a Known Issue
The simplicity of integration alongside the strength of mobile app and API protection delivered by Approov has encouraged a broad spectrum of interest in deployment of the solution across the finance, retail, gaming, media, travel and betting sectors.
"At the Racing Post we've historically had problems with data scrapers on our site and have relied on 'after the fact' mechanisms such as IP blocking. We are now on the precipice of exposing our API to the general public, and we are understandably reticent given the value of our data," commented Steven Puddephatt, Business Solutions Architect, Racing Post. "We searched the market and only Approov offered the strong mobile app authentication and security we required. We set CriticalBlue a challenge of making it work in a server-less environment in AWS using Lambda functions, which they did in under a week. We are now very confident we can launch a public facing API without fear of unauthorized access."
Software Authentication for Mobile API Protection
Protecting server digital assets while preserving a frictionless user experience is of vital importance in mobile business. From the server's perspective, knowing which customer is sending the traffic is important, but the picture is complete only if the server also knows what software is sending it. Approov authenticates that the traffic is coming from the untampered mobile app through the encrypted transmission of one-time, time-limited, IP-address-bound JWT tokens signed by a secret known only to the backend server and the Approov cloud service. Reverse engineering the mobile app, tampering with it, scripting API traffic generation or employing a man-in-the-middle attack will all result in failed authentication and blocked communication.
"We have analyzed Approov for both its cryptography strength and also for an initial penetration test," stated Bill Buchanan, Professor of Computing, The Cyber Academy, Edinburgh Napier University. "The current system has very good levels of assurance which provide significantly reduced risk within the key application areas."
 Gartner, "Securing Mobile App Back Ends", 15 November 2016, ID: G00271223
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Approov is a cloud service which verifies the authenticity of a mobile app instance and securely communicates the verdict to your backend server using industry standard JWTs. This establishes positive trust between your server and app with no impact on user experience. Approov consists of three elements:
- A library to be included in your mobile app
- An app authentication cloud service (can be on premises)
- A token check function for your server
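A server-side token check of the kind described above, as an added example that is not Approov's or CriticalBlue's code. It assumes HS256 signing, the claim names `exp`, `ip` and `jti`, and an in-memory replay cache; `TokenChecker` and `make_token` are hypothetical names, and the tokens are constructed samples.

```python
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, claims):
    """Constructed stand-in for the issuing service, used only to build sample tokens."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(secret, head + '.' + body))}"

class TokenChecker:
    """Server-side check: signature, expiry, IP binding, one-time use."""
    def __init__(self, secret):
        self._secret = secret
        self._seen = {}  # jti -> expiry; remembers tokens until they expire

    def check(self, token, client_ip, now=None):
        now = time.time() if now is None else now
        try:
            head, body, sig = token.split(".")
            header, given = json.loads(_b64d(head)), _b64d(sig)
        except ValueError:
            return "malformed"
        # Pin the algorithm; never let the token choose "none" or another alg.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "bad-alg"
        if not hmac.compare_digest(given, _sign(self._secret, head + "." + body)):
            return "bad-signature"
        try:  # claims are parsed only after the signature is verified
            claims = json.loads(_b64d(body))
            exp, ip, jti = claims["exp"], claims["ip"], str(claims["jti"])
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if not isinstance(exp, (int, float)) or exp <= now:
            return "expired"
        if ip != client_ip:
            return "wrong-ip"
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return "replayed"
        self._seen[jti] = exp
        return "ok"
```

With more than one backend instance, the replay cache would need to live in a shared store, and `client_ip` must be the address the server itself observed rather than a client-supplied header.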
For more technical information, pricing details, or to sign up for a free trial, visit http://www.approov.io
CriticalBlue enhances the software performance and security of its customers' products. Patented binary-level dynamic analysis technology underpins its tool and service offerings.
For more, visit http://www.criticalblue.com or @critblue
Contact: David Stewart, +1-408-573-3609