Approov introduced the Approov Alliance and Integration Program to ensure that the critical elements of comprehensive mobile app API protection are rigorously tested and work together harmoniously and seamlessly to avoid both data leakage and exposure of the app’s core logic.
“API security is critical to protecting the confidentiality, integrity, and availability of your data but today the market is fragmented and customers need products to work together to get the protection they need,” said Alissa Knight, partner of Knight Ink. “The mobile app and client attestation provided by Approov is a crucial element and the new alliance program gives customers assurance that it works seamlessly with other security solutions to protect APIs.”
Mobile apps, by their nature, expose a potential “Achilles heel” in application security. A mobile app and its APIs expose API Keys, business logic, and other data that can be used to successfully attack that API using a script or modified mobile app. The deployment of mobile apps can present a comprehensive “tool kit for hackers” who are targeting APIs. Even with extensive shift-left security initiatives in place, this ability to exploit APIs can never be completely eliminated and they must be shielded at run-time.
Approov’s approach blocks these and other mobile app attack vectors, such as man-in-the-middle attacks. Approov blocks any access to the API from anything other than unmodified, genuine versions of the app, effectively preventing any vulnerabilities in an app or its API from being exploited, protecting both apps under development and apps in production.
The Approov Integration and Alliance Partner program ensures that each component in the application security ecosystem works seamlessly with Approov, in order to make it easy for customers to deploy a comprehensive solution for API security that optimizes user experience while thwarting malicious API access attempts. Approov invites vendors with complementary solutions to sign up to the program.
Approov technology integrations
Approov already has tried and tested integrations with a number of security vendors:
Identity and access management: Approov works with any products which support standards for authorization, authentication and identity management, such as OAuth2 and OpenID Connect (OIDC).
WAF and API management gateways: Approov integrates easily with any backend environment: QuickStart guides are available for 10 commonly used environments. However, an emerging best practice is to unify security layers by having a single control point where application security policies are enforced. Approov supports this through integrations with back-end security platforms including Fortinet’s FortiWeb WAF, which allows Approov mobile attestation to be integrated into FortiWeb security rules. Similarly, Approov’s integration with API gateways such as Kong, TIBCO/Mashery and NGINX Plus adds the Approov assurance that APIs can only be accessed by genuine instances of your mobile app.
Cloud services: Integration of Approov with Amazon API Gateway and Microsoft Azure API Management allows the Approov mobile app and client environment attestation checks to be enforced at the gateway to ensure comprehensive and consistent security for cloud-native APIs.
Browser-based API access: It is a best practice to isolate and have dedicated APIs to serve mobile apps in order to optimize performance and lock down access using app attestation and client validation. However, some mobile-first customers also allow browser-based access to the same APIs which service their mobile apps. To provide a single common validation method for mobile apps and browser-based access, Approov integrations include FingerprintJS, hCaptcha and reCAPTCHA. These solutions evaluate whether a browser access is by a human or a bot, and integration with Approov enables a single, common authorization method for both the web and mobile API channels in order to validate legitimate access.
Mobile development framework integration: Approov ensures ease of deployment through integration with Android native and iOS native app development frameworks, as well as major cross-platform frameworks such as Flutter, React Native, NativeScript, Ionic, Cordova, and Xamarin.
Client integrity: Apple DeviceCheck allows developers to set and track states on (anonymized) iOS devices, and Google SafetyNet evaluates whether an Android device has been rooted or otherwise compromised. Integration of both with Approov ensures that DeviceCheck and SafetyNet validation can be incorporated into the powerful security policy framework which is part of the Approov service. This provides granularity of control, consistency and simplicity of implementation across both platforms and ensures compromised device access can always be blocked without creating false negatives.
“As we have seen in recent high-profile breaches involving Peloton and Experian, threat actors are actively working to dissect mobile apps in order to mount successful attacks on APIs,” said Approov CEO David Stewart. “Approov integrations simplify mobile security for customers by ensuring that the required security capabilities for mobile can seamlessly be integrated with the other essential elements of a security solution, bringing an important new level of security to existing and future mobile applications.”
Approov recently launched Release 2.7 of the Approov API Shielding platform, enabling companies of all sizes to adopt leading-edge, affordable API cybersecurity protections for mobile-based applications, including production apps.
The Approov platform is deployed by connected car companies BMW and Sixt, the European eCommerce platform Deindeal, the healthcare app developer MV, the financial services platform Papara, and other security-minded organizations whose applications are a primary customer conduit.