An article on Wired summarises 25 data breaches that made headlines during 2017. The implication in the article, and the general impression of those who take an interest, is that 2018 will bring more of the same in an ever-accelerating trend of discovery and disclosure. The growth in attacks indicates that companies of all sizes should continually raise the defensive bar, and Approov raises that bar significantly. In this short post I will provide a high-level view of what Approov does and how it works.
One common mechanism for monitoring API access is to have an API key. The key is there to identify 'what' is accessing a service; user authentication is used to identify 'who'. The problem with this approach is that it is normally trivial for an attacker to steal an API key. Decompiling and examining an app may expose it, although salting and dissolving keys can make this harder. Failing that, it can be revealed by eavesdropping on the client-server communication with Man-In-The-Middle (MITM) software and/or by hooking an appropriate method with a runtime hooking framework; at some point the target app must hold the API key in the clear in order to send it to the associated API. Approov avoids this problem by effectively making the app itself the API key: there are no secrets in the app to steal.
Approov combines runtime anti-tamper with a challenge-response backend service to authenticate the validity and integrity of an active app. The authentication is re-checked regularly while the app is running, and valid apps are issued with authentication tokens, much as a user authentication service issues user tokens on a successful login. The result is that Approov enables your backend API to differentiate between traffic from your mobile apps and traffic from other sources. The backend can then react accordingly.
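The token flow described above, reduced to its two server-side halves, as an added illustration that is not Approov's own code and makes no claim about Approov's real token format: an attestation service issues a short-lived token to an app only after its integrity check passes, and the backend API verifies the token's signature and expiry before serving the request. The shared secret, the `X-App-Token` header name, the token layout and the sample app identifier are all constructed for this example; the point it demonstrates is that the secret needed to mint a token never has to be present in the app itself.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared only between the attestation service and the
# API backend. Nothing equivalent is ever shipped inside the mobile app.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"

# Hypothetical header the app uses to carry its token to the API.
TOKEN_HEADER = "X-App-Token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, passed_integrity_check: bool,
                ttl_seconds: int = 300, now: Optional[int] = None) -> Optional[str]:
    """Attestation service side: mint a short-lived HMAC-signed token,
    but only for an app instance that passed the integrity challenge."""
    if not passed_integrity_check:
        return None
    now = int(time.time()) if now is None else now
    payload = json.dumps({"app": app_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    body = _b64url(payload)
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Backend API side: return the token payload if the signature is
    genuine and the token has not expired, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig_text = parts
    try:
        presented_sig = _b64url_decode(sig_text)
        expected_sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a tampered signature leaks no timing signal.
        if not hmac.compare_digest(presented_sig, expected_sig):
            return None
        payload = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad JSON or bad encoding all end up here
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None
    return payload


def handle_api_request(headers: dict, now: Optional[int] = None) -> int:
    """Backend request gate: 200 for a request carrying a valid app token,
    401 for anything else (scripts, scrapers, modified or repackaged apps)."""
    token = headers.get(TOKEN_HEADER)
    if token is None or verify_token(token, now) is None:
        return 401
    return 200


if __name__ == "__main__":
    # Genuine app passes the integrity check, receives a token and is served.
    token = issue_token("com.example.demoapp", passed_integrity_check=True)
    print(handle_api_request({TOKEN_HEADER: token}))            # genuine app
    # A script with no token, and a modified app that failed the check, are refused.
    print(handle_api_request({}))                               # no token
    print(issue_token("com.example.demoapp", passed_integrity_check=False))
```

The expiry window is what makes the regular re-check meaningful: a token captured from a live app is only useful until `exp` passes, after which the client must pass the integrity challenge again to obtain another one.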
In the current environment, Approov provides a proactive defense against threats by ensuring that it is your own software that is making the requests to your servers. It can be used for bot mitigation and to block unwanted scrapers, scripts, and repackaged or modified apps. As a side benefit, it ensures your API is driven only in the way it was intended, thereby helping to minimise the risk of exposing exploitable security holes and vulnerabilities.
Approov has been deployed and has successfully solved real security issues for our customers, and is therefore doing its bit to try and reverse the successful attack trend. If you're not sure about the amount of bot traffic on your API, you could take advantage of our free trial. This will allow you to quickly and easily profile the actual users of your API and see the impact they have on your service.
WANT TO KNOW MORE?
This is the first post in a series that will focus on aspects of Approov that are sometimes misunderstood. If you have any points you would like clarified, why not ask me a question from the contact us page. Otherwise, here are some links that you may find interesting:
- Top-level solution description and integration flow
- Customer success stories
- Cert pinning: how to toughen it up with Approov
- Blog posts commenting on threats (almost all of which could be mitigated or resolved with Approov)