Editor's note: This post was originally published in April 2020 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020.
Approov lets your mobile app prove to a backend API that it really is the official mobile app making the call, and that it is not running in an environment that may be compromised. Only the app instances you have specifically allowed can make successful requests.
To achieve this Approov uses industry standard JSON Web Tokens (JWT). The default signing algorithm we use is HS256, meaning that the tokens are signed using a secret that is specific to your Approov account. Our cloud service will only correctly sign these tokens if it is satisfied that they are being provided to a valid app instance, from where the app can pass the token along to your backend API in an additional request header. This provides proof of authorization from the Approov service that the app is valid. The signing secret is never passed to the app itself, so the app can never manufacture its own valid tokens. As an additional security measure these tokens also have an expiry time of only a few minutes.
So once you’ve integrated Approov into your mobile app(s), you will need to integrate a check on your backend API to make sure that the Approov JWT being supplied is valid. This might be done in your server code itself, or perhaps in an API management layer that protects accesses before they even hit your servers. We have a variety of customers using various different methods, technologies and languages. We even have some customers doing the check in a CDN on the edge. Use of the industry standard JWT format makes this integration easy: there are a huge number of different JWT verification libraries, and HS256 is a very common signing algorithm.