We're Hiring!

Approov Blog
API (4)

Securing APIs in React Native

May 14, 2020

ShipFast and ShipRaider made a fresh appearance at the RSA Conference in late February 2020 in San Francisco. This time the focus was on API security for React Native Apps: Read Full Story

Quick Analysis: NHSX Contact Tracing App

May 11, 2020

When the NHSX contact tracing app was made available in the app stores last Thursday we decided to take a quick look at its operation and how the code has been put together. We used the Android version and the excellent MobSF tools to do our reversing analysis. On Friday the full source code of the app was also published on github. Read Full Story

Approov Backend Quickstarts

April 29, 2020

Photo by Ankush Rathi from Pexels Editor's note: This post was originally published in April 2020 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Approov lets your mobile app prove to a backend API that it really is the official mobile app making the call, and that it is not running in an environment that may be compromised. Only requests from the apps that you specifically allow can make successful requests. Read Full Story

Contact Tracing Apps: Privacy vs. Security?

April 16, 2020

Photo by Fusion Medical Animation on Unsplash Last Friday, there was an unusual joint announcement from Apple and Google providing details of a new phone API for Covid-19 contact tracing via Bluetooth. The protocol allows mobile phones to continually transmit Bluetooth advertisements to one another. This includes a proximity identifier derived from randomly generated keys that can be held secretly on each device. If a phone user is later diagnosed with Covid-19, they are able to upload the daily tracing keys for those days when they might have been infectious. Read Full Story

COVID-19 App User Anonymity Mandates App Authentication

April 4, 2020

With smartphone usage now a global phenomenon, mobile apps and connectivity are common denominators binding people the world over. And as the world’s nations grapple with the common dilemma of how to manage the ongoing pandemic of coronavirus or COVID-19, it’s little wonder that governments and health authorities across the planet are turning to mobile app technology as a weapon in their crisis management arsenal. Read Full Story

Let's Fight COVID-19 With Apps - Privately

April 3, 2020

Photo by CDC on Unsplash In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity. Read Full Story

Blockchain renders online votes immutable, including fake votes!

March 19, 2020

“It's the wave of the future,” declared the US State of West Virginia's Secretary of State of following a limited deployment of a blockchain-based voting app for the state's general midterm elections. For cybersecurity and election integrity advocates, however, the move was “an example of all the things states shouldn’t do when it comes to securing their elections.” Read Full Story

Approov Serverless Reverse Proxy in the AWS API Gateway

February 27, 2020

In my previous article, Using a Reverse Proxy to Protect Third Party APIs, I left you without a solution to secure the purple API key inside the mobile devices in the graphic above from being extracted by the bad guy wearing the orange hat. As promised I am going to show you in this article how you can implement a solution for it. Rather than securing the purple API key, wouldn’t it be better not to have it in the first place or at least to make sure that if it is extracted then it can’t be used at scale by malicious actors? Well that's what a Mobile App Attestation solution is for, and we will start this article by explaining what it is. Spoiler alert: it allows you to secure your API without needing to ship any type of secret inside your mobile app or, if you already have a secret in your mobile app, it allows you to ensure that the secret can’t be used to abuse your API. Read Full Story

Using a Reverse Proxy to Protect Third Party APIs

February 12, 2020

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app. Read Full Story

Addressing Vulnerabilities and Abuse for Comprehensive API Security

January 17, 2020

As APIs become a critical part of almost every business, the need to build a robust API security strategy grows infinitely. API calls account for 83% of web traffic, according to the Akamai 2019 [state of the internet] / security: Retail Attacks and API Traffic report. The largest API directory now lists nearly 22,000 public APIs, up from 12,000 in 2015. A majority of companies now consider APIs to be critical to business strategy and imperative for developing partner ecosystems, enhancing customer value and creating new revenue opportunities. Cloud Elements, in its third annual State of API Integration report, recently found that businesses planned to deploy an average of 18 new APIs in 2019, compared to just 11.5 in 2018. Read Full Story