Approov
Approov is a mobile app security solution that ensures the integrity and authenticity of mobile apps and their interactions with APIs.
Category | API Security |
---|---|
This page updated | a month ago |
Pricing Details | Contact for pricing details. |
Target Audience | Mobile app developers, security teams, and organizations looking to secure their mobile applications. |
Approov is designed to ensure the integrity and authenticity of mobile apps and their interactions with APIs, particularly in the face of evolving threats such as tampered apps, bots, and Man-in-the-Middle (MitM) attacks.
The technical architecture of Approov revolves around a comprehensive attestation process that verifies the integrity of the app, device, communication channel, and credentials. This is achieved through a dynamic Runtime Application Self-Protection (RASP) mechanism that continuously secures the app and its environment. Approov's solution includes fine-grained device integrity checks, secure certificate-pinned TLS with dynamic pin updates, and frequent app authentication for strong user and API authorization.
Operationally, Approov integrates with various backend environments, including AWS API Gateway, Azure API Gateway, Cloudflare Worker, and NGINX Plus, among others. This integration allows for a single control point to enforce security policies, blocking unauthorized traffic such as bots and tampered apps before they reach the APIs. Approov also supports over-the-air updates for instant reactions to new threat intelligence and manages API secrets and certificates in the cloud, ensuring they are delivered just-in-time to attested apps.
Key technical details include the use of industry-standard JWTs for attestation tokens with short expiry lifetimes and support for various signing algorithms. The platform also offers role-based CLI tools, team member role management, and CI/CD automation token integration. Approov's binary analysis expertise enables a deterministic approach to threat detection, ensuring low latency and high performance without relying on AI-based behavioral solutions.
However, there are operational considerations such as the need for continuous monitoring and the potential for increased complexity in managing the attestation process across multiple platforms. Additionally, the cost of retaining and managing large volumes of threat analytics data can be significant, especially for apps with a large user base.