Mobile first business relies on the unique data behind their APIs to provide them with an edge in the market place. Such valuable data is vulnerable to appropriation by 3rd parties, also wishing to profit from it, who will deploy automated systems (often bots) to scrape the API. Approov API protection is an effective anti-bot solution which ensures that only legitimate apps can access your API.
APIs provide an information rich and easy to traverse target for automated systems. The increasing size of the API economy results in these automated scraping systems being developed into highly sophisticated bots capable of executing various attacks including:
These automated systems are increasingly capable of detecting and sidestepping behavioral analysis based approaches for protecting APIs by adapting their behavior to appear human where necessary. This forces behavioral approaches to become ever more sensitive, increasing the false positive rate and therefore reducing effectiveness.
Enforcing access control with user accounts protected with reCAPTCHA style anti-bot protections may hamper fully automated exploitation of a system, but systems already exist for the bot to co-opt a human as required to get them past this obstacle.
Traditional API keys start to provide the right kind of protection but these are vulnerable to reverse engineering once the app containing them is published.
Approov provides a robust method for apps to positively identify themselves to your API allowing you to filter traffic to your service. Valid apps which are registered with the Approov Service are dynamically issued a short lived JSON Web Token (JWT) which is then sent with each request to your API. Traffic with valid JWTs is from known apps and can be prioritized.
Since Approov does not rely on embedded API keys there is nothing to be extracted and reused in automated systems. The Approov service will only grant tokens to unaltered, pre-registered apps preventing spoofing by automated scripts.
This positive identification approach, built on standard JWT technology, removes the possibility of false positives that behavioral approaches suffer from and is transparent to users. By using a simple JWT in the header, you have the flexibility to manage traffic in whatever way best suits your business needs. You can choose to block all unidentified traffic on the API, deprioritize it or simply monitor where it is coming from.