One of the major vectors for malware is by repackaging existing apps. Repackaged apps damage revenue streams and cause reputational damage. Approov stops repackaged apps accessing your online services by verifying that the app code has not been tampered with.
Studies show that one of the major threats to the security and integrity of the mobile ecosystem is malware posing as legitimate apps by altering and repackaging the genuine apps. These fake apps can contain malicious code with a variety of objectives:
Some of these threats are targeted at the owners of mobile devices, some at mobile app developers and some at the businesses at the end of the API. For example, many apps depend on ad revenue as their main income stream and fake apps which siphon off this revenue can be very damaging. If user credentials are compromised or if the fake apps appear to be ad-infested or power hungry then this reflects negatively on the mobile app developer. Fake apps may also access the web services used by the genuine app, such as analytics, usage information or scoring for online games. This data then becomes polluted and is not useful for real app users or the businesses providing the web services.
Approov is a way to prevent successful repackaging of apps which use web services to provide some of their capabilities. In a process analogous to user authentication, the Approov SDK integrates with the app and provides a mechanism to verify the authenticity of the code being used to access an API. By positively identifying traffic from genuine apps, attempts to use the API from repackaged apps or other unofficial clients can be blocked. Fake apps are simply unable to access any of the features provided by the app servers and fail to work.
By using Approov to identify legitimate apps, API producers can gain confidence that the software being used to access their servers does not have malicious intent. Approov implements an additional layer of security for API servers and is a more robust method of gating access compared to API keys. It also allows for specific versions of software to be positively identified and granted access to an API. This can be useful in areas with strict regulatory constraints such as healthcare and banking.