Approov enables software attestation for mobile apps. It allows your apps to uniquely identify themselves as the genuine, untampered software images you originally published. In exchange for this proof the app is granted a token which can then be presented to your API with each request. Your server side implementation can then differentiate between requests from known apps, which will contain a valid token, and requests from unknown sources, which will not.
Approov is comprised of three components which are integrated with your app and the servers providing the API.
Each component is straightforward to integrate into your software architecture and development flow. Once deployed, the Client SDK in your app can be called whenever the app makes an API request that should be protected. The client SDK typically has a valid token cached and will return it immediately, resulting in zero overhead for the majority of API accesses.
To mitigate theft, tokens have a very limited lifetime and the Approov SDK manages the token fetching and caching for you. This minimizes the complexity and latency when adding Approov to your app.
When the SDK requires a new token it begins the attestation process by requesting a random value (nonce) from the Approov Cloud Service which is used to seed the signature hash of the app. Running heavily obfuscated and defended code, the integrity of the Approov SDK itself is measured along with the rest of the app content. The combined cryptographic hash is sensitive to any change in the app or the code used to measure it. Since the hash is seeded with the nonce value it will always be unique and cannot be replayed by an attacker.
This resulting app signature is sent to the Approov Cloud Service as part of a token request along with other information about the app and the device it is running on. The cloud service then always responds with a signed JSON Web Token (JWT).
Since the Approov Cloud Service knows the contents of a registered good app it is able to perform the same calculation as the Approov SDK. If the app signature reported by the app is consistent with a registered app and all security checks pass, then the issued JWT will be signed with a secret associated with your account. Otherwise the JWT is not signed correctly. Since the app itself does not know the secret it does not know whether it passed or failed the integrity check, making it extremely difficult to reverse engineer the protocol.
The token is returned to your app whenever one of the fetchApproovToken calls is made to the SDK. Your app should then add the JWT base64 encoded string to the headers of any request to the API. Your API implementation can then check the validity of the token using one of the standard JWT libraries available for almost all platforms and the secret provided when you signed up to the Approov service.
Adding Approov API protection to your iOS or Android app is a straightforward process and can be easily integrated into most development flows.
Once you have set up your Approov Cloud Service account, you will be able to download a copy of the Approov SDK. The SDK handles all of the interactions with the Approov Cloud Service required to establish the authenticity of your app once it has been deployed.
Once the SDK is built into your app, tokens can be fetched using one of the tokenFetch calls available on the simple API provided by the SDK. A token can then be inserted into any suitable HTTP header field for each API request dependent via whichever framework you are using to communicate with your API.
Once the SDK has been hooked into your app you must register it with the Approov Cloud Service. This is done by running the registration tool downloaded from your Approov account with your library. The registration process generates the same signature for the app as the SDK does at runtime and is used as a basis for verifying that an attestation request comes from a genuine app.
Once registered with Approov, the app is published as normal. Since Approov checks for changes in the app’s signature to detect app repackaging, it is important to repeat the registration process every time you release a new version of the app. Approov supports multiple versions of the app being in circulation. You can remove app signatures from the Approov service at any time via your account, allowing you to tightly control which versions of the software can access your API.
Once the SDK has been integrated with your app and tokens are being added to your API request headers you need to modify your Server code to act upon this extra information.
How your Server side code treats tokens is entirely up to you. Approov gives you the flexibility to balance your security needs against API accessibility. Regardless of the action taken the token check is straightforward. Since the Approov token is in JWT format it can be interpreted using libraries available for the vast majority of server platforms and languages. All that is required is to test that the token is signed with the secret string provided with your Approov account.