Wed 07 February 2018 By Jae Hossell
Approov is first and foremost an API protection solution, however, while performing this task it also gives insight into the types and state of devices that are communicating with the protected services. For example, do you want to know the proportion of connections coming from unauthorised software: bots, scripts, or repackaged apps? Do you want to know if your communications are being intercepted, if the mobile device is rooted, if your app is running in an emulator, or if there is a debugger or framework attached? These types of questions can be answered with an Approov integration and you can even start getting at these nuggets before the end of your free trial.
One of our customers managed to go from initial contact to deployment in 8 days (you can read about their experience here). While that is not our typical evaluation-to-deployment timescale, it got me thinking about the most efficient path through the Approov onboarding process. It turns out that, with a little planning, that 8-day record could be cut significantly, and you could learn quite a bit about the activity on your API without giving us a cent. Here I give you my 5-step plan for making the most of your first month:
Demo download: Before signing up, get used to the Approov SDK by downloading the demo and going through the steps required to get the provided app up and running. Specifically, look at the code to see how to pin HTTPS connections with Approov and how to add tokens to API requests; the Approov docs can help with this too. Combine looking at the docs with steps 2 and 3; the more you understand before signing up to Approov, the quicker you will progress through the final integration.
App Integration Prep: Refactor a dev version of your published app to minimise the time for Approov SDK integration. The extent of the required changes will depend on the structure of your app but you should aim for the following:
- Factor out code for establishing connections and add the code necessary for Approov pinning. At this stage, unless you already have a pinning solution, build it to always behave as though the certs match.
- Factor out code for constructing API requests and add the code to include an Approov token. We would suggest that you add a custom header to your traffic to hold the Approov token; this approach typically keeps the server-side integration simple. As you have yet to complete integration, you should use a constant string in place of an actual token; any one will do.
Do this for Android and iOS if you want to support both platforms.
Server Integration: You now have everything in place to complete your server-side integration of Approov. Take a look through the server integration documentation which goes through the steps with examples in Python. The examples are easily adaptable to any language that has a JWT library; see the JWT homepage for a list of supported languages and also the useful JWT debugger for examining and constructing tokens.
Initially, you should not block based on the token. Instead set up your server-side to log (or better still: graph) successful and unsuccessful attestations. You should put in the code that allows you to enable blocking, but, apart from testing it, leave it disabled for now. To test it with your app, change the constant token it sends to be a valid/invalid JWT (using jwt.io to create the tokens with a secret you have made up and added to the server).
Note that it is also easy to create unit tests for your server that generate both valid and invalid tokens. Just create a function that uses the JWT library you downloaded to build tokens with the same structure as Approov tokens.
Warning: It is tempting to add a token generation capability to your app for testing. We strongly suggest that you never add code for this to a project that is also used in published apps. It is too easy to accidentally commit and then ship an app with the real secret embedded in it.
Approov Sign Up: Now you're nearly set to go live; you just need to link in the real Approov service, so:
- Start your free trial by signing up to Approov.
- Download the latest SDKs and the real secret from the admin portal.
- Add the SDKs to your apps and put in the calls for pinning your connections and grabbing a token. (Note that we have a simple cancel-any-time policy, which means there is no penalty or lock-in that prevents cancellation when SDKs are deployed in the field. Have a look at my last post for details on this.)
- Add the real secret to the token checking code in your server and test that everything is working together as expected.
- Deploy your new server and apps.
Please let the Approov Customer Service Team know when you intend to push the updated app into the wild. We like to keep an eye on new deployments to track their progress and make sure they're suitably provisioned.
You may need to force-update your apps to accelerate adoption and make the most of your new capability.
Monitor your API usage: When you initially deploy Approov we recommend that you keep your server monitoring traffic instead of blocking it, just like you did for testing. Doing it this way allows you to answer a few questions before blocking is enabled:
- What proportion of traffic has no token? After you have forced users to update, all legitimate installs of your app will be sending Approov tokens, so any remaining tokenless traffic on your API will be coming from bots, scripts, or repackaged and side-loaded apps.
- What proportion of traffic has bad tokens? Depending on your account settings, Approov can fail those devices using MITMed connections, devices with an attached debugger, devices with an active framework, and/or rooted or emulated devices. By changing the conditions that cause authentication failure, you can track what is happening in your apps and on your API.
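To make steps 3 and 5 concrete, here is an added example (not Approov's own code) of a server-side check that verifies an HS256 JWT with the standard library only, runs in the monitoring mode described above (count "missing", "bad" and "valid" outcomes, block only when told to) and includes the test-only token builder the text recommends for unit tests. It assumes an Approov-shaped token with an `exp` claim and a shared secret; the `Approov-Token` header name and the secret value are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time
from collections import Counter

# Constructed test secret; a real deployment takes the secret from the Approov admin portal.
SECRET = b"constructed-test-secret-not-a-real-approov-secret"
HEADER = "Approov-Token"  # assumed custom header name carrying the token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(secret: bytes, exp: int) -> str:
    """Test-only builder of an HS256 JWT with the assumed Approov shape (exp claim).
    Keep this in the server's test suite, never in an app project."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def classify_token(token, secret: bytes, now=None) -> str:
    """Return 'missing', 'bad' or 'valid' for the raw header value."""
    if not token:
        return "missing"
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return "bad"  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return "bad"  # wrong secret or tampered token
        if json.loads(_b64url_decode(payload)).get("exp", 0) <= now:
            return "bad"  # expired (or replayed) token
        return "valid"
    except ValueError:  # malformed base64, JSON or segment count
        return "bad"

def handle_request(headers: dict, secret: bytes, blocking=False, stats=None, now=None) -> int:
    """Monitoring mode only records the outcome; blocking mode also rejects non-valid tokens."""
    outcome = classify_token(headers.get(HEADER), secret, now)
    if stats is not None:
        stats[outcome] += 1
    return 401 if blocking and outcome != "valid" else 200

def traffic_breakdown(requests: list, secret: bytes, now=None) -> dict:
    """Step 5: fraction of requests with no token, a bad token, or a valid token."""
    stats = Counter()
    for headers in requests:
        handle_request(headers, secret, blocking=False, stats=stats, now=now)
    total = sum(stats.values()) or 1
    return {k: stats[k] / total for k in ("missing", "bad", "valid")}
```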
There you have it: an approach that will help you find out what's using your API before being charged for the account you create, and with a zero-cost cancellation flow. By making the most of the demo we provide, I am sure we will see deployments that occur in less than 8 days in the near future. Of course, once you start using Approov we don't think you will want to stop. Protecting your API from bad actors, reserving your cloud resources for your real users, securing their data, and protecting your revenue streams: what's not to love?
Want to know more?
This series of posts focuses on aspects of Approov that are sometimes misunderstood. If you have any issues you want clarified, then why not ask me a question from the contact us page. Otherwise, here are some links that you may find interesting: