Approov, creators of advanced mobile app and API shielding solutions, today introduced Approov Runtime Secrets Protection, enabling comprehensive protection of the API credentials and secrets that are typically targeted by threat actors for malicious exploitation.
Recent breaches have highlighted the risk of stolen keys and secrets being exploited by hackers. It is clear that such secrets are not being effectively protected at rest and in transit, resulting in bad actors acquiring them and exploiting them to access APIs and applications.
The wide use of third-party APIs by mobile apps adds another dimension to the problem. Mobile app developers can suffer both financial losses and brand reputation damage if they are seen to be the cause of 3rd party app breaches or service disruptions caused by Distributed Denial of Service (DDoS) attacks using stolen secrets.
Recent research from Osterman Research illustrates the extent of the issue:
“Upcoming Osterman findings show that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code,” Michael Sampson, senior analyst at Osterman Research, said. “These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be. The new functionality from Approov allows API keys to be managed and updated dynamically and ensures they are never extractable from the app. This is a major step forward in protecting APIs from abuse.”
Developers have frequently been urged not to store hard coded keys in a mobile app or device, but as the research shows this “best-practice” is not widespread, since up to now, there has been no easy way to conveniently store such secrets safely outside the app code.
Introducing Approov Runtime Secrets Protection: Just in Time Keys Secrets That Thwart Mobile API Attacks
This is why Approov is releasing new functionality in Approov 3.0 which addresses this issue by making management of API keys and other secrets easy and secure, at rest, or in transit.
Approov Runtime Secrets Protection manages and protects all the secrets a mobile app uses. The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment has passed attestation. This ensures that sensitive API secrets are not being continuously stored or delivered to unsafe places, such as fake apps or into malicious hands.
All secrets are stored by the Approov cloud service and are easy to manage dynamically. If changes to these are needed, they are easily and immediately changed across all deployed apps, preventing abuse.
This approach marks a major improvement over keys that are hard coded in the app itself, because should those keys be “leaked” the app must be updated with an entirely new version – a process which is complex and time-consuming, and involves juggling new and old keys during the time it takes for the installed base to be transferred to the new version.
Doğan Bolak, CTO of social investment innovator Invstr, said, “We love the way Approov protects both our app and the APIs we use. Our customers need to be confident that our service is secure and Approov delivers that. We are very happy with the technology and support we get from them. Approov Runtime Secrets Protection delivers the important ability to turn static keys into dynamic keys and updates them ‘at the flick of a switch’ which means that 3rd party APIs are no longer open to abuse even if secrets do get in the hands of bad guys.”
Approov Runtime Secrets Protection eliminates the need to include secrets in the mobile app code at all, completely eliminating any risk of extraction through code analysis, as well as the risk of exposure through accidental source code repository leaks. Additionally administration is easy: Approov allows secrets to be dynamically updated in the field with no need to issue app updates.
David Stewart, CEO, Approov, said: “Mobile apps and APIs are — now more than ever — the lifeblood of organizations large and small. Leaving secrets in apps or extractable via man-in-the-middle (MitM) attacks is like leaving your front door open to attackers, and organizations must act immediately to deploy secret shielding solutions. Relying purely on app hardening solutions that do not protect secrets in transit is like locking the front door while leaving the windows open. Approov Runtime Secrets Protection is the first solution to comprehensively shield secrets at rest and in transit, without any backend changes. It protects the full range of APIs that mobile apps now rely on, including previously unprotected 3rd party APIs.”
Join the live webinar from Approov on June 9th “Best Practices for Secure Access of 3rd Party APIs from Mobile Apps” which will discuss the reputational and financial risks associated with API use and how to mitigate those risks. Sign up here.
Pricing and Availability
The pricing of the Approov solution is designed to be completely aligned with your business growth, based on the number of genuine active apps in a monthly billing period. Approov 3.0 is available now.