CriticalBlue Launches Approov, Next Generation Mobile API Abuse/Misuse Prevention System

SAN JOSE, California, December 13, 2016 /PRNewswire/ --

CriticalBlue, expert in binary level analysis and optimization, today announced the immediate availability of Approov, raising the bar significantly in protecting mobile APIs against scraping, fraud and other malicious activities. With Internet traffic shifting rapidly from web to mobile, enterprises are naturally eager to keep consumers engaged through enhanced functionality in their mobile apps. As a result the API between the mobile app and enterprises' backend assets has become an attractive target for bad actors. Time and again, basic encryption and embedded secrets have proven to be insufficient barriers against automation scripts and hackers.

According to Gartner Inc.^[1],"Through 2019, the majority of mobile security breaches will be exploiting vulnerabilities in the communication of apps with the server." Thus the level of protection of their APIs will determine the resilience of an enterprise's mobile business against external disruption. Approov goes beyond the arms race mentality of using behavioral analysis trained by historical data to detect suspect activity. Instead, Approov adopts a positive approach by identifying good traffic via a cloud based software authentication service. Unlike existing solutions the security is not wholly dependent on secrets embedded inside the app but instead uses a dynamic measurement at of the app environment at runtime to guarantee its integrity. Coupled with a simple integration approach, Approov delivers a new level of protection with negligible development or operational overhead.

Strong Adoption in Markets where Bot Activity is a Known Issue 

The simplicity of integration alongside the strength of mobile app and API protection delivered by Approov has encouraged a broad spectrum of interest in deployment of the solution across the finance, retail, gaming, media, travel and betting sectors.

"At the Racing Post we've historically had problems with data scrapers on our site and have relied on 'after the fact' mechanisms such as IP blocking.  We are now on the precipice of exposing our API to the general public, and we are understandably reticent given the value of our data," commented Steven Puddephatt, Business Solutions Architect, Racing Post. "We searched the market and only Approov offered the strong mobile app authentication and security we required.  We set CriticalBlue a challenge of making it work in a server-less environment in AWS using Lambda functions, which they did in under a week.  We are now very confident we can launch a public facing API without fear of unauthorized access."

Software Authentication for Mobile API Protection 

Protecting server digital assets while preserving a frictionless user experience is of vital importance in mobile business. From the server's perspective, knowing which customer is sending the traffic is important but it can only get the complete picture if it is also known what software is sending the traffic. Approov authenticates that the traffic is coming from the untampered mobile app through the encrypted transmission of one-time, time limited, IP address bound JWT tokens signed by a secret known only to the backend server and the Approov cloud service. Reverse engineering the mobile app, tampering with it, scripting API traffic generation or employing a man-in-the-middle attack will all result in failed authentication and blocked communication.

"We have analyzed Approov for both its cryptography strength and also for an initial penetration test," stated Bill Buchanan, Professor of Computing, The Cyber Academy, Edinburgh Napier University. "The current system has very good levels of assurance which provide significantly reduced risk within the key application areas."

[1] Gartner, "Securing Mobile App Back Ends", 15 November 2016, ID: G00271223

Disclaimer 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Approov 

Approov is a cloud service which verifies the authenticity of a mobile app instance and securely communicates the verdict to your backend server using industry standard JWTs. This establishes positive trust between your server and app with no impact on user experience. Approov consists of three elements:

• A library to be included in your mobile app
• An app authentication cloud service (can be on premises)
• A token check function for your server

For more technical information, pricing details, or to sign up for a free trial, visit http://www.approov.io

About CriticalBlue 

CriticalBlue enhances software performance and security of its customers' products. Patented binary level dynamic analysis technology underpins the delivery of tools and services offerings.

For more, visit http://www.criticalblue.com or @critblue

Contact: David Stewart, +1-408-573-3609

SOURCE CriticalBlue