Review of Approov for Mobile API Security

Unfortunately, the reality of mobile apps is that at some point, someone is going to try to do something they’re not allowed to. Whether this is through brute-forcing keys, spoofing identities, or simply issuing distributed attacks across the application’s server dependencies, the threat to public-facing APIs in the mobile space is real, dangerous, and often inefficiently mitigated.

This poor mitigation largely comes out of the fact that many API developers are expert developers or marketers rather than security professionals — and while they may indeed have some inkling of the threats their APIs face, they often underestimate the scope.

Thankfully, there are third-party solutions that developers can tie into for increased security against these attacks. One such technology is Approov, published by CriticalBlue. Today we’re going to take a look at this solution, identify the use cases that would justify integrating it, and assess the efficacy of what is on offer.

What is Approov?

Approov is an interesting take on the problem of API security, implemented through live communication between the client and a server rather than through protection built into the app alone. To understand why their approach is novel, we must first understand the current approaches taken by other solutions, and why they fail.

The lion’s share of anti-tampering solutions have focused on the concept of “baking in” protection. While this initially seems a fair solution — after all, what’s better for locking a door than attaching a bolt and shackle directly to it? — it glosses over quite a big part of the average application’s functionality.

While securing the app internally within the code might secure the app itself, and encrypting traffic secures the transmission of data, nothing is done to prevent eavesdropping and spoofing.

You can scramble this data, sure, and you can even implement token passing systems for a modicum of security to prevent spoofing, but you will always have three points of failure — the application issuing the request, the medium through which the request is handled, and the server authenticating on the other side. Should any of these fail, security is broken.

That is the common proactive approach. There is, however, an entire field of reactive technologies that use analytics to dictate the response. This has been called many things: CriticalBlue calls it “big data analytics”, while white papers from hardware vendors often refer to it as “behavioral analytics”.

Whatever this approach is called, it uses the fundamental nature of data — that is, relative comparisons between data points — to track long-term behaviors, establishing a baseline of trusted function and behavior and rejecting any deviations from this stock behavior.

And that’s a perfectly fine approach, save for the fact that it requires deviations to occur for them to be blocked, and requires excessive computational power to identify these deviations quickly enough to respond, and accurately enough to be less visible to the consumer.

With the rise of cloud computing, some of the issues with this solution have been negated — but too often we must still wait for a problem to occur before fixing it.

The Approov Trinity

Approov handles things a little differently. Instead of pushing a token through an encrypted pipeline to authenticate the specific user (as is often the solution implemented by developers in the modern era), their tokens instead rely on authenticating the source.

What this means is this — instead of saying “yes, this user is authorized to do what they’re trying to do, go ahead”, the Approov solution instead says “yes, this request is from an authorized application on an authorized device”.

While this might seem like a minor difference, it is very, very significant. By authenticating the source rather than the user, you maintain both the authentication and authorization of the user and the integrity of the application making the request by choosing only specific applications that can do the function you desire.

Think of it this way — imagine a road that only allows cars due to weight limitations and restrictions. At the start of this road, you have a guard inside a locked shack who stops drivers and looks to see if they’re ok to go through. The drivers show their license to a closed circuit camera for verification from the guard inside the shack.

In the classic solution, the guard would check their driver’s license to ensure they have a stamp from their local authority to drive. This is a problem, because that stamp can be easily spoofed — and if the guard only cares about the stamp and can never see around the license in the camera to verify the type of vehicle, a trucker could very easily stamp their own license and spoof as if they were a car.

Approov essentially makes the license itself a token. By being able to present the license in the first place, the guard knows they have already been pre-approved, as the local council would never approve a license to drive for a vehicle that did not meet the standards. The license is very special — unlike the stamp, which can simply be copied — and proves they came from an authorized source.

So how does Approov do this?

Cloud Authentication

One of the great features of Approov is that it handles the app requests and authenticity grading via a cloud service. They use a challenge-response protocol to do so, and specifically a protocol that requires the interaction to be live and unique.

This is beneficial for a number of reasons. First and foremost, supporting authentication through the cloud reduces the load on the application itself that would typically be part and parcel of a “baked in” solution. Off-loading this functionality to an external server in a secure manner lightens the load on the user’s device in terms of application size, processing time and bandwidth.

[Diagram of the three actors within Approov mobile API security]

Secondly, cloud authentication is inherently more secure than hardware authentication in this format. While the inverse would typically be true — that is, hardware is typically more secure than over the air — because the challenge-response protocol insists on live interaction, the only way to break this structure is to change the data for authentication on the device. And because this authentication data does not actually reside on the device in a pre-approved manner, and is interacted with live, so-called “replay” attacks are prevented.
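To make the “live and unique” property concrete, here is an added illustration of a nonce-based challenge-response exchange. It is not Approov’s protocol or SDK code; the service, the shared secret and the identifiers are constructed for the demo. It shows the two things the paragraph relies on: a captured answer is useless once its challenge has been consumed, and a stale challenge is rejected even with a correct answer.

```python
"""Nonce-based challenge-response sketch (added example, not Approov code).

The verifier issues a fresh random challenge per attestation; the client must
answer it live; the challenge is consumed on first use, so a recorded answer
cannot be replayed. APP_SECRET stands in for whatever secret a real
attestation service would share with a registered app build (constructed).
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

APP_SECRET = b"demo-app-build-secret"  # constructed demo value


class AttestationService:
    """Verifier side: hands out one-time challenges and checks the answers."""

    def __init__(self, secret: bytes, ttl_seconds: int = 30):
        self._secret = secret
        self._ttl = ttl_seconds
        self._open: Dict[str, float] = {}  # nonce -> issue time, unanswered only

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # 128 random bits, unique per request
        self._open[nonce] = time.time()
        return nonce

    def verify(self, nonce: str, response: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        issued = self._open.pop(nonce, None)  # pop: a nonce is usable once
        if issued is None:
            return False  # unknown, or already consumed (replayed capture)
        if now - issued > self._ttl:
            return False  # challenge expired before the answer arrived
        expected = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_answer(secret: bytes, nonce: str) -> str:
    """Client side: prove possession of the secret over this nonce only."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo_roundtrip() -> Dict[str, bool]:
    """Honest answer passes; the same capture replayed fails; wrong secret fails."""
    svc = AttestationService(APP_SECRET)
    nonce = svc.challenge()
    answer = client_answer(APP_SECRET, nonce)
    first = svc.verify(nonce, answer)
    replay = svc.verify(nonce, answer)  # identical bytes sent a second time
    nonce2 = svc.challenge()
    forged = svc.verify(nonce2, client_answer(b"wrong-secret", nonce2))
    return {"first": first, "replay": replay, "forged": forged}


def demo_stale() -> bool:
    """A correct answer delivered after the TTL is still rejected."""
    svc = AttestationService(APP_SECRET, ttl_seconds=1)
    nonce = svc.challenge()
    return svc.verify(nonce, client_answer(APP_SECRET, nonce), now=time.time() + 60)


if __name__ == "__main__":
    print(demo_roundtrip(), demo_stale())
```

The replay defence lives entirely in the verifier: because the nonce is popped on first use and was never pre-shared with the device, there is no stored “approval” on the handset for an attacker to lift and resend.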

Lightweight Application Functionality

While the processing itself is lifted from the shoulders of the app, there is always necessarily going to be a piece that resides in the app itself to jumpstart the authentication. Failure in this realm would all but negate the benefit of cloud computing.

Thankfully, the methodology that Approov uses is tied into a very lightweight, agile SDK library. Having a lightweight solution for starting the authentication process, delivering the token, and receiving the token is key to the low latency of this solution, and is fundamental to both speed and efficacy in terms of volumetric attack negation.

The big positive for this library is that it’s unique — the Approov cloud service generates the library uniquely, preventing spoofing from one library to another. Establishing an “official” library and basing all future interactions on whether or not the libraries match is as good a security solution as you can ask for.

Lightweight Server Functionality

Rounding out the trinity of benefits is the fact that the code integrated into the server for authentication is similarly simple and lightweight. Code volume as well as efficacy is important to how seamless an experience is, and keeping the load light is incredibly important.

Not only is the code lightweight, it’s straightforward for most applications — the token is a standard JSON Web Token, and thus plays nice with most codebases straight out of the box.
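As an added illustration of what “plays nice with most codebases” means on the server side, here is a minimal HS256 JSON Web Token check written with only the Python standard library. This is not Approov’s server code and makes no claim about its token format beyond the page’s statement that it is a standard JWT; the signing secret, claims and clock value are constructed for the demo. It shows the checks a backend performs before trusting a token: pin the algorithm, verify the signature in constant time, then enforce expiry.

```python
"""Minimal HS256 JWT verifier for an API backend (added example, not Approov code).

TOKEN_SECRET is a constructed demo value standing in for the secret shared
between the token issuer and the API server. mint_token exists only so the
demo can produce tokens to verify offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

TOKEN_SECRET = b"demo-jwt-signing-secret"  # constructed demo value


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Issuer side (demo only): header.payload.signature, HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(secret: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    The algorithm is pinned to HS256 rather than read from the header, so a
    token claiming 'none' or another algorithm is refused outright.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature does not match: tampered or wrong key
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, non-ASCII segment
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or passed expiry
    return claims


def demo() -> Dict[str, bool]:
    """Which tokens an API server would accept, using a fixed constructed clock."""
    now = 1_700_000_000
    good = mint_token(TOKEN_SECRET, {"iss": "demo-attester", "exp": now + 300})
    expired = mint_token(TOKEN_SECRET, {"iss": "demo-attester", "exp": now - 1})
    tampered = good[:-4] + "AAAA"  # corrupt the tail of the signature
    return {
        "good": verify_token(TOKEN_SECRET, good, now) is not None,
        "expired": verify_token(TOKEN_SECRET, expired, now) is not None,
        "tampered": verify_token(TOKEN_SECRET, tampered, now) is not None,
        "wrong_key": verify_token(b"other-secret", good, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the verification would sit in request middleware so that every protected route sees only requests carrying a valid token; the point here is that a standard JWT needs nothing more exotic than an HMAC, a constant-time comparison and a clock.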

Additional Benefits

There is something to be said for the additional benefits coming out of the Approov approach, and more than anything, this is perhaps where this solution really shines.

By basing their servers on Amazon Web Services and depending on cloud computing, Approov can be easily scaled to various levels and in various global locales, reducing latency and reacting to increased traffic. This scaling is key to surviving certain kinds of attacks, because even the best authentication system can be overwhelmed and broken by sheer volume.

Well aware of this sort of vulnerability, Approov has also taken strides to ensure security by having third-party experts conduct penetration testing to try to break the system.

Integrating with Approov also has the added benefit of negating many of the issues that plague apps centered around spoofing. Redirected ad revenue, reverse engineering, and vulnerability discovery are all tamped down in a significant way.

Caveats

With all this being said, Approov is not a perfect solution, if only because there is no truly perfect, singular solution. Cloud-based authentication using device library tokens rather than user tokens is a novel approach, but it’s still an unproven one.

On paper, and through active testing, the solution has shown great promise — that being said, no one solution is going to be a magic bullet. While time will likely prove this to be the correct approach, especially considering the movement away from internal systems to external ones steeped in heavy encryption and secure protocols, the fact is that it’s still an unproven approach in terms of time and long-term use case.

There is of course the issue of price, as nothing with so many benefits comes free. While this cost could be argued to actually be a savings, especially when considering the potential lost revenue from ad redirection and spoofed access, for smaller apps, teams, and userbases, this might not be the best solution.

Increased security, stability of authentication, and securing the advertising stream have tremendous economic value. The technology is solid, but for apps starting off with their first hundred users, let alone their first 10k, this might be a tough sell.

Conclusion

So we come down to a simple suggestion — try out the service for yourself, and consider the possible savings of integration. If the cost can be justified then Approov is a powerful solution.

Its approach to securing applications in the mobile environment is novel, and the way CriticalBlue goes about this is perhaps one of the more secure ways of doing so. While using cloud services for authentication is often highly questionable, their implementation in this case looks rock solid.

In general, preventing the types of reverse engineering issues that Approov is designed to stop is vitally important — whether it be in a broad sense of securing user data on social accounts, or securing data and revenue streams in Pokemon Go. As hacking becomes more and more commonplace, and more funding is tied into systems that depend on secure interactions, Approov and solutions like it will only prove themselves more vital.

[Disclaimer: Approov did not sponsor this post, nor does Nordic APIs have any affiliation with CriticalBlue or Approov]