Approov Runtime Secrets Protection protects mobile app secrets, prevents API key and credential theft, blocks mobile app DDoS attacks

New research findings from Osterman Research reveal a massive and highly exploitable mobile API attack surface. Approov's new release dynamically manages and protects all API credentials for mobile apps, keeping them secure and protecting apps against attacks.

Approov, creators of advanced mobile application and API shielding solutions, today introduced Approov Runtime Secrets Protection, enabling comprehensive protection of credentials and API secrets that are commonly targeted by threat actors for malicious exploitation.

Recent breaches have highlighted the risk of stolen keys and secrets being exploited by hackers. It is clear that these secrets are not effectively protected at rest and in transit, resulting in malicious actors acquiring and exploiting them to gain access to APIs and applications.

The widespread use of third-party APIs by mobile apps adds another dimension to the problem. Mobile app developers can suffer both financial loss and brand reputation damage if they are found to be the cause of third-party API abuse or of service disruptions caused by distributed denial of service (DDoS) attacks that use stolen secrets.

Recent research from Osterman Research illustrates the magnitude of the problem:

“Osterman’s upcoming findings show that mobile apps rely on more than 30 third-party APIs on average, and that half of the mobile developers we surveyed still store API keys in app code,” said Michael Sampson, senior analyst at Osterman Research. “These two elements together constitute a massive attack surface that malicious actors can exploit. And third-party API threats against mobile applications are not as well understood by enterprises as they should be. The new Approov feature allows API keys to be dynamically managed and updated and ensures that they are never extractable from the application. This is a major step forward in protecting APIs against abuse.”

Developers have often been told not to store hard-coded keys in an application or on a mobile device, but as the research shows, this “best practice” is not widespread, because until now there was no easy way to store these secrets securely outside of the application code.

Introducing Approov Runtime Secrets Protection: just-in-time secret keys that thwart mobile API attacks

That’s why Approov is releasing a new feature in Approov 3.0 that solves this problem by making it easy and secure to manage API keys and other secrets, at rest or in transit.

Approov Runtime Secrets Protection manages and protects all secrets used by a mobile application. The Approov cloud service provides “just-in-time” secrets to the application only at the moment they are required to make an API call, and only when the application and its runtime environment have passed attestation. This ensures that sensitive API secrets are neither stored permanently on the device nor delivered to dangerous places, such as bogus applications or malicious hands.

All secrets are stored by the Approov cloud service and are easy to manage dynamically. If changes are needed, they are easily and immediately changed in all deployed applications, preventing abuse.

This approach marks a major improvement over keys that are hard-coded into the application itself, because if those keys leak, the application must be updated with a completely new version, a process that is complex and time-consuming, and that involves juggling new and old keys while the installed base migrates to the new version.
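The following is an added illustration of the model described above, not Approov's own code and not a description of its implementation: an attestation service signs a short-lived token only for an app instance whose measured runtime state matches a known-good value, a secrets service releases the current API key only to bearers of a valid, unexpired token, and rotating the key in the vault takes effect on the next fetch without any app release. All keys, hashes, names and timestamps are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for the illustration only.
ATTEST_SIGNING_KEY = b"constructed-attestation-signing-key"
TOKEN_TTL_SECONDS = 60
KNOWN_GOOD_APP_HASH = hashlib.sha256(b"genuine-app-v1").hexdigest()


@dataclass
class AttestationToken:
    app_id: str
    expires_at: int
    signature: str


def _sign(app_id: str, expires_at: int) -> str:
    msg = f"{app_id}|{expires_at}".encode()
    return hmac.new(ATTEST_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def attest(app_id: str, measured_hash: str, now: int):
    """Issue a short-lived token only if the measured app matches the known-good build."""
    if not hmac.compare_digest(measured_hash, KNOWN_GOOD_APP_HASH):
        return None  # tampered or repackaged app: no token, hence no secrets
    expires_at = now + TOKEN_TTL_SECONDS
    return AttestationToken(app_id, expires_at, _sign(app_id, expires_at))


def token_valid(token, now: int) -> bool:
    """Check signature and expiry; the client is untrusted, so verify everything server-side."""
    if token is None or now >= token.expires_at:
        return False
    return hmac.compare_digest(token.signature, _sign(token.app_id, token.expires_at))


class SecretsService:
    """Holds the live API secrets; nothing is ever baked into the app binary."""

    def __init__(self):
        self._vault = {}

    def set_secret(self, name: str, value: str) -> None:
        # Rotation point: every later fetch sees the new value immediately.
        self._vault[name] = value

    def fetch(self, token, name: str, now: int) -> str:
        if not token_valid(token, now):
            raise PermissionError("valid attestation required")
        return self._vault[name]


def demo() -> dict:
    """Run the four cases a practitioner cares about and return the outcomes."""
    svc = SecretsService()
    svc.set_secret("weather_api_key", "KEY-v1")
    now = 1_700_000_000

    genuine = attest("app-1", hashlib.sha256(b"genuine-app-v1").hexdigest(), now)
    tampered = attest("app-2", hashlib.sha256(b"repackaged-app").hexdigest(), now)

    results = {"genuine": svc.fetch(genuine, "weather_api_key", now)}

    try:
        svc.fetch(tampered, "weather_api_key", now)
        results["tampered"] = "released"
    except PermissionError:
        results["tampered"] = "denied"

    # Rotate the secret centrally; the next just-in-time fetch gets the new key.
    svc.set_secret("weather_api_key", "KEY-v2")
    results["after_rotation"] = svc.fetch(genuine, "weather_api_key", now + 5)

    # A stale token unlocks nothing, so a captured token has a bounded lifetime.
    try:
        svc.fetch(genuine, "weather_api_key", now + TOKEN_TTL_SECONDS + 1)
        results["expired"] = "released"
    except PermissionError:
        results["expired"] = "denied"

    return results


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the binary carries no API key at all: a leaked token is bounded by its TTL, a tampered build never obtains a token, and a compromised key is replaced by a single vault update rather than an app release.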

Doğan Bolak, CTO of social investment innovator Invstr, said, “We love how Approov protects both our app and the APIs we use. Our customers need to be confident that our service is secure and Approov provides that. We are very happy that Approov Runtime Secrets Protection offers the important ability to turn static keys into dynamic keys and update them “in a jiffy”, which means that third-party APIs are no longer open to abuse, even if the secrets should fall into the wrong hands.”

Approov Runtime Secrets Protection eliminates the need to embed secrets in mobile application code, completely eliminating any risk of extraction by code analysis, as well as the risk of exposure by accidental source code repository leaks. Plus, administration is easy: Approov allows secrets to be dynamically updated in the field without the need to release application updates.

David Stewart, CEO of Approov, said, “Mobile apps and APIs are – now more than ever – the lifeblood of organizations large and small. “Man-in-the-middle” (MitM) is like leaving your front door open to attackers, and organizations must act immediately to deploy secrets protection solutions. Apps that don’t protect secrets in transit are like locking the front door while leaving the windows open. Approov Runtime Secrets Protection is the first to comprehensively protect secrets at rest and in transit, without any backend modifications. It protects the full range of APIs that mobile apps now rely on, including previously unprotected third-party APIs.”

Upcoming webinar

Join Approov’s live webinar on June 9 “Best Practices for Securely Accessing Third-Party APIs from Mobile Applications”, which will discuss the reputational and financial risks associated with using APIs and how to mitigate these risks. Register here.

Price and availability

Pricing for the Approov solution is designed to be fully aligned with your business growth, based on the number of genuine active applications during a monthly billing period. Approov 3.0 is available now.

About Approov

Approov solutions help stop API abuse at the edge and prevent security breaches in mobile channels. As more and more enterprises move towards digitization and future-ready services that use mobile API connections, properly securing these connections may be overlooked or not fully implemented against all possible threats, exposing organizations and their users to breaches, fraud, denial of service, and other forms of API abuse.

Approov API Threat Protection provides an end-to-end, multi-factor mobile API security solution that complements identity management, endpoint, and device protection to lock down the correct use of APIs. It ensures that only safe and trusted applications running in secure environments can successfully and securely access an organization’s APIs, and blocks unauthorized access by attacker scripts, bots, and bogus or tampered applications.

Contact information:

Michael Sampson, Principal Analyst, Osterman Research: Contact Madison Alexander

Dogan Bolak, CTO, Invstr: Contact Madison Alexander

Links to additional resources:

Explainer: Threats to mobile apps and APIs

Explainer: The Approov Product Page

Casey J. Nelson