Approov on Thursday announced Approov 3.0, which aims to protect API keys and have them used only when a customer needs to make an API call.
David Stewart, Approov’s chief executive officer, explained that recent breaches have highlighted the risk of stolen keys and secrets being exploited by hackers. Such secrets are not always effectively protected at rest and in transit, resulting in bad actors acquiring them and exploiting them to access APIs and applications.
The wide use of third-party APIs by mobile apps adds another dimension to the problem, Stewart said. Mobile app developers can suffer both financial losses and brand reputation damage if they are seen as the cause of third-party app breaches or service disruptions caused by distributed-denial-of-service (DDoS) attacks using stolen secrets.
SC Media talked to Stewart on the company’s long history, how it came to focus on mobile APIs, and the importance of leveraging cloud technologies to better protect API keys and secrets for its customers.
Approov got its start in 2001. Can you give us a quick rundown of the company's past and how it has evolved over the years?
The company's origins are in deep inspection and optimization of software, right down at the hardware level. The techniques, patented intellectual property, and expertise we have developed over the lifetime of the company are all related to different applications of deep software analysis. In the past we have done a lot of services work for clients and about 10 years ago we were doing a lot of work on software optimization of Android code. Having completed these projects we saw an opportunity to apply our software analysis approach to create a mobile app attestation solution designed to secure end-to-end mobile first or mobile only businesses. At the time, we saw accelerated mobile adoption in many high-growth market sectors, but no security solutions to match. The Approov Mobile App Protection solution went live in late 2016.
Why the focus on mobile APIs? What's the business challenge you are looking to solve?
What we saw in 2013-14 was that mobile adoption was moving fast, but security approaches were not keeping pace. Worse than that, there was a blind spot. There were and are mobile app security solutions to protect the mobile app code 24/7, and there were also traditional network security solutions to protect API endpoints. In between these two solutions were the APIs, and nobody was protecting them. We set out to protect end-to-end mobile businesses by ensuring only genuine (attested) mobile apps could use the APIs, meaning that automated traffic from scripts and bots are blocked at the edge. In this way, businesses that rely on their mobile apps to interact with their customers can keep their operating costs, fraud costs, and data breach risks at minimum, without impacting end-user experience.
Can you explain how mobile APIs work and what people need to understand as to why they are important, especially in a mobile context?
APIs are the communications “glue” between one piece of software and another. In mobile this means the conduit between a mobile app, the device it runs on, and a back-end server or cloud service. Many people think that all API traffic can be treated equally, but it’s a well-understood concept in security that context is everything. Therefore, without understanding and verifying the nature of the remote client making the API request it’s near impossible to distinguish genuine API requests from automated impersonations. Mobile presents a special case because anyone can download and analyze mobile apps, and they contain helpful business logic and secrets, enabling bad actors to study API behavior closely and then build scripts capable of mimicking genuine app traffic. This includes valid credentials, such as API keys which they will either extract from the app code itself or intercept in transit on the API.
What is the importance of cloud in the mobile world, and the advantages a cloud solution brings to customers?
Approov consists of two parts. There’s the Approov SDK, which gets dropped into the mobile app code; and there’s the Approov Cloud Service, which operates as cloud-native technology. We think of the Approov Cloud Service as vital to the solution when you consider the nature of protecting mobile businesses. Nothing in the app or on the device can be trusted, so when considering the architecture of an end-to-end mobile protection system, two points become apparent as “must-have" characteristics: no secrets related to securing the mobile business should be stored in the mobile app; and no decision-making code should exist in the mobile app. If Approov secrets or decision-making code were present locally on the mobile device, threat actors would target them in the mobile app and manipulate them to their advantage. As a result, an off-device code entity is needed to manage the security process overall and to make decisions about the mobile app and its runtime environment — away from the app itself.
Please talk about the new product announcement and how it solves these mobile API challenges?
Approov 3.0, in addition to updated security mechanisms for the core mobile app attestation functions, contains a new capability to protect secrets such as API keys by preventing them from needing to be hardcoded into mobile apps. Approov Runtime Secrets Protection lets customers store these important secrets in the Approov Cloud Service, which has an over-the-air live connection to all deployed mobile apps. Therefore, we can deliver those secrets just-in-time when they are needed to make an API call — and only where Approov mobile app attestation has been successful. As a result, we no longer have to store hardcoded secrets in mobile apps. This has been a long-term problem for app developers who are often criticized for storing keys in mobile apps, but there have been very few obvious alternatives to doing it — until now.
What do the next three to five years look like for Approov? Is the strategy to grow through acquisition? Be acquired? Any plans to go public?
With the ongoing acceleration of mobile-related services and the continued low adoption of security best practices, we expect to grow significantly over the next three years. Our primary markets, within which there appears to be plenty of growth opportunity, are fintech, healthcare, retail and transportation. Geographically, we have historically seen most customer activity in North America and Europe. These areas are still growing, but we are now seeing increased activity in South America and Asia. Today, we are 10 people, but plan to reach 50 employees over the next three years. That said, we are a modern, online, SaaS business, so the primary headcount additions will come in engineering and marketing. It's clear that customers want security solutions that are effective, but also easy to deploy and manage so they don't need to become experts in the underlying technology. As a result, we are growing a company that delivers robust and resilient end-to-end mobile business protection with a simple deployment mechanism and alongside excellent and responsive customer support. We have existing investors who continue to support our expansion plans and expect to bring in new investors with the next 12 months. These conversation are already under way.
