apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps by Pearce Erensel (Approov)
Download as PPTX, PDF0 likes81 views
Why an SDK is Needed to Protect APIs from Mobile Apps Pearce Erensel, Global VP of Sales at Approov Mobile Security apidays New York 2025 API Management for Surfing the Next Innovation Waves: GenAI and Open Banking May 14 & 15, 2025 ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/
apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps by Pearce Erensel (Approov)
- 1. Why A Mobile SDK is Needed to Protect APIs Pearce Erensel - Approov apidays New York May 15 2025
- 2. 2 Adoption of APIs and API Security Firewalls IP Whitelists Limited API Visibility WAFs API Gateways Rate Limiting WAF Integration Bot Mitigation Web API Security DDos Mobile First Focus Mobile SDK Deployment Mobile RASP Multi-Channel API Security
- 3. 3 Large App Sec Vendors Focus ● Gartner WAAP Vision - Web Application and API Protection ● Web and browser focus ● Large vendors have built out web app and API protection ○ F5 bought Volterra (API Security) and Shape (Bots). ○ Akamai bought Noname and Neossec (API Security). ○ Imperva bought Prevoty (RASP), Distil Networks (Bots) and Cloudvector (API Security). ○ RADware bought ShieldSquare (Bots). ● Continued their focus on perimeter ● False positives from backend-only bot detection ● Mobile threats pass unnoticed.
- 4. 5 The Mobile Issue The threat is real: Kahoot!, Starbucks, T-Mobile,... Common Mobile to API Attacks ● Repackaged apps bypass restrictions ● Emulators to scale attacks ● Man-in-the -Middle to extract API keys and secrets ● Automation tools for script- based abuse ● Credential Stuffing via the API
- 5. 6 Why Mobile SDKs are Critical for API Security ● Mobile apps are easily modified, run in hostile environments. ● Automated tools can mimic valid traffic. ● Backend API security has no visibility into mobile threats. No amount of backend analysis can detect if the device was rooted, if the app has been modified, or if sensitive secrets are being exfiltrated. A Mobile SDK Can Add the Missing Context ● Verify that the app has not been modified or repackaged. ● Ensure the device is not rooted/jailbroken, running on an emulator, or tampered with. ● Continuously attest the runtime environment using trusted hardware or integrity checks. ● Bind requests to the genuine app using cryptographically signed tokens (e.g., JWTs). ● Block automated tools like Frida, Magisk, Xposed before they even touch the API.
- 6. 7 Types of Mobile SDKs 1. User Behavior Signals – CAPTCHA, gesture tracking 2. Software and Device Identity Signals
- 7. 8 Behavioural Signals How It Works 📦 Based on browser techniques ️ 🖱️ Tracks key clicks, touch events, movements and timing 🧠 Tries to differentiate humans from bots using behaviours Behavioural signals are helpful- but unreliable on their own. Mobile attestation offers deterministic verification. Challenges & Limitations 📊 Large volumes of data 🤷 Ambiguous results 🧮 ML/AI decisions lack transparency 🚫 Frequent false positives/ negatives 😡 User friction damages experience
- 8. 9 Software and Device Signals What They Detect 🔓 Rooted/Jailbroken device 🐞 Presence of problematic software 🎯 Consistent and deterministic identification of threats How to Evaluate 🧩 Platform coverage – Supports iOS, Android, HarmonyOS 🔍 Breadth of environment checks carried out ️ 🎛️ Fine-grained OTA policy setting 🚀 Addresses emerging issues Understanding Mobile Threat Signals and What to Look for in a Solution
- 9. 10 Concerns About Mobile SDKs Concern Best Practice SDK Complexity Frustrates Developers Choose an SDK that's easy to integrate and test SDK Security Choose a hardened, tested, SDK from a reputable vendor SDK Impacts App Size and Performance Choose a lightweight SDK that's easy to integrate one time in your app New versions of apps needed when something changes Ensure dynamic cloud updates of policies, pins and keys SDK can be manipulated Ensure validation takes place safely off-device More security team overhead to manage false positives Choose deterministic measurements Isn't Firebase App Check or Safety Net good enough Multi-platform SDK provides consistent best-in-class protection across all devices
- 10. 11 Effective App and Device Attestation 1 2 3 4 Register new app releases SDK collects and sends app and device integrity measurements Cloud service checks measurements and sends JWT to app Signed short-lived JWT token indicates if app and device validly attested APIs Cloud Validation SDK
- 11. 12 Extending Attestation to Secret Protection 1 2 3 4 5 Backend verifies API key Management of API Keys SDK collects and sends app and device integrity measurements Cloud service checks measurements and delivers API Key to app Just-in-time delivery of API keys from validated apps ● Just-in-time delivery of secrets to mobile apps, only when needed and only if app is safe ● Dynamic and secure cloud management of secrets ● Prevents abuse of secrets stolen from any source ● Must works with owned and 3rd party APIs APIs SDK Cloud Validation
- 13. 14 Conclusion - API Protection Including the Mobile Channel ● Use WAAP for web, Integrate SDK for mobile protection. ● Choose an SDK that continuously collects comprehensive deterministic context about the app and device ● Easy to integrate mobile contextual signals into any backend API security solution ● Quickly and effectively block mobile attacks ● Stop bots that shift from web to mobile
Editor's Notes
- #1: This short video gives an overview of how Approov works to protect apps and APIs
- #2: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #3: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #4: Total API Traffic Growth (% of Internet Traffic) This curve is an approximation based on: Akamai State of the Internet Report (2022–2023): API calls make up over 80% of web traffic today, growing steadily over the last decade. (Source) Postman State of the API Report (2023): Organizations are deploying APIs at scale with accelerated volume growth in public and internal APIs. Gartner Research: By 2025, 95% of web apps will be API-first. Cloudflare Radar & F5 reports: API-driven traffic has grown from ~20% in 2014 to 70–80% by 2023. 📱 Mobile-Originating API Traffic Estimates Estimated curve for mobile-originating API traffic is based on: Akamai and F5 Observations: Mobile apps now contribute more than 50–60% of API traffic in many consumer verticals. Google Firebase Trends (2022): Majority of usage in services like Gmail, YouTube, Maps occurs via mobile apps. Cloudflare and Imperva Reports: Bot traffic often targets mobile APIs; mobile devices generate the bulk of user-side API requests. Mobile App Indexing Reports (Statista, Sensor Tower): Correlation between mobile usage growth and API call volume supports an estimated 10–15% annual growth in mobile API share since 2010. ⚙️ Assumptions for Visual Estimation Year-over-year growth rates are smoothed for illustrative clarity. 2025 projection is conservative at ~80% mobile-originating share of total API traffic in mobile-heavy industries (fintech, e-commerce, media). Data is representative of global trends, though individual industry/application cases may vary significantly.
- #5: Total API Traffic Growth (% of Internet Traffic) This curve is an approximation based on: Akamai State of the Internet Report (2022–2023): API calls make up over 80% of web traffic today, growing steadily over the last decade. (Source) Postman State of the API Report (2023): Organizations are deploying APIs at scale with accelerated volume growth in public and internal APIs. Gartner Research: By 2025, 95% of web apps will be API-first. Cloudflare Radar & F5 reports: API-driven traffic has grown from ~20% in 2014 to 70–80% by 2023. 📱 Mobile-Originating API Traffic Estimates Estimated curve for mobile-originating API traffic is based on: Akamai and F5 Observations: Mobile apps now contribute more than 50–60% of API traffic in many consumer verticals. Google Firebase Trends (2022): Majority of usage in services like Gmail, YouTube, Maps occurs via mobile apps. Cloudflare and Imperva Reports: Bot traffic often targets mobile APIs; mobile devices generate the bulk of user-side API requests. Mobile App Indexing Reports (Statista, Sensor Tower): Correlation between mobile usage growth and API call volume supports an estimated 10–15% annual growth in mobile API share since 2010. ⚙️ Assumptions for Visual Estimation Year-over-year growth rates are smoothed for illustrative clarity. 2025 projection is conservative at ~80% mobile-originating share of total API traffic in mobile-heavy industries (fintech, e-commerce, media). Data is representative of global trends, though individual industry/application cases may vary significantly.
- #6: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #7: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #8: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #9: Approov has a unique and patented approach to stop attackers using any of these attack surfaces at run time
- #11: The obtained Approov token is added automatically as a header to the outgoing API request, which is sent. The same Approov token may be used for up to 5 minutes (as long as no change in the environment is detected) to avoid further communication with the Approov cloud. Pinning of TLS connections is managed automatically by the Approov dynamic pinning functionality, so that no Man-in-the-Middle interception is possible.
- #12: Approov runtime secrets protection works in a similar way. Rather than hard coding these into your app, where they are always vulnerable to reverse engineering extraction, an app protected by the Approov SDK simply obtains them at runtime from the Approov cloud service. Approov only provides API keys if and only if integrity checks pass. This ensures that sensitive API secrets are not being continuously stored or delivered to unsafe places, such as fake apps or into malicious hands. Approov can secure and manage any secrets that an app needs, including API keys for third party applications. Outgoing requests that may contain the secrets are pinned, ensuring they cannot be extracted by a Man-in-the-Middle attack. Secrets can be rotated easily as needed, without the need to update the app. This eliminates the risk of secret exposure damaging your business.
- #13: Most customers use a cloud service or WAF in front of application servers. Most of these support JWT token integration. In this example we integrate with Cloudflare API Shield On the Left hand side we add the configuration - effectively the JWT secret to API Shield. on the right hand side we select the endpoints to be protected and whether we want to block or log non validated requests. With these steps completed Cloudflare API Shield is now using Approov to validate every request.
- #14: In summary, Approov adds advanced runtime security to your apps and all the APIs they employ. Approov protects your mobile apps from being modified, prevents any manipulation of the client environment, keeps your APIs safe, secrets secure, and protects the communications channel to the server. Approov is easy to deploy and operate and identifies valid traffic with precision and accuracy, meaning that there are no false positives to manage.
- #15: Contact us for a free review of your mobile app security