Runtime Secrets Protection


Recent breaches have highlighted the risk of threat actors exploiting stolen API keys and secrets. Too often, developers store API keys in their code, increasing the potential for threat actors acquire them and exploit them to access APIs and applications.

Developers have frequently been urged not to store hardcoded keys in a mobile app or device, but research shows that best practices are not commonly followed. Because, up to now, there has been no easy way to store such secrets safely outside the app code conveniently, developers followed the path of least resistance.  

Just ahead of RSAC 2022, Approov, creators of advanced mobile app and API shielding solutions, announced Runtime Secrets Protection to shield mobile app secrets. The solution prevents API Keys and credentials theft and blocks mobile app DDoS attacks, enabling comprehensive protection of the API credentials and secrets.

Mobile apps’ wide use of third-party APIs exacerbates the problem. Mobile app developers can suffer financial losses and brand reputation damage if their customers and partners believe them to be the cause of breaches or service disruptions caused by Distributed Denial of Service (DDoS) attacks using stolen secrets.

Recent findings from market research and consulting firm Osterman Research indicate that contrary to coding best practices, a significant portion of developers continue to store API keys in their code. 

Michael Sampson, a senior analyst at Osterman Research, said, “Osterman findings show that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code.” Highlighting the dangers of this practice, he continued, “These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be.” 

Specifically addressing Approov’s Runtime Secrets Protection, Sampson said, “The new functionality from Approov allows API keys to be managed and updated dynamically and ensures they are never extractable from the app. This is a major step forward in protecting APIs from abuse.”

Approov is releasing new functionality in Approov 3.0, which addresses this issue by making management of API keys and other secrets easy and secure, at rest or in transit. 

Approov Runtime Secrets Protection manages and protects all the secrets a mobile app uses. The Approov cloud service delivers secrets “just-in-time” to the app only when required to make an API call and only when the app and its runtime environment have passed attestation. This timely and careful delivery of secrets ensures that sensitive API data is not continuously stored or delivered to unsafe places, such as fake apps or into malicious hands. 

Approov’s cloud service stores all secrets, and they are easy to manage dynamically. If changes to these are needed, they are easily and immediately changed across all deployed apps, preventing abuse. 

This approach marks a significant improvement over hardcoded keys in the app itself because should those keys be “leaked,” the developer must update the app with an entirely new version. This process is complex and time-consuming and involves juggling new and old keys during the time it takes for the installed base to be transferred to the latest version.  

Doğan Bolak, CTO of social investment innovator Invstr, said, “We love the way Approov protects both our app and the APIs we use. Our customers need to be confident that our service is secure and Approov delivers that. We are very happy with the technology and support we get from them. Approov Runtime Secrets Protection delivers the important ability to turn static keys into dynamic keys and updates them “at the flick of a switch,” which means that 3rd party APIs are no longer open to abuse even if secrets do get in the hands of bad guys.”

Approov Runtime Secrets Protection eliminates the need to include secrets in the mobile app code, eliminating any risk of extraction through code analysis and exposure through accidental source code repository leaks. Additionally, administration is easy: Approov allows secrets to be dynamically updated in the field with no need to issue app updates.

David Stewart, CEO, Approov, said: “Mobile apps and APIs are — now more than ever — the lifeblood of organizations large and small. Leaving secrets in apps or extractable via man-in-the-middle (MitM) attacks is like leaving your front door open to attackers, and organizations must act immediately to deploy secret shielding solutions. Relying purely on app hardening solutions that do not protect secrets in transit is like locking the front door while leaving the windows open. Approov Runtime Secrets Protection is the first solution to comprehensively shield secrets at rest and in transit, without any backend changes. It protects the full range of APIs that mobile apps now rely on, including previously unprotected 3rd party APIs.”

Upcoming Webinar 

Join the live webinar from Approov on June 9th, “Best Practices for Secure Access of 3rd Party APIs from Mobile Apps,” which will discuss the reputational and financial risks associated with API use and how to mitigate those risks. Sign up here.

Pricing and Availability

The pricing of the Approov solution is designed to be wholly aligned with your business growth, based on the number of genuine active apps in a monthly billing period. Approov 3.0 is available now.

About Approov 

Approov solutions help stop API abuse at the edge and prevent security breaches in mobile channels. With more businesses moving to digitalization and future-ready services that utilize mobile API connections, securing those connections properly can get overlooked or not fully implemented for all possible threats, exposing organizations and their users to breaches, fraud, denial of service, and other forms of API abuse.

Approov API Threat Protection provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device protection to lock-down proper API usage. It ensures that only safe and approved apps running in safe environments can successfully and securely access an organization’s APIs and turns away unauthorized accesses by attacker scripting, bots, and fake or tampered apps. https://www.approov.io/


Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.