Approov is an API security solution used to verify that requests received by your API services originate from trusted versions of your mobile apps.
This repo implements the Approov API request verification for the AWS API Gateway, which performs the verification check on the Approov Token before allowing valid traffic to reach the API endpoint.
If you are looking for another Approov integration you can check our list of quickstarts, and if you don't find what you are looking for, then please let us know here.
You can learn more about Approov, the motives for adopting it, and more detail on how it works by following this link. In brief, Approov:
- Ensures that accesses to your API come from official versions of your apps; it blocks accesses from republished, modified, or tampered versions
- Protects the sensitive data behind your API; it prevents direct API abuse from bots or scripts scraping data and other malicious activity
- Secures the communication channel between your app and your API with Approov Dynamic Certificate Pinning. This has all the benefits of traditional pinning but without the drawbacks
- Removes the need for an API key in the mobile app
- Provides DoS protection against targeted attacks that aim to exhaust the API server resources to prevent real users from reaching the service or to at least degrade the user experience.
This is a brief overview of how the Approov cloud service and the AWS API Gateway fit together from a backend perspective. For a complete overview of how the mobile app and backend fit together with the Approov cloud service and the Approov SDK we recommend to read the Approov overview page on our website.
The Approov cloud service attests that a device is running a legitimate and tamper-free version of your mobile app.
- If the integrity check passes then a valid token is returned to the mobile app
- If the integrity check fails then a legitimate looking token will be returned
In either case, the app, unaware of the token's validity, adds it to every request it makes to the Approov protected API(s).
The AWS API Gateway ensures that the token supplied in the Approov-Token header is present and valid. The validation is done by using a shared secret known only to the Approov cloud service and the AWS API Gateway.
The request is handled such that:
- If the Approov Token is valid, the request is allowed to reach the API endpoint
- If the Approov Token is invalid, an HTTP 403 Forbidden response is returned
- If the Approov Token is missing, an HTTP 401 Unauthorized response is returned
The quickstart for the Approov integration with the AWS API Gateway gets you up and running with basic Approov token checking:
Bear in mind that the quickstart assumes that you already have an AWS API Gateway running, and that your are familiar with managing it. If you are not familiar with the AWS API Gateway then you want to follow instead the step by step AWS API Gateway Example to learn how to build one from scratch and integrate Approov on it.
If you need help to add Approov to the AWS API Gateway then please contact us here.
If you wish to explore the Approov solution in more depth, then why not try one of the following links as a jumping off point: