Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back everyone to another deep dive. This time we're
going exploring the world of mobile API and app security.
Speaker 2 (00:07):
Yeah, always a fun topic. It...
Speaker 1 (00:09):
Is. It really is, especially these days. I'm George, by
the way. I'm Sky. And Sky and I are going
to be your guides today. We've got a lot to uncover. So,
you know, for all those mobile developers out there working
across all the different platforms. We've got iOS, Android, even HarmonyOS.
Speaker 2 (00:24):
Flutter, React Native, yeah.
Speaker 1 (00:27):
Flutter, React Native, yeah. Making sure that your apps are
really talking to the back end securely. It's kind of
a big deal these days, right, it is. It's kind
of everything pretty much. So we're going to be zeroing
in on I guess you could call it a technique.
It's a pretty powerful one though. It's called client
software attestation. Okay. And to help us really get a
(00:48):
handle on all this, we're gonna be looking at a
company that's, well, I guess you could say they're leading
the pack when it comes to this stuff.
Speaker 2 (00:55):
Yeah, they've been at it for a while, actually they have.
Speaker 1 (00:58):
So I guess to kick things off, maybe we could
just you know, talk about the whole mobile security landscape
for a minute. You know what are some of the
things that that developers really need to be worried about
these days?
Speaker 2 (01:08):
Well, yeah, I mean mobile brings its own set
of challenges, right. So it's not just like, you know,
can somebody log in as a user that they shouldn't, right,
which is like, you know, that's your typical authentication concern,
right right, right, But it's like what if the app
itself has been you know, tampered with in some way,
and it's running on a device that's you know, maybe
(01:31):
it's been rooted or jailbroken, oh yeah, or you've
got these you know, sophisticated attacks you know that that
are coming from what appears to be like a legitimate
app instance, but actually it's been compromised. So
like, you know, your typical, you know, authentication protocols,
they're not going to really help you there, are they?
Speaker 1 (01:51):
No, they don't. They don't do much in that case
because you get like a valid user, right, but they're
running something that's well not quite what you intended.
Speaker 2 (02:00):
Not quite right. Yeah. It's like a like a big
hole in your security.
Speaker 1 (02:03):
Isn't it. It really is, it really is. So that
brings us to to this idea of client software attestation.
So what what is that like at its core?
Speaker 2 (02:15):
Okay, So it's all about you know, your back end
server actually verifying the integrity of the mobile app that's
trying to talk to it.
Speaker 1 (02:24):
Okay, so before it lets it in.
Speaker 2 (02:25):
Yeah, it's like it's like the server is saying, you know,
hold on a second, are you really the app that
I'm expecting.
Speaker 1 (02:31):
Like a bouncer at a club?
Speaker 2 (02:33):
Yeah, exactly, okay, and you know it wants to do
that before you know, any sensitive data is you know
handed over or any you know, kind of important stuff happens.
So it's a lot. It's a lot more than just
you know, checking a user's log in, right, It's more like,
you know, it's not just about who the messenger is.
Speaker 1 (02:50):
It's all packaged.
Speaker 2 (02:51):
Yeah, it's like, you know, is the is the vessel
that's carrying the message the real deal?
Speaker 1 (02:56):
Oh okay, yeah, so you know, making sure that nothing's
been messed with, right, got it? Okay, So now we've
mentioned this company, Approve. They're they're doing some really interesting
things in this space.
Speaker 2 (03:10):
They are. Yeah, they're kind of pioneers, i'd say, you know,
yeah in this whole attestation thing.
Speaker 1 (03:16):
Yeah, you know, and they've got a patent to prove
it too.
Speaker 2 (03:18):
They do. It's US patent 11,163,858 B2.
Catchy title. Yeah, rolls right off the tongue.
Speaker 1 (03:29):
But what they're doing, you know, it's it's pretty serious stuff.
They're they're all about making sure that mobile apps are
you know, running safely.
Speaker 2 (03:35):
Yeah, that they can be trusted you know, by the
by the back end, that.
Speaker 1 (03:39):
That trust is there. Yeah, right, So how do they
make that happen? What's the secret sauce?
Speaker 2 (03:44):
Well, the really cool thing is that they use you
know some really you know high tech cryptography stuff. Oh okay,
you know, combined with like runtime security checks that are
happening all the time.
Speaker 1 (03:55):
So it's not just like a one time thing, no.
Speaker 2 (03:57):
It's it's constantly checking, you know. And all of this
is managed through you know, a cloud based service. And
for developers, you know, they've got these you know, nice
lightweight SDKs that they can integrate into their apps, and
they've got them for you know, Android iOS.
Speaker 1 (04:14):
Yeah, the usual suspects.
Speaker 2 (04:15):
Yeah, the usual and even you know HarmonyOS.
Speaker 1 (04:18):
Oh wow, HarmonyOS too. Huh. That's that's impressive.
Speaker 2 (04:22):
Yeah, they're covering a lot of ground.
Speaker 1 (04:24):
They are, they are. So it seems like Approov
has been thinking about this problem for quite some time.
Speaker 2 (04:29):
Oh yeah, yeah, I mean they were doing this way back,
you know, like twenty sixteen.
Speaker 1 (04:35):
Wow, that's like ancient history in the tech world.
Speaker 2 (04:38):
Yeah, pretty much.
Speaker 1 (04:39):
So that was even before you know, Apple and Google
started getting serious about this stuff.
Speaker 2 (04:43):
Right with their own you know, native solutions.
Speaker 1 (04:46):
Yeah. Yeah, App Attest, Play Integrity API, all that jazz.
Speaker 2 (04:49):
Exactly.
Speaker 1 (04:50):
So given that Approov has this kind of head start,
what what does that mean? You know, are their advantages
to their approach compared to just relying on those native tools?
Speaker 2 (04:59):
Oh, there are definitely. I mean, especially when you start
thinking about, you know, devices that are rooted or jailbroken.
Speaker 1 (05:04):
Oh yeah, those are always tricky, right.
Speaker 2 (05:08):
You know those native solutions, you know, they can be
bypassed in those environments sometimes.
Speaker 1 (05:12):
Oh that's not good, not good.
Speaker 2 (05:13):
But Approov, they've designed their tech to handle those, you know,
those tougher situations. Okay, So it's a it's a more
robust security layer, you know, across different platforms and you know,
different device states.
Speaker 1 (05:26):
It sounds like a more universal shield exactly.
Speaker 2 (05:29):
Yeah, and and potentially a stronger one too.
Speaker 1 (05:32):
Okay, so I guess now we're all wondering, you know,
how does it actually work?
Speaker 2 (05:36):
Yeah? How does this magic happen?
Speaker 1 (05:38):
Yeah? The nuts and bolts.
Speaker 2 (05:39):
So it all starts, you know, with the developer integrating
the Approov SDK into their app. Okay, and when that
app wants to you know, chat with your API back
end send a message, right. Yeah, the SDK it does
a little you know.
Speaker 1 (05:57):
Integrity check, make sure everything's kosher.
Speaker 2 (05:59):
Yeah, on the app itself and you know where it's running.
And this check it involves like a little back and
forth with Approov's cloud service. Okay, they're working together,
you know, analyzing things and they're looking for you know,
red flags.
Speaker 1 (06:13):
Like what kind of red flags?
Speaker 2 (06:14):
Well, you know, is it running on one of those
you know, rooted or jail broken devices. Is it like
a copied or tampered version, a fake basically, yeah exactly.
Or are there you know sneaky little tools you know
hanging around, like snooping tools. Yeah, yeah, trying to you know,
mess with things.
Speaker 1 (06:32):
So if any of that stuff is found, what happens.
Speaker 2 (06:35):
Well, the API request it's stopped dead in its tracks
like a brick wall. Yeah, pretty much. And on top
of all that, they've got this thing called dynamic certificate pinning.
Speaker 1 (06:45):
Okay, now that's a mouthful.
Speaker 2 (06:47):
It is, it is, but it's important, right. So unlike
static pinning, which can be a real pain to manage,
dynamic pinning lets the server tell the app you know, hey,
these are the good certificates right now, okay, and that,
you know, really strengthens your defenses against those man in
the middle.
Speaker 1 (07:02):
Attacks, right because the app knows who to trust exactly.
Speaker 2 (07:06):
Yeah, it's like, you know, only talk to the real deal.
Speaker 1 (07:08):
So it's like a double check on top of everything else.
Speaker 2 (07:10):
Yeah, pretty much. It's all about layers you know.
Speaker 1 (07:12):
Okay, yeah, layers of security makes sense. But okay, all
of this sounds great in theory, but is it actually
making a difference out there in the real world.
Speaker 2 (07:21):
Oh it is absolutely, I mean Approov, they've got some
big name clients, you know, really like in all sorts
of industries, you know, fintech, healthcare, you name it, that's
his stuff. Yeah, high stakes, and they're reporting some pretty
amazing results, like you know, over ninety five percent reduction
in API attacks.
Speaker 1 (07:42):
Wow, ninety five percent, that's huge.
Speaker 2 (07:44):
Yeah, it is, and they're preventing you know, all sorts
of nasty stuff. Like what? Bot attacks, man-in-the-middle exploits,
you know, app tampering.
Speaker 1 (07:53):
So it's a it's a pretty comprehensive solution, huh, it
really is.
Speaker 2 (07:56):
Yeah.
Speaker 1 (07:56):
Okay. And they're not just you know, protecting a handful
of apps. This is like a large scale deployment.
Speaker 2 (08:02):
Right right, Yeah, they're talking about millions of app users millions. Yeah,
and in over thirty countries, so.
Speaker 1 (08:08):
It's not just you know, one little corner of the.
Speaker 2 (08:10):
World, No, it's global.
Speaker 1 (08:12):
This is this is a big deal. Okay. So you know,
I'm curious, are there are there any specific examples of
how companies are, you know, putting Approov to work, you know,
solving their own you know, unique security problems.
Speaker 2 (08:31):
Oh yeah, yeah there are. Like, for example, you've got
the BMW.
Speaker 1 (08:35):
Group, BMW the car company.
Speaker 2 (08:37):
Yeah, the one and only. Wow, they're using Approov to
secure their you know, car sharing platform okay, for those
you know, factory ready vehicles right right. And it's it's
pretty clever actually because it provides that security right.
Speaker 1 (08:50):
From the get go, so it's like built in security.
Speaker 2 (08:52):
Yeah, okay, make things a lot simpler.
Speaker 1 (08:54):
Right, you don't have to worry about you know, retrofitting
later on.
Speaker 2 (08:57):
Yeah, exactly.
Speaker 1 (08:58):
So that's pretty cool. What about, like in e commerce,
are there any, you know, e-commerce companies using Approov?
Speaker 2 (09:04):
Oh yeah, there's DeinDeal. They're a pretty big,
you know, e-commerce platform in Switzerland, and they found
that Approov was a really, you know, easy way to
secure their API driven platform, right.
Speaker 1 (09:18):
Because those are kind of those are becoming more and
more popular these days.
Speaker 2 (09:21):
Yeah, they are. But they had a problem you know,
when they were you know, moving from their web platform
to, you know, mobile APIs, they kind of lost some
of that you know context that they used to have,
which helped them you know, spot and block you know
those automated.
Speaker 1 (09:36):
Bots, right, the pesky bots, right.
Speaker 2 (09:38):
But Approov helped them get that back.
Speaker 1 (09:40):
Okay, so they restored that visibility exactly. Yeah, that's pretty neat.
What about you know, fintech. You know that's another area
where security is you know obviously.
Speaker 2 (09:49):
Paramount. Oh, absolutely, yeah. And there's a company, Papara. They're
they're a fintech company that's, you know, growing really fast,
and they implemented Approov, okay, and they saw like
a like a massive drop in their fraud.
Speaker 1 (10:03):
Costs? Really? Like how much? Like, wow, ninety percent in
just a month. That's that's incredible. So it's like a
real you know, bottom line impact.
Speaker 2 (10:13):
Oh yeah, absolutely.
Speaker 1 (10:14):
So it sounds like, you know, it's not just about
you know, the technology working, it's also about you know,
how easy it is for companies to actually use.
Speaker 2 (10:22):
It, right. The user experience is important too.
Speaker 1 (10:25):
Yeah.
Speaker 2 (10:25):
Yeah, and you know what, a lot of Approov's customers
they say that it's really straightforward to you know, integrate
the SDK, okay, and they're they're seeing you know, real
security improvements without having to you know, completely revamp.
Speaker 1 (10:40):
Their back end, right, so no major surgery required.
Speaker 2 (10:43):
Yeah exactly, and you know it doesn't it doesn't mess
with the user experience.
Speaker 1 (10:47):
Either, Okay. So it's it's a win win, you know, yeah,
pretty much security and usability. But are there are there
any, like, you know, independent reviews of Approov?
Speaker 2 (10:56):
Oh yeah, there have been. There have been several, and
you know, they've really highlighted Approov's strengths, you know,
in protecting apps, especially on those you know, rooted or
jailbroken devices, right, the tricky ones where you know, those
native solutions they can sometimes struggle.
Speaker 1 (11:14):
Okay, so Approov's holding its own.
Speaker 2 (11:16):
Yeah. Yeah, they're doing really well.
Speaker 1 (11:18):
That's great to hear. And I hear they've even won
an award recently.
Speaker 2 (11:21):
Yeah, they did. They won the Cyber Innovation Award. Wow,
at the twenty twenty five Scottish Cyber Award.
Speaker 1 (11:27):
That's that's a pretty big deal. So who are they
up against?
Speaker 2 (11:31):
Oh, some some pretty tough competition. You know, you had
Lloyd's Banking Group, Morgan Stanley, True Deploy.
Speaker 1 (11:39):
Wow, those are some serious players.
Speaker 2 (11:41):
Yeah, and PACE Anti-Piracy Europe Ltd.
Speaker 1 (11:45):
So it's not like they were, you know, competing against amateurs.
Speaker 2 (11:48):
No, not at all.
Speaker 1 (11:49):
So what did Approov's CEO have to say about, you know,
winning this award?
Speaker 2 (11:53):
Well, Ted Miracco, he's the CEO.
Speaker 1 (11:56):
He was.
Speaker 2 (11:56):
He was really pleased, of.
Speaker 1 (11:57):
Course, right as you would be.
Speaker 2 (11:59):
And he said, you know that it really you know,
shows how dedicated they are to you know, making mobile
more secure. Yeah, you know, for everyone, for both businesses
and users exactly.
Speaker 1 (12:10):
Yeah, it's good to see that, you know, that innovation
is being recognized.
Speaker 2 (12:15):
So let's shift gears a bit, okay and talk about
how a technology like Approov, you know, fits in
with all the regulations that are coming out these days,
you know, stuff like the EU's Digital Markets Act and
the UK's Digital Markets, Competition and Consumers Bill.
Speaker 1 (12:31):
Yeah, yeah, those are big ones.
Speaker 2 (12:33):
They are, they are. So how does Approov kind of
align with with those goals?
Speaker 1 (12:39):
Well, you know that those regulations they're all about making
you know, digital ecosystems more secure, right right, and more competitive.
You know, they wanted to kind of break the grip
that some of the big platform providers have.
Speaker 2 (12:53):
Right, create a more level playing field exactly.
Speaker 1 (12:55):
And Approov's technology, it really supports that, you know, because
it gives you this, you know, strong security mechanism that
isn't tied to you know, just Apple or Google's way
of doing things.
Speaker 2 (13:06):
Right, So it's like platform agnostic.
Speaker 1 (13:07):
Yeah exactly. So developers can you know, potentially distribute their
apps and you know, all sorts of different ways, okay,
and still be confident that you know, their apps are.
Speaker 2 (13:15):
Secure and their user's data is protected right right.
Speaker 1 (13:19):
So it's like it opens up you know, more possibilities, you.
Speaker 2 (13:21):
Know, Yeah, it does, and it kind of helps you know,
level the playing field a bit, right, So.
Speaker 1 (13:26):
Everybody's got a chance to you know, play the game.
Speaker 2 (13:28):
Fairly exactly. Yeah.
Speaker 1 (13:29):
Now, I know that the UK's DMCC Bill,
it had a lot of you know support from different groups,
it did.
Speaker 2 (13:36):
Yeah. I mean Michelle Donelan, you know, the UK Secretary
of State for Science, Innovation and Technology, she was a
big fan. She talked a lot about how the bill
would you know, encourage innovation, right, and.
Speaker 1 (13:47):
The Coalition for App Fairness they were also on board.
Speaker 2 (13:50):
Oh yeah, they were all for it. I mean they're
all about, you know, tackling the power of Apple and
Google right, right, So they saw this bill as a
way to you know, do just.
Speaker 1 (13:58):
That, okay, and did Approov's CEO weigh in on this
at all.
Speaker 2 (14:02):
He did. Ted Miracco, he said that the bill is
a really important step, you know towards fair competition and
more innovation in the.
Speaker 1 (14:11):
Mobile app world, which would be good for you know,
smaller developers especially.
Speaker 2 (14:15):
Yeah, yeah, exactly, and security companies like Approov, right.
Speaker 1 (14:19):
So, you know, it seems like Approov isn't just, you know,
solving a technical problem. They're also you know, kind of
pushing for positive change in the whole industry.
Speaker 2 (14:27):
Yeah, it's like they're trying to make the whole ecosystem better. Yeah, exactly,
so I guess to wrap things up, let's go back
to Approov's patent for a second.
Speaker 1 (14:36):
Okay.
Speaker 2 (14:37):
You know, that US patent 11,163,858 B2, the
famous patent. Yeah, the one we all know and love.
What does it really tell us about, you know,
Approov's place in all of this?
Speaker 1 (14:50):
Well, you know, the patent was granted in twenty twenty one, Okay,
but they actually filed for it way back in twenty fifteen.
Speaker 2 (14:57):
Wow, So they were thinking about this, you know, years ago.
Speaker 1 (15:00):
Yeah, they were ahead of the curve. They saw these
problems coming, you know, before most people even knew they existed.
Speaker 2 (15:05):
Wow. So the patent really shows that Approov is a
you know, a true innovator in this space.
Speaker 1 (15:10):
Yeah, they're they're the real deal.
Speaker 2 (15:12):
Okay, Well, this has been a really fascinating deep dive.
Speaker 1 (15:14):
Yeah. It has you know, into the world of mobile
app security and what Approov's doing with their client
software attestation technology. It's clear that, you know, keeping mobile
apps secure, it's not an option these days. No, it's a
must-have, it's essential. Yeah, and technologies like Approov,
they're really leading the way.
Speaker 2 (15:34):
Yeah, they're setting the bar high.
Speaker 1 (15:36):
They are, so, you know, I guess for all of
you listening out there, Yeah, you know, think about how
you can use these techniques, you know, in your own
development work. How can you make your apps more secure?
Speaker 2 (15:48):
How can you build that trust you know with your users.
Speaker 1 (15:52):
Yeah, it's all about trust at the end of the day,
it really is. And remember, you know, things are changing
all the time in this field.
Speaker 2 (15:58):
Yeah, fast moving targets.
Speaker 1 (16:00):
So stay informed, stay curious, keep learning. That's the best
way to stay ahead of the bad guys.
Speaker 2 (16:05):
Yeah.
Speaker 1 (16:06):
Absolutely, And just a quick note, this deep dive was
based on you know, information from human sources, right, and
we had a little help from AI in putting it
all together. Yeah.
Speaker 2 (16:16):
AI was our assistant.
Speaker 1 (16:17):
Yeah, yeah, a little AI assistant. All right, that's it
for today. Thanks for joining us, and we'll see you
next time.
Speaker 2 (16:24):
See you later. Bye bye.