
From Edinburgh to the World: Approov’s Mission to Secure Mobile Apps

Approov is an Edinburgh-based cybersecurity company specializing in mobile app and API security, integrating with CI/CD DevOps workflows.

This entry is part 7 of 7 in the series Showcasing Scotland's Digital Leaders

A flagship venture demonstrating the exciting innovation leadership of Scotland’s cybersecurity industry is Approov.

They recently raised £5m to scale their mobile app and API security technology amid rising AI-driven cyber threats, with backing from Maven Capital Partners, Souter Investments, and existing investors Lanza techVentures and Scottish Enterprise.

Headquartered in Edinburgh, Scotland, with a U.S. office in Palo Alto, California, Approov provides end-to-end protection from device to cloud, focusing on authenticating app instances to prevent unauthorized access by bots, scripts, or tampered apps.

The company serves industries such as eCommerce, financial services, healthcare, gaming, and connected cars, addressing threats such as reverse engineering, man-in-the-middle attacks, and API abuse.

Runtime Attestation

Its key features include dynamic runtime attestation, just-in-time secret delivery (which removes the need for API keys hardcoded into the app binary), and dynamic certificate pinning. Approov integrates with CI/CD pipelines, supports DevOps workflows, and offers real-time threat analytics.

Runtime attestation is a security process that verifies the authenticity and integrity of a mobile app and its device while the app is executing, confirming that neither has been tampered with or compromised. It relies on real-time checks that the app instance talking to an API is the genuine build, is running in a trusted environment, and has not been manipulated by an attacker (e.g., through reverse engineering and repackaging, execution under an emulator or debugger, or malware on the device).

Here’s how it typically works:

  • Device and App Verification: At runtime, the app presents a short-lived attestation token (a signed cryptographic proof) alongside its API request. The token is issued only after the app's code and configuration have been measured and the device environment inspected (e.g., OS, hardware, jailbreak/root status), so it stands for a measurement rather than a claim the app makes about itself.
  • Dynamic Checks: The API backend validates the token's signature and expiry before acting on the request. A valid token means the app is unmodified and correctly signed, and that it is running on a legitimate device rather than an emulator or otherwise compromised system.
  • Continuous Monitoring: Unlike static checks performed at build or install time, runtime attestation repeats continuously or at critical points (e.g., on each API request), so trust is re-established rather than assumed for the life of the session.
  • Response to Threats: If attestation fails (e.g., a tampered app or a malicious environment is detected), the server can block access, limit functionality, or raise an alert, stopping unauthorized API interactions at the API boundary.

Approov’s implementation uses dynamic runtime attestation to issue short-lived, cryptographically signed tokens, so that only verified app instances can reach protected APIs; bots, scripts, and repackaged apps cannot obtain a valid token. Because the attestation decision is not baked into the app binary, the approach can adapt to new threats without requiring app updates.
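As an added example, not Approov's code or API and not something the article describes in this detail, here is a minimal version of the exchange the bullets above outline, in Python. An attestation service measures the app and inspects its environment and, only if both pass, issues a short-lived HMAC-signed token, optionally bound to the user's session credential; the API backend checks signature, expiry and binding before serving the request. The shared secret, the expected app measurement, the claim names and the 300-second TTL are all hypothetical values chosen for the illustration.

```python
# Added example of a runtime-attestation token flow (not Approov's code).
# The signing secret is shared between the attestation service and the API
# backend; the mobile app never holds it, which is why nothing needs to be
# hardcoded into the app binary.
import base64
import hashlib
import hmac
import json
import time

ATTESTATION_SECRET = b"example-attestation-signing-secret"  # hypothetical
# Hypothetical measurement of the genuine build (constructed for this example).
EXPECTED_APP_MEASUREMENT = hashlib.sha256(b"genuine-build-1.2.3").hexdigest()
TOKEN_TTL_SECONDS = 300  # short lifetime limits replay of a captured token


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(app_id, app_measurement, environment,
                            bound_credential=None, now=None,
                            secret=ATTESTATION_SECRET):
    """Attestation service side: return a signed token, or None on failure.

    `app_measurement` is the hash the device-side check computed over the app
    code/config; `environment` carries the device signals (constructed dict).
    """
    if app_measurement != EXPECTED_APP_MEASUREMENT:
        return None  # repackaged or otherwise modified app
    if any(environment.get(k) for k in ("emulator", "rooted", "debugger")):
        return None  # untrusted runtime environment
    now = int(time.time()) if now is None else now
    claims = {"app": app_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    if bound_credential is not None:
        # Tie the token to the session credential so a stolen token cannot be
        # replayed with a different user's session.
        claims["bind"] = hashlib.sha256(bound_credential.encode()).hexdigest()
    header = _b64url(json.dumps({"alg": "HS256", "typ": "attest"},
                                separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"),
                              sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_attestation_token(token, presented_credential=None, now=None,
                             secret=ATTESTATION_SECRET):
    """API backend side: return (ok, reason_or_app_id).

    Order matters: check the signature before trusting any claim, then expiry,
    then the optional binding to the credential presented with the request.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".") if token else []
    if len(parts) != 3:
        return False, "malformed"
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return False, "bad-signature"
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "malformed"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if "bind" in claims:
        if presented_credential is None:
            return False, "binding-missing"
        digest = hashlib.sha256(presented_credential.encode()).hexdigest()
        if not hmac.compare_digest(digest, claims["bind"]):
            return False, "binding-mismatch"
    return True, claims["app"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    env_ok = {"emulator": False, "rooted": False, "debugger": False}
    tok = issue_attestation_token("com.example.shop", EXPECTED_APP_MEASUREMENT,
                                  env_ok, "Bearer sess-abc", now=t0)
    print(verify_attestation_token(tok, "Bearer sess-abc", now=t0 + 10))
    print(verify_attestation_token(tok, "Bearer sess-abc", now=t0 + 301))
    print(issue_attestation_token("com.example.shop", "0" * 64, env_ok, now=t0))
```

The backend never inspects the app itself; it only checks a signature over a measurement that was taken and signed elsewhere, which is what lets the trust decision be refreshed on every request and changed without shipping a new app build. The example uses a symmetric HMAC for brevity; a deployment in which many API backends verify tokens would normally use an asymmetric signature so that no backend can mint tokens.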


digitalscotland

Editor of DigitalScot.net. On a mission to build a world leading Scottish digital nation.
