Managing the keys and secrets used by your apps to access multiple 3rd party APIs is a challenging problem. A common approach is to centralize keys on a proxy server and route all app traffic through it. Approov provides the vital App Legitimacy capabilities necessary to enable this solution effectively.
Useful apps are dependent on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and 3rd party APIs each with its own approach to access management and associated charges.
Most APIs require apps to present some sort of valid API key with each request to allow access. Failing to protect this key from misuse can have a number of consequences:
The API keys used by your apps can fall into the wrong hands in a number of ways. They can simply be extracted from the distribution package and redeployed in scripts, and it is not uncommon for keys to be accidentally uploaded by developers to public code sharing sites such as GitHub and Bitbucket.
To address both the security and management issues around keeping API keys safe, a common solution is to centralize use of keys into a single proxy server.
Introducing a proxy server for all API requests across your apps can simplify deployment significantly. All API calls from all apps are directed to the proxy server instead of going directly to 3rd party (and internal) APIs. The proxy service looks up the relevant API key and adds it to the request in the appropriate headers before forwarding it on to the required API. The app itself only ever needs to know the address of the proxy.
By removing API keys from the app there is no secret left in the package for an attacker to reverse engineer; pulling the app apart yields nothing more than the address of your proxy. This is far more robust than code obfuscation or app hardening techniques, which only raise the cost of extraction rather than removing the target. Server side assets are also easier to control and manage: keys can be rotated without shipping an app update, and for heightened security they can be encrypted at rest or even stored in a hardware security module.
Development is also simplified with the use of a unified API proxy. App developers, including 3rd parties and contractors, no longer need access to API keys directly, removing issues around security as well as key renewal and revocation. Where only a subset of a 3rd party API is used, a simplified version of the API can be presented to developers, reducing app complexity and increasing API security.
The remaining weakness in this strategy is that you still need to protect the API of your proxy server. The proxy adds the appropriate key to any request it accepts, so an attacker who can call it directly gets the benefit of every key it holds without ever extracting one. Since the whole point is to protect API keys by not deploying them in an app, it makes no sense to guard the proxy with a traditional static API key: that key would be extractable in exactly the same way.
Instead, Approov is deployed in the client side app. Rather than embedding another static secret, the app presents a token that attests its legitimacy, and the proxy checks that token before it forwards anything. This avoids the issues surrounding static API keys while giving your proxy server a highly reliable method of identifying requests from authorized apps, thus enabling a complete solution for API key protection.
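The following is an added example, not code from the page or from Approov, that sketches the whole flow described above: the proxy's key injection and API-subset filtering, and the app-legitimacy check that guards the proxy's own API. Everything concrete in it is assumed for the sake of a runnable demo: the service names, hosts, keys and path prefixes are constructed; the token is modelled as an HMAC-signed JSON payload with an expiry, issued by a hypothetical attestation service sharing a secret with the proxy; and the `Approov-Token` header name is assumed. The real Approov token format and verification details are not taken from this page.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key store and routing table: these live only on the proxy.
# (Hypothetical values; nothing here is shipped in the app package.)
API_KEYS = {
    "maps": "maps-key-1234",
    "weather": "weather-key-abcd",
}
UPSTREAMS = {
    # service: (upstream host, header that carries the key, allowed path prefixes)
    "maps": ("maps.example.com", "X-Api-Key", ("/v1/geocode",)),
    "weather": ("api.weather.example", "Authorization", ("/v2/current", "/v2/forecast")),
}
# Shared secret between the attestation service and the proxy (constructed).
ATTESTATION_SECRET = b"constructed-shared-secret-do-not-use"
TOKEN_HEADER = "Approov-Token"  # header name assumed for this example


def _sign(payload: bytes) -> str:
    mac = hmac.new(ATTESTATION_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(app_id: str, now: int, ttl: int = 300) -> str:
    """Mint an app-legitimacy token. In a real deployment only the attestation
    service does this, after checking the app; modelled here so the demo runs offline."""
    payload = json.dumps({"app": app_id, "exp": now + ttl}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, now: int):
    """Return the token's claims if the MAC is valid and it has not expired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def handle(service: str, path: str, headers: dict, now: int) -> dict:
    """Proxy entry point. Returns {"status": 200, "url": ..., "headers": ...} on success,
    or {"status": <error code>, "error": ...} when the request must be refused."""
    # 1. Refuse anything that cannot prove it came from a legitimate app.
    if verify_token(headers.get(TOKEN_HEADER, ""), now) is None:
        return {"status": 401, "error": "app legitimacy check failed"}
    # 2. Only route to services the proxy knows about.
    if service not in UPSTREAMS:
        return {"status": 404, "error": "unknown service"}
    host, key_header, allowed = UPSTREAMS[service]
    # 3. Expose only the subset of the upstream API the apps actually use.
    if not any(path.startswith(p) for p in allowed):
        return {"status": 403, "error": "path not exposed by proxy"}
    # 4. Copy the app's headers, dropping the legitimacy token (the 3rd party
    #    has no use for it) and any attempt by the caller to set the key header.
    out = {k: v for k, v in headers.items() if k not in (TOKEN_HEADER, key_header)}
    key = API_KEYS[service]
    out[key_header] = "Bearer " + key if key_header == "Authorization" else key
    return {"status": 200, "url": f"https://{host}{path}", "headers": out}


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("com.example.app", now)
    print(handle("maps", "/v1/geocode?q=Edinburgh", {TOKEN_HEADER: token}, now))
    print(handle("maps", "/v1/geocode?q=Edinburgh", {TOKEN_HEADER: "forged.token"}, now))
```

Two details are worth noting. The proxy strips the legitimacy token before forwarding, so the 3rd party never sees it, and it overwrites rather than merges the key header, so a caller cannot smuggle in a key of its own choosing. With the check in step 1 removed, every other step still works, which is exactly the problem: the proxy would hand out the benefit of its keys to anyone who could reach it.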