Racing Post’s business relies on controlling access to its racing form data. Loss of that proprietary data means loss of customers and revenue. Approov was rapidly deployed to protect a new cloud-based mobile API from data scrapers and cloned apps, providing a secure basis for the creation of further digital products.
Racing Post are the authority on racing and betting in the UK. Their mission, says Stephen Gorton, Technical Solutions Architect, is to “transition from a traditional newspaper business to a multi-channel digital company who puts its customers at the heart of everything we do.” To date they have been very successful in achieving this transition. At the 2013 British Media Awards, in spite of strong competition from the many media companies who are also facing the challenges of transitioning to digital, the Racing Post’s mobile app was named Digital Product of the Year and the iPad Daily Edition won the Launch of the Year prize.
Building on this success, Racing Post are now focused on driving content sales and betting through their existing consumer products while growing a sustainable and strong B2B business, all through digital channels. Once this model is firmly established in the UK Racing Post will take advantage of being digital by taking their consumer offering international and broadening their coverage into other sports beyond horse and dog racing.
Given the value of their proprietary data it was unsurprising that the scrapers came knocking once Racing Post started to make their data available on the internet, even behind a private mobile API. The seriousness of losing customers and revenue was not underestimated and the pressure was on.
We have a substantial number of customers who use our iOS and Android apps for betting, Stephen explained.
We found that there were a number of Android app clones that were attempting to make use of our unique data. We also found a number of sophisticated data scrapers, trying to gather daily and historical information that we generate and make available solely to our app subscribers.
Worse still, the problem was growing. So Stephen’s group began looking for solutions.
We wanted to secure our data to the point where only our apps could seamlessly access it, but quickly deny any other unauthorized source from accessing our API data content.
The Racing Post engineering team developed several methods to limit the number of app clones, but found they could not lock down access to the level required to be certain that customers and revenue were retained.
We looked at various existing methods. However it was clear that any cloner or scraper with good knowledge and resources could get around these systems.
Once it became apparent that they would need outside help to tackle these sophisticated adversaries, Stephen turned to the market for a solution. It was already clear that Racing Post had a tough problem to solve and they struggled to find a commercial offering that could provide the level of security that they needed.
At around this time Approov was launched. Stephen takes up the story.
We came across approov.io, researched the system, looked at how it works, analysed its cost-base, ease of implementation into our iOS and Android app codebase, reviewed the documentation, and support processes. CriticalBlue’s Approov did everything we required. We did not find an alternative and we managed to successfully implement Approov inside this environment in a small amount of time.
Racing Post dropped the Approov SDK into their iOS and Android apps in the normal way. On the server side, their new API was built on AWS API Gateway, so the Approov token check was implemented in an AWS Lambda function and deployed as a custom authorizer for the API Gateway. Because the authorizer does nothing more than validate the token and return a policy, the API continued to handle up to 10,000 requests per second.
Once deployed as a custom authorizer, Approov allowed Racing Post’s API Gateway to recognise traffic from authorized apps and block all requests from data scrapers and cloned apps. This has been so effective that the number of rejected requests has greatly reduced over time, as people have given up trying to access the API illegitimately and moved on to easier targets.
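The following is an added illustration of the server-side piece described above, an API Gateway custom (Lambda) authorizer that checks an Approov token, written for this page rather than taken from Racing Post or Approov. It assumes, as Approov documents for its tokens, that the token is an HS256-signed JWT carrying an `exp` claim, verified with a base64-encoded secret shared with the Approov service; the sample secret, the `did` claim used as the principal, and the TOKEN-type authorizer event shape (token in `authorizationToken`, resource in `methodArn`) are assumptions for the demo. The `make_token` helper only exists so the check can be exercised offline; in production only the Approov cloud service mints tokens.

```python
"""Approov-style JWT check as an AWS API Gateway TOKEN Lambda authorizer.

Illustrative code, not Approov's or Racing Post's. Assumptions (not from the
page): tokens are HS256 JWTs with an `exp` claim, signed with a secret shared
with the Approov service; the authorizer is a TOKEN-type authorizer whose
identity source is the Approov-Token header, so the token arrives in
event["authorizationToken"].
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret for this demo only. Approov supplies the real one
# base64-encoded; decode it and load it from an environment variable or a
# secrets manager, never from source.
APPROOV_SECRET = b"sample-secret-for-demo-only-not-real"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_approov_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` has a valid HS256 signature and is unexpired,
    otherwise None. Every failure path returns a plain None so the caller can
    map it to a Deny without revealing which check failed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: alg=none or an asymmetric alg must never be
        # accepted by an HMAC verifier (classic JWT confusion bugs).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison, then parse claims only after the signature holds.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        exp = claims.get("exp") if isinstance(claims, dict) else None
        if not isinstance(exp, (int, float)) or isinstance(exp, bool):
            return None
        if (time.time() if now is None else now) >= exp:
            return None
        return claims
    except (ValueError, TypeError):
        return None


def _policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Authorizer entry point: Allow only when the Approov token verifies."""
    token = event.get("authorizationToken") or ""
    method_arn = event.get("methodArn", "*")
    claims = verify_approov_token(token, APPROOV_SECRET)
    if claims is None:
        return _policy("unauthenticated", "Deny", method_arn)
    # Assumed: a `did` (device id) claim; fall back to a fixed label if absent.
    return _policy(str(claims.get("did", "approov-app")), "Allow", method_arn)


def make_token(claims: dict, secret: bytes, lifetime_s: int = 300, alg: str = "HS256") -> str:
    """Mint a token for offline testing (constructed input). Only the Approov
    service mints real tokens; `alg` is a parameter so a mis-labelled header
    can be tested too."""
    header = {"alg": alg, "typ": "JWT"}
    body = {**claims, "exp": int(time.time()) + lifetime_s}
    head_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    arn = "arn:aws:execute-api:eu-west-1:123456789012:abcdef/prod/GET/racecards"
    good = make_token({"did": "device-1"}, APPROOV_SECRET)
    print(lambda_handler({"authorizationToken": good, "methodArn": arn}))
    print(lambda_handler({"authorizationToken": "not-a-token", "methodArn": arn}))
```

One operational caveat: API Gateway caches a TOKEN authorizer's result keyed on the token string, so the authorizer cache TTL should be no longer than the token lifetime, otherwise a token that has expired keeps producing Allow until the cache entry ages out.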
Is working with CriticalBlue and Approov a good experience? We asked Stephen what he likes about the services:
Very easy to POC the service. Basically you can set up a fully functioning test app at zero cost to test.
Support is very quick for any queries relating to the service.
The SDK and documentation are kept up-to-date.
Our developers control app registration with the service themselves, before a new release, so Approov integration isn't a problem for them.
Following the initial deployment to protect their dynamic racing data, Racing Post have also successfully implemented an Approov signature check to authorize access to their static data at their CDN edge (CloudFront and Fastly), which means only their apps can access Racing Post static data, ranging from news and images to the static JS/CSS the apps reference.
Also, it appears that Racing Post’s experience with Approov has inspired their solutions in other areas of the platform beyond the mobile API.
“Because of the success of Approov,” comments Stephen, “we have created our own in-house static JWT system for our fixed B2B partners.”
Finally, Stephen described the next steps for Approov within Racing Post’s growing service:
We are now looking at using Approov to generate keys and tokens required for our other secure data systems, using the Approov token as an authorizing method for access.