It was our API that we were looking to harden against abuse and potential bad actors attempting to threaten the security and availability of our service.
Daniel Jones, Founding Partner, Scoffable
Scoffable, founded in 2010, provides a fast and convenient online ordering experience for takeaway consumers.
With the increase in online transactions and the use of mobile apps, protecting sensitive data has become not only a part of doing business but also a requirement for earning the trust of customers.
The food ordering app market is highly competitive with big investments from some major players. Scoffable understood that it was vital to maintain a responsive and frictionless experience for both consumers and partner takeaways in order to build and retain brand trust. Any service downtime through a DDoS attack by scripts or bots could result in the loss of revenue or valuable local restaurant data to competitors.
The team at Scoffable had already employed some common techniques to prevent abuse, such as rate limiting, Google reCAPTCHA and the use of Cloudflare’s Web Application Firewall product to help protect their services from various threats, including DDoS attacks.
This wasn't enough for mobile, so they reached out to the Approov team for a solution purpose-built for mobile. Approov's signed JWTs (JSON Web Tokens) could be validated quickly and, in conjunction with Cloudflare, solved the DDoS mitigation problem for their APIs.
Scoffable has also made use of Approov’s integration with the Apple DeviceCheck API to ban specific devices from using the Scoffable service.
Finally, we asked Daniel why they chose Approov:
We couldn’t find anything else quite like Approov; for us it solved a number of problems:
- Preventing non-Scoffable applications from making requests to our public APIs
- Providing a DDoS mitigation solution (in conjunction with Cloudflare)
- Reducing legitimate user friction on iOS where Google reCAPTCHA is not native
- Providing a simplified approach to the management of Certificate Pinning