App and API protection with Promon App Attestation™

APIs are inherently vulnerable to attacks

APIs are essential for applications, but they also provide an easy way for threat actors to take advantage of and misuse services. Hardcoding API keys or credentials into application code is one of the four most common ways that APIs are vulnerable. If APIs leak into the public domain, businesses can suffer significant losses in revenue, service downtime, and brand reputation.

Rogue apps that connect to APIs are prone to abuse, leading to breaches, non-compliance, and loss of user trust. Unprotected apps can also be modified by attackers to steal sensitive data or use the app as a vector for malware or other attacks. As such, API protection is critical to prevent data breaches.

78%: the share of API attacks that come from seemingly legitimate users who are, in fact, attackers using maliciously obtained authentication.

35%: the share of account takeover attacks that target APIs specifically.

$71b: the maximum annual cost of poor API protection.

How Promon App Attestation™ protects APIs and apps in real time

The Promon SHIELD™ App Attestation module helps you verify, in real time, the integrity and authenticity of the mobile apps that access your APIs, ensuring that they have not been compromised or tampered with. App Attestation uses a challenge-response mechanism to ensure that each API call comes from a genuine application running on a secure device.

Each challenge-response exchange is unique, which makes it difficult for attackers to exploit and reduces the risk of replay attacks. Promon SHIELD™ App Attestation ensures that even if your APIs and their keys are leaked, you don’t have to worry.
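The challenge-response flow described above, as an added example that is not Promon's code and does not reproduce SHIELD's actual protocol: the server issues a single-use, time-limited nonce, the (assumed) protected app answers with an HMAC that binds the nonce to its app identity and runtime integrity verdict, and the server rejects replays, stale challenges and mismatched identities. The attestation key, app identifier and integrity check are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key. Assumption: in a real deployment the client copy lives
# inside protected (e.g. whitebox) code, never as a plaintext constant.
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"
CHALLENGE_TTL = 30  # seconds a challenge stays valid
APP_ID = "com.example.app"  # constructed app identifier


def _tag(key, nonce, app_id, device_ok):
    """HMAC that binds the server's nonce to app identity and integrity verdict."""
    msg = f"{nonce}|{app_id}|{int(device_ok)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AttestationServer:
    """Issues single-use challenges and verifies the response before serving an API call."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # nonce -> issue time; removed on first use

    def issue_challenge(self):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = self.now()
        return nonce

    def verify(self, nonce, app_id, device_ok, tag):
        # pop() consumes the nonce: a replayed response finds nothing to match.
        issued = self.pending.pop(nonce, None)
        if issued is None or self.now() - issued > CHALLENGE_TTL:
            return False            # unknown, forged, replayed or stale challenge
        if not device_ok:
            return False            # runtime integrity check failed on the client
        expected = _tag(self.key, nonce, app_id, device_ok)
        return hmac.compare_digest(expected, tag)


def genuine_client_response(nonce, key=ATTESTATION_KEY):
    """Stand-in for the protected app; the integrity verdict is constructed as True."""
    device_ok = True
    return APP_ID, device_ok, _tag(key, nonce, APP_ID, device_ok)
```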

Strengthen your app and API security

Stop rogue mobile apps or servers from impersonating legitimate sources. The App Attestation module ensures that access to your APIs only comes from a validated mobile app, preventing attacks such as API injection and data tampering.
Use App Attestation to secure API connectivity without conflicting with regulatory constraints.
Demonstrate your commitment to security and privacy, and reduce the risk of systemic attacks and fraud. You can increase user trust because your organization will avoid costly breaches and hacking incidents.

Promon App Attestation™ tailored to your needs


For Gaming

Protect against friendly fraud, and swiftly detect and block unauthorized app connections in real time, ensuring fair gameplay in your games. Promon App Attestation™ delivers filtered access to the gaming apps’ APIs and allows you to react if non-genuine apps are trying to connect to your servers.


For Banking and Open Banking

Verify the integrity and authenticity of your banking or fintech applications to guarantee that only trusted versions of the apps can interact with your servers. Promon App Attestation™ ensures the security and integrity of the communication between the app and the servers of different financial organizations, preventing unauthorized access and data theft.


For Streaming

Keep streaming content secure and accessible only through legitimate channels, preventing unauthorized distribution and piracy. For instance, Promon App Attestation™ will diminish DRM breaches on the server side because, even if DRM keys are leaked, the API can only be accessed by protected, unmodified applications.


For eCommerce

Safeguard your business from fraudulent transactions, account takeover, and identity theft, and minimize the risk of disputes and chargebacks. By thoroughly verifying the integrity and authenticity of your apps in real time, the module establishes a secure and trusted connection between the apps and your eCommerce platform’s APIs.

With Promon App Attestation™:

Transition from static to dynamic app attestation

While Google and Apple’s attestation approach is limited to session-based verification when the app is launched, Promon App Attestation™ provides transaction-based, continuous validation. This ensures the mobile app is executing in a secure and unmodified environment while it connects to your APIs. With real-time validation, the module enhances security and safeguards against tampering, providing higher protection for your app and data.

Go beyond authentication and secure your app at runtime

The Promon SHIELD™-protected app authenticates to the server side with the embedded assurance that the app is uncompromised. Google Play’s integrity and signing service and Apple’s app attest service don’t check if the application was tampered with and don’t validate the device integrity, while Promon SHIELD™ with the App Attestation module also validates the app and device integrity.

Get full control

Promon App Attestation™ is fully self-contained and offers the same mechanism for attestation for iOS and Android apps. The attestation process occurs within the app without relying on external services or separate channels. This can provide benefits such as not being dependent on external availability, greater control over the process, and reduced risk of interception or tampering.

How to enhance your API protection

In addition to offering comprehensive API protection through app attestation, our whitebox-backed security solutions can help enhance your API protection even more.

SAROM is a module of Promon SHIELD™. It provides a simple solution to a challenge that is hard to solve on any mobile platform. SAROM helps in protecting specific assets in a published app.

Promon SHIELD™ offers Secure Local Storage (SLS) as a module. This provides app developers with the ability to store app secrets locally on the end-user device. Examples of app secrets are session tokens, personally identifiable information, API keys, and more.

  • SLS enables secure encrypted data storage on a device, even if the device is rooted or jailbroken.
  • Secure Application ROM (SAROM) keeps your fixed app secrets safe in a published app.

Gartner states that hardcoding API keys or other credentials in web and mobile applications is a major API vulnerability. This practice leaves those secrets exposed to decompilation attacks.

Gartner, “API Security: What You Need to Do to Protect Your APIs,” Mark O’Neill, Dionisio Zumerle, Jeremy D’Hoinne.