Mobile apps are increasingly the primary tools we use to access our daily digital lives. These apps become central in sensitive (user) information handling and facilitating transactions.

However, not all mobile apps can be trusted. Promon’s State of App Repackaging threat report stated that 61% of apps in the wild could be repackaged or suffer from malware already present in the device running the app.

This is a problem in itself, but when combined with the extensive use of APIs, it then brings the risk to a possible systemic layer where the blast radius of an exploit can dramatically impact your business. The possible risks are too significant to be ignored, especially in industries like banking and fintech, which are increasingly driven by real-time settlements with no possible roll-back. The need for enhanced security measures has never been more critical to avoid costly API security flaws remediations and reputational damage.

To address this, we are thrilled to announce the launch of Promon App Attestation™ as the first pillar for security at reach. With the Promon SHIELD™ App Attestation module, you can now bind the authenticity and integrity of your mobile apps to your APIs in real time.

As always, with Promon SHIELD™, this innovative module also verifies the integrity of the devices running your apps.

Why do you need App Attestation?

First, let’s understand why you need any type of app attestation. App attestation is historically a cryptographic element that is shared between app stores and mobile apps in the field.

Essentially, application stores like Apple® or Google® would verify that the app you are about to run is, in fact, ‘real’ and unmodified. Having this type of ‘app attestation’ to filter down who can use your API seems like a very good idea. However, this approach has limitations. If the ‘attestation server’ is not reachable (or if the app ‘thinks’ it is not reachable), then a much less secure fallback mechanism is used.

Last, this protection is inefficient when facing risks at runtime, as the verification is usually done at launch time.

Authentication, or even Strong Customer Authentication (SCA) alone, is insufficient to guarantee API security, especially in the context of open (banking) APIs where liability shift and vendor risk injection are critical. Moreover, malicious actors can exploit unsecured apps, modify their behavior, steal sensitive data, or even turn them into vectors for malware and other cyberattacks.

Finally, yes, you need to deploy app attestation, but what is available by default has limits that put you at risk, so you may want to look for something better.

Promon App Attestation™ addresses these critical security challenges by providing integrity validation and authenticity verification for your applications. Integrated into the multi-layered Promon SHIELD™ mobile app protection, this module ensures that your apps remain secure at rest and runtime. It marks Promon’s first solution for protection at reach, enabling secure connections to external APIs and services.

The benefits of app and API protection with App Attestation

Go from static to dynamic app attestation

Unlike the limited session-based verification offered by others, Promon App Attestation™ provides transaction-based, continuous validation. This ensures that your mobile app is executed in a secure and unmodified environment while connecting to your APIs. Real-time validation significantly enhances security, safeguarding against potential tampering and providing robust protection for your app and data.

Practically speaking: if you attempt to connect a debugger to an app at runtime on a device and access your APIs, App Attestation will completely prevent the app from running. In contrast, other app attestation solutions would prove ineffective.

Go beyond authentication and secure your app at runtime

While Google and Apple primarily focus on app launch verification, Promon SHIELD™ goes a step further. Our App Attestation module validates both the app and device integrity during runtime, ensuring a higher level of security and removing the gap between what you protect and what you use.

Practically speaking: there will be no decoupling from the attestation server and your API server because the former will not be accessible due to your API being unreachable.

Gain full control

By leveraging Promon’s App Attestation, businesses gain full control over the entire chain of trust in their country or operating zone. It is a platform-agnostic solution that eliminates reliance on any third-party services.

Practically speaking: you will have data residency certainty, keeping GDPR nightmares like post “Schrems II” mitigation at bay. App Attestation finally offers customizable solutions tailored to your specific needs, ensuring the highest level of security (data at rest protection options, state-of-the-art obfuscation, including WBC use).

App and API security tailored to your needs

Promon App Attestation™ caters to various industries and sectors, ensuring comprehensive app and API protection. Whether you’re in gaming, banking, streaming, eCommerce, or any other industry, App Attestation can be tailored to meet your specific security requirements.

That’s a wrap!

Promon App Attestation™ revolutionizes mobile app and API security, offering real-time integrity validation and authenticity verification. By leveraging this powerful module, organizations can enhance security, ensure regulatory compliance, and build user trust. Take control of your app and API security today with App Attestation.