Approov Explained

Approov (formerly CriticalBlue) is a Scottish software company based in Edinburgh that is primarily active in two areas of technology: anti-botnet and automated threat prevention for mobile businesses,^[4] and software optimization tools and services for Android and Linux platforms.

Approov recently issued findings showing that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys that could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust. The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety two per cent of the apps leaked valuable, exploitable secrets and twenty three per cent of the apps leaked extremely sensitive secrets.^[5]

History

In 2001, David Stewart, Richard Taylor, and Ben Hounsell founded the software company, under the name CriticalBlue, in Edinburgh, Scotland.^{[6] [7]} The company won a Smart Scotland Award in 2002 for "Electronic design automation tools for improved design of demanding multimedia applications."^[8] Approov received $2 million in seed funding and assembled a core team in 2003.^{[9] [10] [11]}

In May 2008, Approov joined the Multicore Association, where CEO David Stewart would eventually co-chair the Multicore Programming Practices workgroup in 2009.^{[12] [13]} The company received $4 million funding in September 2008 from European, Silicon Valley, and Japanese venture capitalists and corporate investors, and started a close collaboration with Toshiba Corporation.^{[14] [15]}

During 2010, Approov extended Prism product support for MIPS, Cavium, and Freescale.^{[16] [17] [18]} In 2011, the company added support for TI C66x DSPs and second generation Intel Core processors.^{[19] [20]} The company expanded the range of supported Renesas platforms in 2012.^[21]

In 2013, Approov refocused on mobile Android and embedded Linux platforms.^[22]

Products

Approov service

Approov continued to work in the mobile software optimization market while it started the analysis of mobile data security opportunities, followed by the launch of the Approov app authentication service in 2016.^[23] Approov is an app authentication service that allows API backends to positively identify that requests are being made by a legitimate mobile app.^[24]

Kristopher Sandoval, an author for Nordic APIs, conducted a fully independent review of Approov in February 2017 and noted that "... the threat to public-facing APIs in the mobile space is real, dangerous, and often inefficiently mitigated."^[25] After evaluating the Approov service, he concluded that "Its approach to securing applications in the mobile environment is novel, and the way CriticalBlue goes about this is perhaps one of the more secure ways of doing so. While using cloud services for authentication is often highly questionable, their implementation in this case looks rock solid."

While pointing out that "... preventing the types of reverse engineering issues that Approov is designed to stop is vitally important" ^[25] he recommends that companies should consider the possible savings of integration.^[25]

According to Steven Puddephatt, Business Solutions Architect at the Racing Post:^[26]

Bill Buchanan, Professor of Computing, The Cyber Academy, Edinburgh Napier University, stated, "[w]e have analyzed Approov for both its cryptography strength and also for an initial penetration test. The current system has very good levels of assurance which provide significantly reduced risk within the key application areas." The Approov mobile app authentication technology has been described at the AppsWorld London 2016 event as "a baked in plan for success in your app such that you avoid service downtime costs, distributed attack risks, and cloud resource wastage due to illegitimate app requests from automated botnets."^[27] According to the Approov White Paper from the product website, "[t]he Approov service uses a unique challenge-response cryptographic protocol between the mobile app and ... cloud based attestation server. A local attestation library is seamlessly integrated into a mobile app ... When the mobile app launches, the attestation process is initiated to prove to the attestation service that it is an authentic app using a one-time non-replayable cryptographic hash of the app code."^[28]

Prism

First released in 2009, Prism dynamically traces software applications at runtime and captures data that can be used to analyze and identify the causes of poor performance.^[29] Prism received the "Best of Show" Award at the 2009 Silicon Valley Embedded Systems Conference.^[30]

Bryon Moyer, in Real World Multicore Embedded Systems, states that Prism's objective is "to provide analysis and an exploration and verification environment for embedded software development using multicore architectures."^[31] Moyer also describes the Prism interface as a set of integrated views in the GUI that display interactions between threads, data dependencies, cache analysis, along with the microprocessor pipeline.^[31]

Matassa and Domeika, in Break Away with Intel Atom Processors, similarly state that Prism is a "toolsuite aimed at optimized software development for multi-core and/or multithreaded architectures."^[32] While mentioning the same analysis views in the Prism GUI described by Moyer, they also describe the dynamic tracing approach, whereby "traces of the user's software application are extracted either from a simulator of the underlying processor core or via an instrumentation approach where the application is dynamically instrumented to produce the required data."^[32]

Cascade

Finalized in 2003 and commercially released in 2004, Approov's Cascade is a C to RTL synthesizer.^{[33] [34] [35]} Richard Taylor and David Stewart, from Approov itself, provided a chapter in Customizable Embedded Processors, describing Cascade as a "solution [that] allows software functionality implemented on an existing main CPU to be migrated onto an automatically...generated coprocessor."^[36] They stated that this is realized as an automated design flow from an embedded software implementation onto a coprocessor described in RTL. They identified offloading computationally-intensive algorithms from the main processor as the primary usage of such a coprocessor. Cascade was awarded "Best Wireless Design Tool" in 2003 by the Wireless Systems Design magazine.

Patents

• GB . 2393811 . patent . A configurable microprocessor architecture incorporating direct execution unit connectivity . 2004-09-29 . 2003-06-30 . 2002-06-28 . Richard M Taylor . CriticalBlue Ltd. .
• GB . 2394085 . patent . Generating code for a configurable microprocessor . 2005-03-23 . 2003-06-30 . 2002-06-28 . Richard M Taylor . CriticalBlue Ltd. .
• GB . 2393809 . patent . Automatic configuration of a microprocessor . 2004-04-07 . 2003-06-30 . 2002-06-28 . Richard M Taylor . CriticalBlue Ltd. .
• GB . 2393812 . patent . Microprocessor instruction execution method for exploiting parallelism . 2004-04-07 . 2003-06-30 . 2002-06-28 . Richard M Taylor . CriticalBlue Ltd. .
• GB . 2393810 . patent . Automatic configuration of a microprocessor influenced by an input program . 2004-04-07 . 2003-06-30 . 2002-06-28 . Richard M Taylor . CriticalBlue Ltd. .

Publications

1. Hounsell, Ben & Taylor, Richard. Co-processor Synthesis: A New Methodology for Embedded Software Acceleration, Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE'04), 16 February 2004. Retrieved on 23 June 2014.
2. Taylor, Richard et al. Automated data cache placement for embedded VLIW ASIPs, codes-isss, pp. 39–44, Third IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS'05), 19 September 2005. Retrieved on 23 June 2014.
3. Morgan, Paul & Taylor, Richard. ASIP instruction encoding for energy and area reduction, DAC '07 Proceedings of the 44th annual Design Automation Conference, Pages 797-800, 4 June 2007. Retrieved on 23 June 2014.

References

Notes and References

1. Web site: 2022-12-08 . Approov Appoints Cybersecurity Executive Ted Miracco CEO (Board member) . 2023-03-09 . www.businesswire.com . en.
2. Web site: 2023-03-21 . Approov Names Pearce Erensel Vice President of Sales.
3. Web site: CRITICAL BLUE LIMITED people - Find and update company information - GOV.UK . 2023-03-09 . find-and-update.company-information.service.gov.uk . en.
4. Web site: OWASP Automated Threats to Web Applications. OWASP. 16 January 2017.
5. Web site: Zurier . Steve . 2023-03-02 . Financial apps tested from Google Play Store leaked sensitive API data under testing conditions . 2023-03-09 . SC Media . en.
6. http://data.companieshouse.gov.uk/doc/company/SC224237 "Company registration record"
7. Web site: Critical Blue collects $2m funding. 1 October 2003. 15 September 2014. Electronics Weekly.com. Metropolis Media Publishing.
8. http://www.scotland.gov.uk/Publications/2003/06/17320/22383 "Winners of 2002 SMART:SCOTLAND Competition"
9. Dorsey, Kristy. "Tech start-up shows the colour of its money", The Herald (Glasgow), 29 September 2003. Retrieved on 23 June 2014.
10. Goering, Richard. "Co-processor synthesis startup wins first-round funding", EETimes, 2 October 2003. Retrieved on 23 June 2014.
11. http://www.electronicsweekly.com/news/archived/resources/critical-blue-collects-2m-funding-2003-10/ "Critical Blue collects $2m funding"
12. http://www.multicore-association.org/press/080507.htm "Multicore Association Adds CriticalBlue to its Membership"
13. http://www.multicore-association.org/press/130214.html "Multicore Association Rolls Out Developer's Guide to Software Programming for Multicore Designs"
14. http://embedded-computing.com/news/criticalblue-corporation-scottish-venture-fund/ "CriticalBlue raises $4M, adds Investors Toshiba Corporation and Scottish Venture Fund"
15. http://www.eetimes.com/document.asp?doc_id=1169347 "Toshiba, CriticalBlue collaborate on multicore development environment"
16. http://globenewswire.com/news-release/2010/03/31/417440/187780/en/CriticalBlue-and-MIPS-Technologies-Enable-Software-Developers-to-Quantify-Benefits-of-Migrating-to-MIPS32-R-Based-Multicore-Platforms.html "CriticalBlue and MIPS Technologies Enable Software Developers to Quantify Benefits of Migrating to MIPS32(R)-Based Multicore Platforms"
17. http://www.caviumnetworks.com/newsevents_Caviumnetworks_CriticalBlue.html "CriticalBlue Provides Multicore Software Development Analysis Environment for OCTEON and OCTEON II Processors"
18. http://media.freescale.com/phoenix.zhtml?c=196520&p=irol-newsArticle&ID=1501802&highlight "Freescale and CriticalBlue expand collaboration on multicore software development environments"
19. http://e2e.ti.com/support/dsp/c6000_multi-core_dsps/b/announcements/archive/2011/10/04/critical-blue-announces-support-for-ti-c66x-dsps.aspx "CriticalBlue announces support for TI C66x DSPs"
20. http://www.intel.sg/content/dam/www/public/us/en/documents/white-papers/hd-video-encoder-performance-paper.pdf "Evaluating HD Video Encoder Performance on 2nd Generation Intel Core Processor-Based Devices Using CriticalBlue Prism"
21. https://www.bloomberg.com/apps/news?pid=newsarchive&sid=ap.NNknF4kXo "CriticalBlue Announces Broader Support for Renesas' Multicore Platforms Within Prism"
22. McLellan, Paul. "Kathryn Kranen Joins CriticalBlue's Board", SemiWiki, 5 February 2013. Retrieved on 23 June 2014.
23. Web site: CriticalBlue . CriticalBlue Launches Approov, Next Generation Mobile API Abuse/Misuse Prevention System . 2023-03-09 . www.prnewswire.com . en.
24. Web site: Mobile API Security for Android & iOS Apps Approov . 2023-03-09 . approov.io.
25. http://nordicapis.com/review-of-approov-for-mobile-api-security/ "Review of Approov for mobile API Security"
26. http://www.prnewswire.com/news-releases/criticalblue-launches-approov-next-generation-mobile-api-abusemisuse-prevention-system-606250726.html "CriticalBlue Launches Approov, Next Generation Mobile API Abuse/Misuse Prevention System"
27. https://tmt.knect365.com/apps-world/sponsors/critical-blue "Apps World 2016 London CriticalBlue Exhibitor Profile"
28. https://www.approov.io/whitepaper.pdf "Approov White Paper"
29. http://www10.edacafe.com/nbc/articles/view_article.php?section=ICNews&articleid=670025 "CriticalBlue Delivers Prism, The First Embedded Multicore Development System to Leverage Unmodified Sequential Software."
30. Balacco, Stephen. "VDC Awards CriticalBlue the Embeddie Best of Show Award for the 2009 Embedded Systems Conference", VDC Research, 4 May 2009. Retrieved on 23 June 2014.
31. Book: Moyer. Bryon. Real World Multicore Embedded Systems: A Practical Approach: Expert Guide. 11 April 2013. Newnes. 978-0-12-416018-7. 323–324.
32. Book: Matassa. Lori. Domeika. Max. Break Away with Intel Atom Processors: A Guide to Architecture Migration. 16 December 2010. Intel Press. 978-1-934053-37-9. 325–326.
33. http://www.design-reuse.com/news/5524/criticalblue-eda-true-co-processor-synthesis-toolset-embedded-microprocessor-applications.html "CriticalBlue Provides EDA's First True Co-Processor Synthesis Toolset for Embedded Microprocessor Applications"
34. Ball, Richard. "Scottish firm's co-processor runs native software", Electronics weekly, 14 May 2003. Retrieved on 23 June 2014.
35. Goering, Richard. "CriticalBlue releases coprocessor synthesis tool", EETimes, 19 May 2004. Retrieved on 23 June 2014.
36. Book: Ienne. Paolo. Leupers. Rainer. Customizable Embedded Processors, Volume V: Design Technologies and Applications (Systems on Silicon). 28 July 2006. Morgan Kaufmann. 978-0-12-369526-0. 210–211.