AppiCrypt ensures that only the genuine mobile application has the right to communicate with protected remote services.
It is a generic solution for all types of iOS and Android devices, with no dependency on Google Play or other OEM services. The integration can be done within a few days of developer work.
It doesn't require any integration with external APIs. It ensures low latency and doesn't introduce a single point of failure. Cryptogram verification is a simple script running locally on the customer backend.
AppiCrypt provides fine-grained details about detected threats, device identity, and HW details. It enables user and session binding to address the most sophisticated attacks, such as session hijacking.
We need to keep in mind that a mobile application installed on users' mobile devices runs in an uncontrolled and untrusted environment. The mobile app itself can be a target of reverse engineering, which compromises all hard-coded API keys or client authentication materials and creates an opportunity for attackers to abuse remote services.
botnets and fake registrations
brute force attacks
Ultimately, a qualified reverse engineer will be able to overcome the root/JB control of any RASP technology. By design, the reverse engineer always wins if they invest enough time to exercise the App. But...
In contrast to other vendors, we have an additional "layer" of protection: AppiCrypt®. With this technology, the RASP SDK generates a unique cryptogram that is unreadable to attackers but readable by a simple script linked to the API gateway on the backend.
The idea behind this technology is not just to protect the API but to let your "backend" know that RASP controls were overcome or turned off by attackers. The gateway can then easily block the session if the App integrity is compromised, and API calls are processed by backends only when the RASP control has passed.
In short, our approach makes the RASP control much harder to break and allows you to deliver a highly secure and fast product.
AppiCrypt targets API vulnerabilities that WAF and API gateway solutions cannot address because they lack client integrity controls.