Innovative Approov Offers Much-Needed Protection for Mobile Apps and APIs
Approov, a Lanza techVentures investment, is a leading provider of security authentication for mobile apps, having evolved from its founding mission as an electronic design automation (EDA) company providing synthesis software.
While it appears Approov (formerly CriticalBlue) took a circuitous route from its origins, David Stewart, its CEO, will say otherwise. By his account, each step along the journey brought the company closer to where it is today, moving from EDA to multicore processing, with tools that enable performance optimization, and then to mobile business protection. In a savvy move to support a growing and important market, Approov reused its deep-level performance analysis technology to concentrate on security. The result is the Approov SDK, a SaaS service that positively authenticates requests on a user’s mobile API.
Whether serving the chip, embedded or mobile markets, Approov has always optimized the behavior of software and monitored execution meaningfully and rapidly at the deepest possible level to detect unwanted behavior of the machine. “It is reducing performance to the deepest possible level of the machine to ensure it is behaving appropriately,” notes Lucio Lanza, managing partner of Lanza techVentures and chairman of Approov. “As markets evolve, Approov is meeting the changing requirements.”
Approov of Edinburgh, Scotland, was founded by David and Richard Taylor, veterans of EDA and embedded systems. David worked at the enduring EDA company Cadence Design Systems for 10 years, starting as an AE after working in ASIC design. He opened Cadence’s Stockholm, Sweden, office to support its customer Ericsson. In those days, the networking and communications leader designed close to 100 chips per year. From there, David went to Redwood Design Automation, a well-funded EDA startup acquired by Cadence. Soon enough, he was back in the Cadence fold working in business development and the fast-growing area of design services.
David’s various roles within Cadence served him well when he and his colleagues started Approov in 2001, a time when the semiconductor industry was moving to multicore processing. Approov had software to synthesize the C language to RTL code, and this same approach was later used for partitioning multicores.
Alas, companies such as Ericsson were moving away from designing multiple chips a year to maybe one or two. That’s when Approov made the crucial decision to apply the deep-level performance optimization technology targeting multicores to mobile security.
David admits it was a massive leap, but a calculated one, to the point where mobile is all Approov does today. “We secure mobile APIs,” he remarks. “Our differentiation is to authenticate that only genuine mobile app instances can use the communications channel.” It’s a giant opportunity, per Gartner’s article titled “How To Build An Effective API Security Strategy.” Gartner predicts that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.
Approov allows an API back end to positively identify requests made by a legitimate mobile app and reveals what is communicating with the servers. It also prevents API abuse, misuse and scraping by positively authenticating requests on a user’s mobile API. Approov creates a forensic digital DNA profile of a genuine app instance.
When an app is launched, Approov authenticates that its instance is genuine and unmodified. Each transaction request must pass Approov’s Dynamic Forensic Integrity Authentication. If the request comes from a bot or a modified app, it will fail Approov’s authentication and will be blocked at the API endpoint. If it is genuine, the digital DNA will be verified and traffic will be processed. The process is repeated at a frequency defined by the company.
Approov is sold through a SaaS model, a change from the familiar EDA business model based on licenses. SaaS is an on-demand software licensing and delivery model leveraging cloud-service portals, and far more automated than EDA’s selling model.
Businesses today pay a monthly fee to get access to Approov. A typical Approov user is in the business-to-consumer mobile app market. The sectors all feature mobility: transport OEMs, car rental or car-sharing, and airlines, for example. The mobile app is the touch point on a smartphone, holding valuable data that is both personal and business-critical to a company, and it is even more important if the user is in the car.
Mobile banking and fintech is another growing market, and one in need of authentication services. So is retail, because competitive information is sensitive. Retailers have mobile apps for customers to check product availability and pricing without the need to log in. A competing retailer may be able to access sensitive data through an unauthorized script on the API. Approov detects that unauthorized script and ensures that information is protected.
The connection David has to Lucio goes all the way back to Redwood in the 1990s. It was funded by U.S. Venture, where Lanza served as a venture partner and general partner. At the same time, he worked with senior Cadence executives at the highest levels to outline the strategy for its mergers and acquisitions program.
David approached Lucio when Approov, then developing a co-processor synthesis product, was looking for seed funding. Lanza techVentures invested and has been an investor in every subsequent round. Lucio became chairman in 2004. David credits him with being an advisor and active participant in Approov’s transformations. “He admits when he needs to be educated on market dynamics, is full of ideas about how to approach opportunities, and always contributes in a unique fashion at board meetings,” David says. In fact, he never misses a board meeting.
Luckily for companies and their customers with a strong mobile presence and a need for security protection, the aptly named Approov focused its attention on mobile security and away from EDA.