Skip to content

Commit 6a8d727

Browse files
author
Richard Taylor
committed
Migrate to new registration approach and account defaults
1 parent bc75ca6 commit 6a8d727

5 files changed

Lines changed: 53 additions & 81 deletions

File tree

API-PROTECTION.md

Lines changed: 16 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -11,28 +11,33 @@ approov api -add your.domain
1111
```
1212
Approov tokens will then be added automatically to any requests to that domain (using the `Approov-Token` header, by default).
1313

14-
Note that this will also add a public key certicate pin for connections to the domain to ensure that no Man-in-the-Middle attacks on your app's communication are possible. Please read [Managing Pins](https://approov.io/docs/latest/approov-usage-documentation/#public-key-pinning-configuration) to understand this in more detail.
14+
Note that this will use [Managed Trust Roots](https://approov.io/docs/latest/approov-usage-documentation/#managed-trust-roots) to ensure that no Man-in-the-Middle attacks on your app's communication are possible.
1515

1616
> **NOTE:** By default a symmetric account key is used to sign the Approov token (HS256 algorithm), so that all API domains will share the same signing secret. Alternatively, it is possible to use a [keyset key](https://approov.io/docs/latest/approov-usage-documentation/#managing-key-sets) which may differ for each API domain and for which a wide range of different signing algorithms and key types are available. This requires you to first [add a new key](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-new-key), and then specify it when [adding each API domain](https://approov.io/docs/latest/approov-usage-documentation/#keyset-key-api-addition). Note that this will have impact how you verify the token on your API backend.
1717
18-
## REGISTERING APPS
19-
In order for Approov to recognize the app as being valid it needs to be registered with the service. Change the directory to the top level of your app project and then register the app with Approov:
18+
## ADD YOUR SIGNING CERTIFICATE TO APPROOV
19+
In order for Approov to recognize the app as being valid, the local certificate used to sign the app needs to be added to Approov. The following assumes it is in PKCS12 format:
2020

2121
```
22-
approov registration -add app/build/outputs/apk/debug/app-debug.apk
22+
approov appsigncert -add ~/.android/debug.keystore -storePassword android -autoReg
2323
```
2424

25-
Note, some versions of Android Studio save the app in `app/build/intermediates/apk/debug/app-debug.apk`.
25+
This ensures that any app signed with the certificate used on your development machine will be recognized by Approov.
2626

27-
Note, on Windows you need to substitute \ for / in the above command.
28-
29-
> **IMPORTANT:** The registration takes up to 30 seconds to propagate across the Approov Cloud Infrastructure, therefore don't try to run the app again before this time has elapsed. During development of your app you can ensure it [always passes](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-device-security-policy) on your device to not have to register the APK each time you modify it.
30-
31-
[Managing Registrations](https://approov.io/docs/latest/approov-usage-documentation/#managing-registrations) provides more details for app registrations, especially for releases to the Play Store. Note that you may also need to apply specific [Android Obfuscation](https://approov.io/docs/latest/approov-usage-documentation/#android-obfuscation) rules for your app when releasing it.
27+
See [Android App Signing Certificates](https://approov.io/docs/latest/approov-usage-documentation/#android-app-signing-certificates) if your keystore format is not recognized or if you have any issues adding the certificate. This also provides information about adding certificates for when releasing to the Play Store. Note also that you need to apply specific [Android Obfuscation](https://approov.io/docs/latest/approov-usage-documentation/#android-obfuscation) rules when creating an app release.
3228

3329
## FURTHER OPTIONS
3430
See [Exploring Other Approov Features](https://approov.io/docs/latest/approov-usage-documentation/#exploring-other-approov-features) for information about additional Approov features you may wish to try.
3531

32+
### Development Key
33+
You may wish to [set a development key](https://approov.io/docs/latest/approov-usage-documentation/#using-a-development-key) in order to force an app to be passed, if it may be resigned by a different app signing certificate to which you don't have access. Perform the call:
34+
35+
```Java
36+
ApproovService.setDevKey("uDW9FuLVpL1_4zo1");
37+
```
38+
39+
See [using a development key](https://approov.io/docs/latest/approov-usage-documentation/#using-a-development-key) to understand how to obtain the development key which is the parameter to the call.
40+
3641
### Changing Approov Token Header Name
3742
The default header name of `Approov-Token` can be changed as follows:
3843

@@ -61,15 +66,7 @@ ApproovService.prefetch();
6166
This initiates the process of fetching an Approov token as a background task, so that a cached token is available immediately when subsequently needed, or at least the fetch time is reduced. Note that there is no point in performing a prefetch if you are using token binding.
6267

6368
### Prechecking
64-
You may wish to do an early check in your app to present a warning to the user if it is not going to be able to obtain valid Approov tokens because it fails the attestation process. To do this you first need to enable the [Secure Strings](https://approov.io/docs/latest/approov-usage-documentation/#secure-strings) feature:
65-
66-
```
67-
approov secstrings -setEnabled
68-
```
69-
70-
> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
71-
72-
Here is an example of calling the appropriate method in `ApproovService`:
69+
You may wish to do an early check in your app to present a warning to the user if it is not going to be able to obtain valid Approov tokens because it fails the attestation process. Here is an example of calling the appropriate method in `ApproovService`:
7370

7471
```Java
7572
import io.approov.service.httpsurlconn.ApproovException;

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
This quickstart is written specifically for native Android apps that are written in Java and use [`HttpsUrlConnection`](https://developer.android.com/reference/javax/net/ssl/HttpsURLConnection) for making the API calls that you wish to protect with Approov. If this is not your situation then check if there is a more relevant Quickstart guide available.
44

5-
This quickstart provides the basic steps for integrating Approov into your app. A more detailed step-by-step guide using a [Shapes App Example](https://github.com/approov/quickstart-android-java-httpsurlconn/blob/master/SHAPES-EXAMPLE.md) is also available.
5+
This page provides all the steps for integrating Approov into your app. Additionally, a step-by-step tutorial guide using our [Shapes App Example](https://github.com/approov/quickstart-android-java-httpsurlconn/blob/master/SHAPES-EXAMPLE.md) is also available.
66

77
To follow this guide you should have received an onboarding email for a trial or paid Approov account.
88

REFERENCE.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,13 @@ void setProceedOnNetworkFail(boolean proceed)
3838

3939
Note that this should be used with *CAUTION* because it may allow a connection to be established before any dynamic pins have been received via Approov, thus potentially opening the channel to a MitM.
4040

41+
### SetDevKey
42+
[Sets a development key](https://approov.io/docs/latest/approov-usage-documentation/#using-a-development-key) in order to force an app to be passed. This can be used if the app has to be resigned in a test environment and would thus fail attestation otherwise.
43+
44+
```Java
45+
void setDevKey(String devKey)
46+
```
47+
4148
## SetApproovHeader
4249
Sets the `header` that the Approov token is added on, as well as an optional `prefix` String (such as "`Bearer `"). Set `prefix` to the empty string if it is not required. By default the token is provided on `Approov-Token` with no prefix.
4350

SECRETS-PROTECTION.md

Lines changed: 18 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -3,49 +3,29 @@ You should use this option if you wish to protect app secrets, including API key
33

44
These additional steps require access to the [Approov CLI](https://approov.io/docs/latest/approov-cli-tool-reference/), please follow the [Installation](https://approov.io/docs/latest/approov-installation/) instructions.
55

6-
## ENABLING MANAGED TRUST ROOTS
7-
Client secrets or API keys also need to be protected in transit. For 3rd party APIs you should not pin against their certificates since you are not in control of when they might be changed. Instead the [Managed Trust Roots](https://approov.io/docs/latest/approov-usage-documentation/#managed-trust-roots) feature can be used to protect TLS.
8-
9-
Ensure managed trust roots are enabled using:
10-
11-
```
12-
approov pin -setManagedTrustRoots on
13-
```
14-
15-
> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
16-
17-
This ensures connections may only use official certificates, and blocks the use of self signed certificates that might be used by a Man-in-the-Middle (MitM) attacker.
18-
196
## ADDING API DOMAINS
207
In order for secrets or API keys to be protected when being transmitted externally by the app, it is necessary to inform Approov about the domains on which they may be sent. Execute the following command:
218

229
```
2310
approov api -add your.domain -noApproovToken
2411
```
2512

26-
This informs Approov that it should be active for the domain, but does not need to send Approov tokens for it. Adding the domain ensures that the channel will be protected against Man-in-the-Middle (MitM) attacks.
13+
This informs Approov that it should be active for the domain, but does not need to send Approov tokens for it. Adding the domain uses [Managed Trust Roots](https://approov.io/docs/latest/approov-usage-documentation/#managed-trust-roots) to ensure that the channel will be protected against Man-in-the-Middle (MitM) attacks.
2714

2815
## MIGRATING THE SECRET INTO APPROOV
29-
It is assumed that you already have some client secrets and/or API keys in your app that you would like to migrate for protection by Approov. To do this you first need to enable the [Secure Strings](https://approov.io/docs/latest/approov-usage-documentation/#secure-strings) feature:
30-
31-
```
32-
approov secstrings -setEnabled
33-
```
34-
> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
35-
36-
You must inform Approov what the value of each secret is as follows:
16+
It is assumed that you already have some client secrets and/or API keys in your app that you would like to migrate for protection by Approov. You must inform Approov what the value of each secret is as follows:
3717

3818
```
3919
approov secstrings -addKey your-secret-name -predefinedValue your-secret-value
4020
```
4121

42-
> Note that this command also requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
22+
> Note that this command requires an [admin role](https://approov.io/docs/latest/approov-usage-documentation/#account-access-roles).
4323
4424
These values can be changed at any time and will propagate within 5 minutes to all running instances of your apps. Since earlier released versions of the app may have already leaked `your-secret-value`, you may wish to refresh the secret at some later point when any older version of the app is no longer in use. You can of course do this update over-the-air using Approov without any need to modify the app.
4525

4626
You can define up to 16 different secret values in this way.
4727

48-
# SUBSTITUTING THE SECRET AUTOMATICALLY
28+
## SUBSTITUTING THE SECRET AUTOMATICALLY
4929
If the secret is presented in an API header or query parameter, and you are able to use the `ApproovService` networking stack, then Approov can automatically substitute the secret value at runtime. You should use this method wherever possible.
5030

5131
If the published code of your app currently uses `your-secret-value` then replace it with the value `your-secret-name`. This provides a placeholder value which can then be automatically substituted with the actual secret value at runtime, for validly attesting apps. The shipped app code will only contain the placeholder values.
@@ -117,25 +97,30 @@ approov policy -setRejectionReasons on
11797
11898
You will then be able to use `getRejectionReasons()` on an `ApproovRejectionException` to obtain a comma separated list of [device properties](https://approov.io/docs/latest/approov-usage-documentation/#device-properties) responsible for causing the rejection.
11999

120-
## REGISTERING APPS
121-
In order for Approov to recognize the app as being valid it needs to be registered with the service. Change the directory to the top level of your app project and then register the app with Approov:
100+
## ADD YOUR SIGNING CERTIFICATE TO APPROOV
101+
In order for Approov to recognize the app as being valid, the local certificate used to sign the app needs to be added to Approov. The following assumes it is in PKCS12 format:
122102

123103
```
124-
approov registration -add app/build/outputs/apk/debug/app-debug.apk
104+
approov appsigncert -add ~/.android/debug.keystore -storePassword android -autoReg
125105
```
126106

127-
Note, some versions of Android Studio save the app in `app/build/intermediates/apk/debug/app-debug.apk`.
128-
129-
Note, on Windows you need to substitute \ for / in the above command.
130-
131-
> **IMPORTANT:** The registration takes up to 30 seconds to propagate across the Approov Cloud Infrastructure, therefore don't try to run the app again before this time has elapsed. During development of your app you can ensure it [always passes](https://approov.io/docs/latest/approov-usage-documentation/#adding-a-device-security-policy) on your device to not have to register the APK each time you modify it.
107+
This ensures that any app signed with the certificate used on your development machine will be recognized by Approov.
132108

133-
[Managing Registrations](https://approov.io/docs/latest/approov-usage-documentation/#managing-registrations) provides more details for app registrations, especially for releases to the Play Store. Note that you may also need to apply specific [Android Obfuscation](https://approov.io/docs/latest/approov-usage-documentation/#android-obfuscation) rules for your app when releasing it.
109+
See [Android App Signing Certificates](https://approov.io/docs/latest/approov-usage-documentation/#android-app-signing-certificates) if your keystore format is not recognized or if you have any issues adding the certificate. This also provides information about adding certificates for when releasing to the Play Store. Note also that you need to apply specific [Android Obfuscation](https://approov.io/docs/latest/approov-usage-documentation/#android-obfuscation) rules when creating an app release.
134110

135111
## FURTHER OPTIONS
136112

137113
See [Exploring Other Approov Features](https://approov.io/docs/latest/approov-usage-documentation/#exploring-other-approov-features) for information about additional Approov features you may wish to try.
138114

115+
### Development Key
116+
You may wish to [set a development key](https://approov.io/docs/latest/approov-usage-documentation/#using-a-development-key) in order to force an app to be passed, if it may be resigned by a different app signing certificate to which you don't have access. Perform the call:
117+
118+
```Java
119+
ApproovService.setDevKey("uDW9FuLVpL1_4zo1");
120+
```
121+
122+
See [using a development key](https://approov.io/docs/latest/approov-usage-documentation/#using-a-development-key) to understand how to obtain the development key which is the parameter to the call.
123+
139124
### Header Prefixes
140125
In some cases the value to be substituted on a header may be prefixed by some fixed string. A common case is the presence of `Bearer` included in an authorization header to indicate the use of a bearer token. In this case you can specify a prefix as follows:
141126

0 commit comments

Comments
 (0)