Approov

Approov (formerly CriticalBlue)
Type: Private
Industry: IT, cybersecurity
Founded: 2001
Founders: David Stewart, Richard Taylor, Ben Hounsell
Headquarters: Edinburgh, Scotland
Key people: Ted Miracco (CEO) [1]; Richard Taylor (CTO); Pearce Erensel (Vice President of Sales) [2]; Lucio Lanza (board member) [3]
Products: SECaaS, dynamic analysis tools, profiling tools, verification tools
Services: API security, application security, software optimization, performance tuning, performance prediction, multicore programming
Number of employees: 25 (2016)
Website: approov.io

Approov (formerly CriticalBlue) is a Scottish software company based in Edinburgh that is primarily active in two areas of technology: anti-botnet and automated threat prevention for mobile businesses, [4] and software optimization tools and services for Android and Linux platforms.


In March 2023 Approov published findings that 92% of the most popular banking and financial services apps contain easily extractable secrets such as API keys, which can be reused in scripts and bots to attack the APIs behind those apps and steal data. The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps on the Google Play Store in each of the U.S., U.K., France and Germany, 650 unique apps in total. 92% of the apps leaked exploitable secrets and 23% leaked highly sensitive ones. [5]
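
The kind of check the Mobile Threat Lab describes, pulling static secrets out of a decoded app package, can be reproduced on a small scale. The Python scanner below is an added example and not Approov's tooling or the lab's method: the decoded resource and smali lines it scans are constructed, the signature patterns are assumptions chosen to illustrate the approach, and the entropy threshold exists because a bare `api_key=` regex also fires on placeholder values.

```python
import math
import re

# Signatures for secrets commonly left in decoded app packages. These are
# constructed for this example, not Approov's rules. The generic rule needs an
# entropy check because it also matches placeholders such as api_key=aaaaaaaa...
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_api_key": re.compile(
        r"api[_-]?key\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})", re.IGNORECASE
    ),
}
MIN_ENTROPY_BITS = 3.0  # per-character Shannon entropy; random hex/base64 keys sit near 4-6

# Constructed sample of what `apktool d` leaves on disk: a strings.xml resource
# file and a smali class holding configuration constants.
SAMPLE_DECODED = """\
<!-- res/values/strings.xml from a decoded package (constructed sample) -->
<string name="app_name">DemoBank</string>
<string name="maps_key">AIzaSyD_EXAMPLEEXAMPLEEXAMPLEEXAMPLE123</string>
<string name="support_url">https://support.example.com</string>
# smali/com/example/Config.smali (constructed sample)
const-string v0, "AKIAEXAMPLE012345678"
const-string v1, "api_key=c8f2a9e4b17d4f0a9e6b3c5d2f8a1e7b"
const-string v2, "api_key=aaaaaaaaaaaaaaaaaaaa"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str) -> list:
    """Return one finding per likely secret: rule name, line number, value, entropy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                entropy = shannon_entropy(value)
                if rule == "generic_api_key" and entropy < MIN_ENTROPY_BITS:
                    continue  # placeholder or test value, not a real credential
                findings.append(
                    {"rule": rule, "line": line_no, "value": value, "entropy": round(entropy, 2)}
                )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_DECODED):
        print(finding)
```

Run over the output of `apktool d` on your own release build, a scanner like this is the cheap half of the problem. A key it finds is extractable by anyone who downloads the public APK, and obfuscation only raises the cost of extraction; the page's finding is that for most of the apps tested nobody had even done this much.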

History

In 2001, David Stewart, Richard Taylor and Ben Hounsell founded the company, under the name CriticalBlue, in Edinburgh, Scotland. [6] [7] It won a Smart Scotland Award in 2002 for "Electronic design automation tools for improved design of demanding multimedia applications". [8] CriticalBlue received $2 million in seed funding and assembled a core team in 2003. [9] [10] [11]

In May 2008, CriticalBlue joined the Multicore Association, and in 2009 CEO David Stewart became co-chair of its Multicore Programming Practices working group. [12] [13] In September 2008 the company raised $4 million from European, Silicon Valley and Japanese venture capital and corporate investors, including Toshiba Corporation, and began a close collaboration with Toshiba on multicore development tools. [14] [15]

During 2010, the company extended Prism support to MIPS, Cavium OCTEON and Freescale platforms. [16] [17] [18] In 2011 it added support for TI C66x DSPs and second-generation Intel Core processors. [19] [20] It broadened support for Renesas multicore platforms in 2012. [21]

In 2013, CriticalBlue refocused on mobile Android and embedded Linux platforms. [22]

Products

Approov service

CriticalBlue continued to work in mobile software optimization while it began evaluating mobile API security, and in 2016 it launched the Approov app authentication service. [23] Approov lets an API backend positively identify that a request comes from a legitimate instance of the mobile app rather than from a script, bot or modified app. [24]

Kristopher Sandoval, writing for Nordic APIs, reviewed Approov in February 2017 and noted that "... the threat to public-facing APIs in the mobile space is real, dangerous, and often inefficiently mitigated." [25] After evaluating the service, he concluded that "Its approach to securing applications in the mobile environment is novel, and the way CriticalBlue goes about this is perhaps one of the more secure ways of doing so. While using cloud services for authentication is often highly questionable, their implementation in this case looks rock solid." [25]

While stressing that "... preventing the types of reverse engineering issues that Approov is designed to stop is vitally important", [25] he recommended that companies consider the potential savings of integrating it. [25]

According to Steven Puddephatt, Business Solutions Architect at the Racing Post, in December 2016: [26]

At the Racing Post we've historically had problems with data scrapers on our site and have relied on 'after the fact' mechanisms such as IP blocking. [In December 2016 we are] on the precipice of exposing our API to the general public, and we are understandably reticent given the value of our data. We searched the market and only Approov offered the strong mobile app authentication and security we required [...] We are now very confident we can launch a public facing API without fear of unauthorized access.

Bill Buchanan, Professor of Computing at The Cyber Academy, Edinburgh Napier University, stated: "[w]e have analyzed Approov for both its cryptography strength and also for an initial penetration test. The current system has very good levels of assurance which provide significantly reduced risk within the key application areas." [26]

The company's exhibitor profile for Apps World London 2016 described the technology as "a baked in plan for success in your app such that you avoid service downtime costs, distributed attack risks, and cloud resource wastage due to illegitimate app requests from automated botnets." [27]

The June 2016 Approov white paper describes the mechanism as follows: "[t]he Approov service uses a unique challenge-response cryptographic protocol between the mobile app and ... cloud based attestation server. A local attestation library is seamlessly integrated into a mobile app ... When the mobile app launches, the attestation process is initiated to prove to the attestation service that it is an authentic app using a one-time non-replayable cryptographic hash of the app code." [28]
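
The flow the white paper outlines, and the backend-side check the product description under Approov service relies on, is modelled in Python below: the app answers a server challenge with a measurement of its own code, the attestation service issues a short-lived token, and the API backend admits only requests carrying a valid one. This is an added illustration, not Approov's protocol, library or token format; the HMAC construction, the shared keys, the 30 s challenge lifetime and 300 s token lifetime, and the app binaries are all constructed assumptions. What it does show is the discipline that makes such a scheme useful on the server side: nonces are single use, tokens expire, and signature comparison is constant-time. Binding the reported code hash to the code that is actually executing, so that a repackaged app cannot simply report the release hash, is the hard part a real attestation product has to solve and this model does not attempt.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed parameters. In a deployment the backend would obtain the token
# signing key from the attestation service; here both sides share it in-process.
TOKEN_KEY = b"constructed-token-signing-key"
CHALLENGE_TTL_S = 30    # assumption: how long an issued nonce stays answerable
TOKEN_TTL_S = 300       # assumption: how long a backend trusts an issued token


def code_hash(app_code: bytes) -> str:
    """Stand-in for the integrity measurement of the shipped app binary."""
    return hashlib.sha256(app_code).hexdigest()


class AttestationServer:
    def __init__(self, known_good_hash: str, app_secret: bytes):
        self.known_good_hash = known_good_hash
        self.app_secret = app_secret   # assumption: per-app key shared with the in-app attestation library
        self.pending = {}              # nonce -> issue time; removed the first time it is used

    def challenge(self, now=None) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now if now is not None else time.time()
        return nonce

    def attest(self, nonce: str, claimed_hash: str, response: str, now=None):
        """Return a signed token for a genuine app, or None. A nonce is consumed even on failure."""
        now = now if now is not None else time.time()
        issued = self.pending.pop(nonce, None)
        if issued is None or now - issued > CHALLENGE_TTL_S:
            return None                # unknown, replayed or stale challenge
        expected = hmac.new(self.app_secret, f"{nonce}|{claimed_hash}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return None                # response not bound to this nonce and hash
        if not hmac.compare_digest(claimed_hash, self.known_good_hash):
            return None                # modified or repackaged app: not the release build
        claims = {"iss": "attest", "exp": int(now) + TOKEN_TTL_S}
        payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"


def app_response(app_secret: bytes, nonce: str, app_code: bytes):
    """What the in-app attestation library sends back: its code hash and a MAC binding it to this nonce."""
    h = code_hash(app_code)
    return h, hmac.new(app_secret, f"{nonce}|{h}".encode(), hashlib.sha256).hexdigest()


def backend_accepts(token, now=None) -> bool:
    """API backend check: reject missing, malformed, forged or expired tokens before serving the request."""
    if not token or token.count(".") != 1:
        return False
    payload, sig = token.split(".")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = now if now is not None else time.time()
    return claims.get("iss") == "attest" and claims.get("exp", 0) > now


def run_scenarios() -> dict:
    """Genuine app, replayed challenge, repackaged app, bare script and an expired token."""
    genuine = b"constructed app binary v1.0"
    tampered = b"constructed app binary v1.0 + injected hooks"
    app_secret = b"constructed-per-app-attestation-key"
    server = AttestationServer(code_hash(genuine), app_secret)
    t0 = 1_700_000_000                 # fixed clock so the scenarios are deterministic

    nonce = server.challenge(now=t0)
    h, r = app_response(app_secret, nonce, genuine)
    token = server.attest(nonce, h, r, now=t0 + 1)
    results = {"genuine": backend_accepts(token, now=t0 + 2)}

    # The same nonce and response sent again: the server already consumed the nonce.
    results["replay"] = server.attest(nonce, h, r, now=t0 + 2) is None

    nonce2 = server.challenge(now=t0)
    h2, r2 = app_response(app_secret, nonce2, tampered)
    results["tampered"] = server.attest(nonce2, h2, r2, now=t0 + 1) is None

    # A script that scraped the API URL but never attested carries no token.
    results["script"] = not backend_accepts(None, now=t0)
    # Short-lived tokens bound how long a leaked one stays useful.
    results["expired"] = not backend_accepts(token, now=t0 + TOKEN_TTL_S + 1)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The backend never sees the app secret or the code hash, only the token, which is the point of putting an attestation service between the app and the API: the API's admission decision reduces to one signature check and one expiry check.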

Prism

First released in 2009, Prism dynamically traces software applications at runtime and captures data that can be used to analyze and identify the causes of poor performance. [29] Prism received the "Best of Show" Award at the 2009 Silicon Valley Embedded Systems Conference. [30]

Bryon Moyer, in Real World Multicore Embedded Systems, states that Prism's objective is "to provide analysis and an exploration and verification environment for embedded software development using multicore architectures." [31] Moyer also describes the Prism interface as a set of integrated views in the GUI that display interactions between threads, data dependencies, cache analysis, along with the microprocessor pipeline. [31]

Matassa and Domeika, in Break Away with Intel Atom Processors, similarly state that Prism is a "toolsuite aimed at optimized software development for multi-core and/or multithreaded architectures." [32] While mentioning the same analysis views in the Prism GUI described by Moyer, they also describe the dynamic tracing approach, whereby "traces of the user's software application are extracted either from a simulator of the underlying processor core or via an instrumentation approach where the application is dynamically instrumented to produce the required data." [32]

Cascade

Finalized in 2003 and commercially released in 2004, CriticalBlue's Cascade is a C-to-RTL synthesizer. [33] [34] [35] Richard Taylor and David Stewart of CriticalBlue contributed a chapter to Customizable Embedded Processors describing Cascade as a "solution [that] allows software functionality implemented on an existing main CPU to be migrated onto an automatically...generated coprocessor." [36] They describe this as an automated design flow from an embedded software implementation to a coprocessor expressed in RTL, [36] and identify offloading computationally intensive algorithms from the main processor as the primary use of such a coprocessor. [36] Cascade was named "Best Wireless Design Tool" of 2003 by Wireless Systems Design magazine.

Publications

  1. Hounsell, Ben & Taylor, Richard. "Co-processor Synthesis: A New Methodology for Embedded Software Acceleration", Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE'04), 16 February 2004. Retrieved on 23 June 2014.
  2. Taylor, Richard et al. "Automated data cache placement for embedded VLIW ASIPs", Third IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS'05), pp. 39–44, 19 September 2005. Retrieved on 23 June 2014.
  3. Morgan, Paul & Taylor, Richard. "ASIP instruction encoding for energy and area reduction", DAC '07: Proceedings of the 44th Annual Design Automation Conference, pp. 797–800, 4 June 2007. Retrieved on 23 June 2014.

References

  1. "Approov Appoints Cybersecurity Executive Ted Miracco CEO", Business Wire, 8 December 2022. Retrieved 9 March 2023.
  2. "Approov Names Pearce Erensel Vice President of Sales", 21 March 2023.
  3. "CRITICAL BLUE LIMITED people - Find and update company information", Companies House (GOV.UK). Retrieved 9 March 2023.
  4. "OWASP Automated Threats to Web Applications", OWASP. Retrieved 16 January 2017.
  5. Zurier, Steve. "Financial apps tested from Google Play Store leaked sensitive API data under testing conditions", SC Media, 2 March 2023. Retrieved 9 March 2023.
  6. "Company registration record", Companies House. Retrieved on 23 June 2014.
  7. "Critical Blue collects $2m funding", Electronics Weekly, Metropolis Media Publishing, 1 October 2003. Retrieved 15 September 2014.
  8. "Winners of 2002 SMART:SCOTLAND Competition", The Scottish Government, 16 June 2003. Retrieved on 23 June 2014.
  9. Dorsey, Kristy. "Tech start-up shows the colour of its money", The Herald (Glasgow), 29 September 2003. Retrieved on 23 June 2014.
  10. Goering, Richard. "Co-processor synthesis startup wins first-round funding", EE Times, 2 October 2003. Retrieved on 23 June 2014.
  11. "Critical Blue collects $2m funding", Electronics Weekly, 1 October 2003. Retrieved on 23 June 2014.
  12. "Multicore Association Adds CriticalBlue to its Membership", Multicore Association, 7 May 2008. Retrieved on 23 June 2014.
  13. "Multicore Association Rolls Out Developer's Guide to Software Programming for Multicore Designs", Multicore Association, 14 February 2013. Retrieved on 23 June 2014.
  14. "CriticalBlue raises $4M, adds Investors Toshiba Corporation and Scottish Venture Fund", Embedded Computing, 10 September 2008. Retrieved on 23 June 2014.
  15. "Toshiba, CriticalBlue collaborate on multicore development environment", EE Times, 23 September 2008. Retrieved on 23 June 2014.
  16. "CriticalBlue and MIPS Technologies Enable Software Developers to Quantify Benefits of Migrating to MIPS32(R)-Based Multicore Platforms", GlobeNewswire, March 2010. Retrieved on 23 June 2014.
  17. "CriticalBlue Provides Multicore Software Development Analysis Environment for OCTEON and OCTEON II Processors", Cavium, 4 August 2010. Archived 19 September 2015 at the Wayback Machine. Retrieved on 23 June 2014.
  18. "Freescale and CriticalBlue expand collaboration on multicore software development environments", Freescale, 1 December 2010. Archived 23 June 2014 at archive.today. Retrieved on 23 June 2014.
  19. "CriticalBlue announces support for TI C66x DSPs", Texas Instruments, 4 October 2011. Retrieved on 23 June 2014.
  20. "Evaluating HD Video Encoder Performance on 2nd Generation Intel Core Processor-Based Devices Using CriticalBlue Prism", Intel, 2011. Retrieved on 23 June 2014.
  21. "CriticalBlue Announces Broader Support for Renesas' Multicore Platforms Within Prism", Bloomberg News, 2 May 2012. Retrieved on 23 June 2014.
  22. McLellan, Paul. "Kathryn Kranen Joins CriticalBlue's Board", SemiWiki, 5 February 2013. Retrieved on 23 June 2014.
  23. "CriticalBlue Launches Approov, Next Generation Mobile API Abuse/Misuse Prevention System", PR Newswire. Retrieved 9 March 2023.
  24. "Mobile API Security for Android & iOS Apps | Approov", approov.io. Retrieved 9 March 2023.
  25. "Review of Approov for mobile API Security", Nordic APIs, 2 February 2017. Retrieved on 8 February 2017.
  26. "CriticalBlue Launches Approov, Next Generation Mobile API Abuse/Misuse Prevention System", PR Newswire, 13 December 2016. Retrieved on 17 January 2017.
  27. "Apps World 2016 London CriticalBlue Exhibitor Profile", 18–20 October 2016. Retrieved on 10 November 2016.
  28. "Approov White Paper", CriticalBlue, 14 June 2016, page 4. Retrieved on 10 November 2016.
  29. "CriticalBlue Delivers Prism, The First Embedded Multicore Development System to Leverage Unmodified Sequential Software", EDA Cafe, 25 March 2009. Retrieved on 23 June 2014.
  30. Balacco, Stephen. "VDC Awards CriticalBlue the Embeddie Best of Show Award for the 2009 Embedded Systems Conference", VDC Research, 4 May 2009. Retrieved on 23 June 2014.
  31. Moyer, Bryon. Real World Multicore Embedded Systems: A Practical Approach: Expert Guide. Newnes, 11 April 2013, pp. 323–324. ISBN 978-0-12-416018-7.
  32. Matassa, Lori; Domeika, Max. Break Away with Intel Atom Processors: A Guide to Architecture Migration. Intel Press, 16 December 2010, pp. 325–326. ISBN 978-1-934053-37-9.
  33. "CriticalBlue Provides EDA's First True Co-Processor Synthesis Toolset for Embedded Microprocessor Applications", Design & Reuse, 12 May 2003. Retrieved on 23 June 2014.
  34. Ball, Richard. "Scottish firm's co-processor runs native software", Electronics Weekly, 14 May 2003. Retrieved on 23 June 2014.
  35. Goering, Richard. "CriticalBlue releases coprocessor synthesis tool", EE Times, 19 May 2004. Retrieved on 23 June 2014.
  36. Ienne, Paolo; Leupers, Rainer. Customizable Embedded Processors, Volume V: Design Technologies and Applications (Systems on Silicon). Morgan Kaufmann, 28 July 2006, pp. 210–211. ISBN 978-0-12-369526-0.