May 6, 2025

    Raise the Bar on Mobile App Security with App Attestation

    Building trust is paramount to earning and maintaining a loyal user base for your mobile apps. Users expect an uninterrupted, high-performing, and secure in-app experience - and that trust must extend to the unseen interactions between your app and your backend servers. The mobile apps interacting with your backend must be held to the same rigorous standards as the client-side experience.

    What is mobile app attestation and why does it matter?

    App attestation is a secure approach to verifying that only your genuine app can connect to your APIs. By adding server-side validation, app developers and security teams can ensure that only legitimate apps interact with their APIs, blocking bots and non-genuine apps.

    Unlike client-side protection, mobile app attestation logic is executed on the server, resulting in enforcement that is opaque to attackers. It gives you greater control to instantly change security policies that evaluate the app environment and code integrity. These policies allow fine-grained control and can be modified without requiring your app to be republished to the app store.

    Introducing Guardsquare’s app attestation

    We’re excited to announce that Guardsquare now offers mobile app attestation. This addition gives teams an end-to-end view of their mobile app’s integrity - extending mobile app security coverage from the client to the server.

    How app attestation works

    The mobile app attestation service analyzes the app making the request and the environment of the device it is running on. It generates a cryptographically signed token carrying a verdict derived from the app's attestation policies, which the developer or security analyst can then act on. This token is short-lived, encrypted, and cannot be reused or spoofed.

    Fine-grained policies are managed through a server-side interface that allows you to verify all of the important security factors that contribute to the trust of the application interacting with your APIs.

    The real power? Policies can be changed in real-time, empowering you to respond instantly to emerging threats - without pushing an app update.

    The app attestation flow works like this: your APIs will receive incoming requests from your application with attestation tokens. Guardsquare will issue tokens for the requesting applications based on security policies you define. The tokens will enable your service to either grant access to your APIs or reject the application for not fulfilling certain requirements.

    You can define these policies in the app attestation console - no coding required. Policies may include environment health, app and code integrity, malware checks, and more. If any of these policies are violated, the server will issue an invalid token to prevent unauthorized app access.

    The token itself is short-lived, bound to the request payload, encrypted, and cryptographically signed. It remains hidden from the application attempting to interact with your APIs and cannot be faked by bots or custom scripts. Thanks to the cryptographic protection, it is hardened against being reused, stolen, modified, or transferred to another device.
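    The following added example (not Guardsquare's code or token format) shows the checks a backend would run on a token with the properties described above: a valid signature, a short lifetime, binding to the request payload, single use, and a passing policy verdict. It uses an HMAC with a shared secret as a stand-in for the real signing scheme and omits the encryption layer; the key, claim names, and sample request body are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed example: a secret shared between the attestation service and the
# API backend. A real deployment uses a provider-issued key, never a literal.
ATTESTATION_KEY = b"example-shared-secret"
_seen_token_ids = set()  # replay cache (single-process stand-in for a shared store)

def _sign(data: bytes) -> str:
    return hmac.new(ATTESTATION_KEY, data, hashlib.sha256).hexdigest()

def issue_token(verdict: str, request_body: bytes, token_id: str,
                ttl_seconds: int = 60, now=None) -> str:
    """Mint a token bound to one request body (stands in for the attestation service)."""
    now = time.time() if now is None else now
    claims = {"verdict": verdict, "jti": token_id, "exp": now + ttl_seconds,
              "body_sha256": hashlib.sha256(request_body).hexdigest()}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload.encode())

def verify_token(token: str, request_body: bytes, now=None) -> str:
    """Return 'ok' or the name of the first failed check."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return "malformed"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return "bad-signature"      # forged or modified token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now > claims["exp"]:
        return "expired"            # short-lived: a stolen token quickly becomes useless
    if claims["body_sha256"] != hashlib.sha256(request_body).hexdigest():
        return "payload-mismatch"   # token was issued for a different request
    if claims["jti"] in _seen_token_ids:
        return "replayed"           # the same token presented a second time
    _seen_token_ids.add(claims["jti"])
    if claims["verdict"] != "pass":
        return "policy-violation"   # attestation policy was not met
    return "ok"
```

The payload-binding check runs before the replay cache is updated, so a mismatched request does not consume a token that was never legitimately used.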

    App attestation allows you to define policies, with fine-grained conditions based on Guardsquare’s security controls. You can create unique policies for different use cases and tailor them for the needs of your application.


    All of your mobile app attestation results are aggregated in your threat dashboard, alongside real-time threat data. App attestation results include historical views and granular insights that identify exactly why a given API request failed attestation. This visibility into real-time threats informs how you adjust current and future policies to continually strengthen your mobile app's security posture.

    Real-world benefits of app attestation

    Any app that has a server API benefits from app attestation. App attestation has many benefits, including, but not limited to:

    • Preventing API abuse and non-genuine app usage
    • Adding server-side validation to your protection strategy
    • Providing continuous threat detection updates
    • Enabling instant security policy changes

    Prevent API abuse and non-genuine app usage

    Client-side protections greatly strengthen your app's security, especially code hardening techniques and RASP checks. But if the back end lacks insight into the client's trustworthiness, the result can be API abuse. Runtime protection for your APIs is essential to mitigating this risk.

    With app attestation, you’re able to confirm the app attempting to access your APIs is genuine. The security policies that you define in the attestation console contain specific criteria that apps and devices must meet to establish they can be trusted, before access is granted to them. Essentially, it extends the reach of your client-side protections with custom policies based on aggregated threat data. Bots, scripts, and non-genuine apps are stopped in their tracks by denying them authorization. Adding this layer of protection to your real-time threat monitoring capabilities ensures only legitimate applications interact with your APIs at runtime.

    Add server-side validation to your mobile app protection strategy

    App attestation reinforces existing client-side protective measures, such as KYC flows in financial apps, because its server-side configuration is dynamic and flexible. It verifies that the app is genuine and the device is uncompromised before your APIs grant access. This adds another layer of authentication that stops bots and malware before they interact with your APIs.

    Continuous threat detection updates

    App attestation reaches a verdict based on your defined policies, evaluated against the data collected from the app and device. Guardsquare continually researches and can update the underlying detections independently of your app updates or policy changes, keeping your application protected against the latest emerging threats. This helps you keep pace with the iteration speed of attackers, which is becoming more and more important.

    Instant security policy modifications for real-time threat response

    Always-on mobile app attestation and threat monitoring is essential for staying on top of evolving threats. But traditional threat monitoring still requires communication with development teams to incorporate insights into their next sprint. While it protects against future threats, it does not offer an immediate response when one is needed, because the protections live on the client side of the application. This is where the server-side nature of attestation is an advantage. App attestation policies are dynamic and flexible: they can be switched on and off, and they can be updated without initiating a rebuild. When sophisticated threats are identified, security policies are adjusted in real-time, with no deployment required to combat threats in the moment. The risk and impact of these threats is significantly reduced, and your mobile app security remains intact.

    Getting started with mobile app attestation

    Protecting your APIs from unauthorized access and abuse is critical for maintaining a secure and trusted app experience. App attestation provides a frontline defense that ensures only legitimate, trusted apps can interact with your APIs and protects your application from bots, malware, fraud, and targeted attacks. Start leveraging mobile app attestation today with Guardsquare.

    Connect with an expert to learn more today.
