I read about an approach to BYOD and mobile security that involves taking various applications -- consumer and enterprise -- and applying an application wrapper around them to implement encryption, security protocols and other measures. Do application wrappers provide adequate security, and is this approach better than mobile device management software?
Enterprises have a wide range of mobile device management (MDM) and mobile application management (MAM) products to choose from to help manage their BYOD environments. The problem with MDM is that it takes a full-device approach to securing and controlling smartphones and tablets that can be too heavy-handed in situations where employees own their devices. MAM, on the other hand, offers more granular control, but is limited to the security capabilities of a mobile device's underlying operating system. While vendors like Microsoft, Google and Apple continue to improve the security of their operating systems, they can never be 100% secure, and poorly written apps can enable hackers to exploit potential vulnerabilities.
Most MAM products operate on the assumption that the mobile apps being used on BYOD devices have been built to function securely and protect the data they process. A recent report from Bluebox Security shows this is a false premise, as more than 50% of developers surveyed admitted to using shortcuts or temporary solutions to produce their app faster, with 96% using third-party software frameworks that were potentially insecure. This "rush and release" approach leaves many apps without basic security controls or privacy policies, and sometimes causes them to contain coding errors that leave them and the device vulnerable to attack.
App wrapping is a way of modifying mobile application binaries to give them more security and management features, and it can play a useful role in a MAM scenario. The application wrapper applies a management layer to a mobile app by "wrapping" it inside a new single containerized program that has the desired app-level MAM capabilities built in. The process doesn't require any changes to the underlying application -- it does require access to the application binary -- but it still enables an administrator to set specific policy elements, such as whether user authentication is required, whether data encryption is on by default, and whether data associated with an app can be stored on the device or shared. It's a useful approach when devices, such as various Android phones and tablets, lack sufficient device-level MAM features. An application wrapper can also be a useful tool when managing devices using an MDM product isn't practical, which is often the case in BYOD environments where there's an abundance of contractors or other third-party users.
Unfortunately, as application wrappers can change the behavior of an app and have the ability to re-sign and redistribute it, they introduce various licensing issues that the industry as a whole is still undecided on. The general consensus is that using application wrappers falls foul of the rules of public app stores; otherwise, anyone could wrap an existing app and redistribute it. The Apple Developer Enterprise License Agreement that came out with iOS 9 has new language in it that prohibits the practice of app wrapping public apps. Bluebox Security, which previously provided app wrapping for public apps, no longer offers application wrappers for apps from Google Play or the Apple App Store. Microsoft maintains that the only way to manage Microsoft apps is with Microsoft Intune or by using a device-level MAM.
The case for using application wrappers may be diminishing as mobile device OS vendors are introducing built-in separation features for work and personal data and applications. In addition, software vendors targeting the enterprise market are making their apps more manageable via MAM. However, an application wrapper can still provide an additional layer of security on top of that provided by the OS, or in the case of apps built in-house, abstract the implementation of MAM and security features from the general development process. There are various vendors offering app wrapping products such as Mocana Atlas Appliance, Citrix and AppSense, Nukona -- now a part of Symantec -- and OpenPeak, but enterprises should ensure they fully understand any licensing issues before developing an app wrapping strategy.
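The management layer described above, as an added example that is not from the article or any vendor's product: it models the wrapper as an I/O layer placed between an unchanged app and the device, enforcing the policy elements the text lists (authentication, encryption, local storage, sharing). WrapPolicy, DeviceIO, NotesApp and WrappedIO are hypothetical names, the SHAKE-256 keystream with an HMAC tag is a standard-library stand-in for the authenticated cipher (such as AES-GCM) a product would use, and a real wrapper rewrites the app binary rather than receiving an injected object.

```python
import hashlib, hmac, os
from collections import namedtuple

WrapPolicy = namedtuple("WrapPolicy",   # the policy elements named in the text
    "require_auth encrypt_data allow_local_storage allow_sharing", defaults=(True, True, True, False))

class DeviceIO:                         # constructed stand-in for platform storage/share APIs
    def __init__(self): self.disk, self.shared = {}, []
    def write(self, name, data): self.disk[name] = data
    def read(self, name): return self.disk[name]
    def share(self, name, target): self.shared.append((target, self.disk[name]))

class NotesApp:                         # the unmodified app: it only calls the I/O it is given
    def __init__(self, io): self.io = io
    def save(self, name, text): self.io.write(name, text.encode())
    def load(self, name): return self.io.read(name).decode()
    def export(self, name, target): self.io.share(name, target)

class WrappedIO:                        # management layer interposed by the wrapper
    def __init__(self, inner, policy, key):
        self.inner, self.policy, self.unlocked = inner, policy, False
        self.enc, self.mac = (hashlib.sha256(t + key).digest() for t in (b"enc", b"mac"))
    def unlock(self, credential_ok): self.unlocked = bool(credential_ok)  # assumed auth result
    def _gate(self, allowed, what):
        if (self.policy.require_auth and not self.unlocked) or not allowed:
            raise PermissionError(what + " denied by wrapper policy")
    def _xor(self, nonce, data):        # keystream XOR: stand-in for AES-GCM, see lead-in
        ks = hashlib.shake_256(self.enc + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))
    def _tag(self, blob): return hmac.new(self.mac, blob, hashlib.sha256).digest()
    def write(self, name, data):
        self._gate(self.policy.allow_local_storage, "local storage")
        if self.policy.encrypt_data:
            nonce = os.urandom(16)
            body = self._xor(nonce, data)
            data = self._tag(nonce + body) + nonce + body
        self.inner.write(name, data)
    def read(self, name):
        self._gate(True, "read")
        data = self.inner.read(name)
        if self.policy.encrypt_data:
            tag, nonce, body = data[:32], data[32:48], data[48:]
            if not hmac.compare_digest(tag, self._tag(nonce + body)):
                raise ValueError("stored data was modified")
            data = self._xor(nonce, body)
        return data
    def share(self, name, target):
        self._gate(self.policy.allow_sharing, "sharing")
        self.inner.share(name, target)  # forwards what is on disk (ciphertext if encrypted)
```

Constructing `NotesApp(WrappedIO(DeviceIO(), WrapPolicy(), key))` leaves the app code untouched while every save, load and export passes through the policy checks.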
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)