According to the App Genome Project, 28% of Android Market apps and 34% of free App Store iOS apps can access the user's location, while 7% of Android and 11% of iOS apps can access contacts. Although many do so for legitimate reasons, mobile malware is now growing at an alarming rate, especially on Android. In short, mobile apps are double-edged swords to be wielded with care -- especially on devices used for business.
Mobile application security square-off: App stores versus IT control
Employers long ago developed processes to centrally control OS patch and application installation on corporate laptops. These processes and the platforms that implement them have two goals: to provide workers with the tools they need to do their jobs and to ensure the integrity of their environment.
BlackBerry and WinCE started down this path, but then along came Apple and Android, disrupting the market while putting users in control of managing mobile apps. Today, new iPhones must be individually activated while tethered to each user's computer; OS updates must be installed this way as well.
Worse, users must install their own apps from public marketplaces and are responsible for pulling available updates. And even if they wanted to, employers cannot use that same process to install corporate-licensed or privately developed apps.
Public markets and self-management were instrumental in drawing consumers to iPhones and Androids. But when the "bring your own device" (also called "BYOD" or "BYO device") wave broke and employees began bringing their own smartphones into work, lack of central control became a thorn in IT's side. Vendors are now filling this gap by delivering both mobile device management (MDM) and mobile application management (MAM) tools.
Rein in mobile devices, apps to ensure mobile application security
MDM and MAM are related tools with distinctly different goals. MDM focuses on device activation, enrollment, configuration and monitoring -- tasks required to put a smartphone into service and keep it that way. MAM focuses on software installation, maintenance, usage tracking and auditing -- tasks that, at least today, must be executed differently for public and private mobile apps.
Located at the intersection of MDM and MAM are several related tasks, such as provisioning apps on newly enrolled smartphones based on device type, ownership and user/group affiliation. MDM may be responsible for authenticating the user, inventorying the device and kicking off MAM, which takes the handoff and runs with it. MAM then identifies mandatory and optional apps, locates corresponding packages (and perhaps profiles), pushes either an app catalog or private apps to each device, and records results to facilitate software maintenance, audit and compliance reporting.
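The MDM-to-MAM handoff described above, as an added Python example (not code from the article or from any MDM/MAM product). The rule fields, app ids and function names are assumptions made for illustration, and the sample policy is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:                       # what MDM hands to MAM after enrollment
    device_id: str
    platform: str                   # "ios" or "android"
    ownership: str                  # "corporate" or "byod"
    groups: frozenset
    authenticated: bool             # set by MDM once the user has authenticated

@dataclass(frozen=True)
class AppRule:
    app_id: str
    source: str                     # "private" = IT-pushed package, "public" = catalog entry
    mandatory: bool
    platforms: frozenset
    ownerships: frozenset
    groups: frozenset = frozenset() # empty means every group

ALL_OS, ALL_OWNERS = frozenset({"ios", "android"}), frozenset({"corporate", "byod"})
# Constructed sample policy; the app ids are placeholders.
RULES = [
    AppRule("com.example.vpn", "private", True, ALL_OS, ALL_OWNERS),
    AppRule("com.example.crm", "private", True, frozenset({"ios"}),
            frozenset({"corporate"}), frozenset({"sales"})),
    AppRule("com.example.notes", "public", False, ALL_OS, ALL_OWNERS),
]

def provision(device, rules=RULES):
    """Return the MAM plan for one device; fail closed without an MDM handoff."""
    if not device.authenticated:
        raise PermissionError(f"{device.device_id}: user not authenticated by MDM")
    plan = {"push": [], "catalog": [], "mandatory": []}
    for r in rules:
        if device.platform not in r.platforms or device.ownership not in r.ownerships:
            continue                # wrong device type or ownership class
        if r.groups and not (r.groups & device.groups):
            continue                # user is in none of the rule's groups
        plan["push" if r.source == "private" else "catalog"].append(r.app_id)
        if r.mandatory:
            plan["mandatory"].append(r.app_id)
    return plan                     # stored per device for maintenance and audit

def audit(plan, installed):
    """Compare the recorded plan with the MDM inventory; list missing mandatory apps."""
    return sorted(set(plan["mandatory"]) - set(installed))
```

The recorded plan is what makes the later compliance check possible: `audit` needs only that record and the installed-app inventory MDM already collects.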
In practice, MDM and MAM tasks may be performed by the same system, by two integrated systems or by adding an a la carte MAM module to an MDM platform. However, both MDM and MAM are needed for an IT organization to effectively manage mobile application security. Moreover, traditional IT software management processes must be adapted to meet unique challenges posed by smartphones -- including devices owned by employees.
Mobile app security on a BYO device: Ownership changes everything
According to Forrester Research, more than half of enterprises now provide some degree of support for employee-liable BYO devices. A few provide full IT management of employee-purchased devices, but most offer limited IT support for specified device types and users/groups, enabling secure access to selected enterprise services and applications. The latter has a direct impact on mobile application management.
- First, users expect to install personal apps on BYO devices. IT must not only tolerate self-installed apps; IT must assess risk and take steps necessary to ensure the safety of co-resident business apps and data.
- Second, users expect freedom in BYO device purchasing. Increasingly, IT cannot ban popular consumer smartphones but must instead find ways to selectively embrace them. This often involves installing third-party mobile device management and mobile security apps.
- Third, when users lose smartphones, leave their jobs or otherwise place a provisioned BYO device in jeopardy, IT must be able to stop further access to and use of business apps and data -- preferably without impacting personal apps and data.
Fortunately, MDM and MAM products exist to help IT groups control and secure both personal and business apps installed on iPhones, Androids and other smartphones, even accommodating BYO device needs. In part two of this tip, we will discuss mobile application security best practices and policies, as well as the MDM and MAM capabilities needed to implement them.
About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 25 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs and mobile device security and management, and has written extensively for numerous publications.
This was first published in October 2011