The science of app-wrapping

BYOD brings out the classic tension between control of corporate information and individual freedom. It kicks that tension up to a whole new level because the devices belong to the users, but at least some of the apps and information belong to the company and, as such, need protection and policy enforcement.

One approach to this problem is mobile device management (MDM), but the problem with MDM is it requires managing a device that belongs to the user. What's more, containerization at the device level compromises the user experience. A better approach is mobile application management (MAM), which can be applied, as the name implies, at the application level, wrapping corporate apps and data, but not wrapping Facebook or Roku.

This approach provides a high level of administrative control while still offering a superior user experience for all mobile applications, both the wrapped and unwrapped, so to speak. So let's explore, at a high level, how app wrapping works.


The essential operation of app wrapping lies in building a dynamic library and adding it to an existing binary so that it controls certain aspects of the application. For instance, at startup, you can change an app so that it requires authentication using a local passkey. Or you could intercept a communication so that it is forced to use your company's virtual private network (VPN), or prevent that communication from reaching a particular application that holds sensitive data, such as QuickBooks.

The end result is that the policies set by an administrator become a set of dynamic libraries layered on top of the application's native binary. On iOS, for example, using Xcode, the developer can take an iPhone Application Archive (.ipa) file, add the dynamic libraries and create a new app that behaves differently when started, or when a certain type of communication happens. The normal call made by an app to an API is now "front-ended" to look in a local dynamic library for instructions.

This technique can be used to create advanced security processes, such as embedding an individual application's communication with an endpoint in a VPN the company controls. This VPN is outside the control of the application, but does not affect how the application looks or functions on the device. This is far superior to the alternative taken by many MDM vendors, which use a device-level VPN that forces all communications from the device through the corporate VPN. That approach slows performance to a crawl and negatively impacts that most delicate commodity, battery life.

App wrapping can also apply a passkey to the clipboard of the device to intercept cut-and-paste activities. Clipboard contents will be encrypted or turned into illegible garbage if cut and paste is attempted when it's not allowed by the app. The purpose of this intervention is to prevent an employee (or someone who should not have the device) from copying information from a restricted application onto the device clipboard, where it could be made available to other apps on the device.

Most mobile devices have some form of native encryption, but app wrapping can significantly raise the protection bar by providing encryption certified to Federal Information Processing Standard (FIPS) 140-2. When corporate data is at rest on the device, app wrapping can protect it using FIPS 140-2 Level I Suite B encryption libraries, the same level used by the U.S. Department of Defense Logistics Agency. It is decrypted only when the correct passcode is entered. Therefore, if an unauthorized party acquires the phone, they won't be able to read the data even if they succeed in downloading it.

When a user "jailbreaks" an iOS device or "roots" an Android device, they essentially remove all operating-system-level protections against fraudulent or malicious use. Effective app wrapping technology, at the server level, must be able to detect whether a device has been jailbroken or rooted, then trigger a mechanism that prevents all enterprise-installed apps from running.
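The following is an added simulation, not Apperian's or any vendor's code, of the "front-ending" described above: the admin's policy becomes a layer that replaces the app's own API calls, gating startup on a local passkey and the server's jailbreak verdict, forcing network traffic through a per-app VPN, and keeping copied text inside the wrapped app so other apps only see an opaque handle on the shared clipboard. All names (Device, App, wrap_app) and the string routes are constructed for illustration.

```python
import secrets

class Device:
    """Shared device state: the system clipboard and the server's jailbreak verdict."""
    def __init__(self, jailbroken=False):
        self.clipboard = ""
        self.jailbroken = jailbroken

class App:
    """Unwrapped app: touches the clipboard and the network directly."""
    def __init__(self, name, device):
        self.name, self.device = name, device

    def start(self):
        return "running"

    def connect(self, host):
        return f"direct:{host}"

    def copy(self, text):
        self.device.clipboard = text

    def paste(self):
        return self.device.clipboard

def wrap_app(app, passkey, force_vpn=True):
    """Front-end the app's API calls with policy checks (the dynamic library's role)."""
    vault = {}  # copied text stays inside the wrapped app, keyed by an opaque handle

    def start(entered_passkey=None):
        if app.device.jailbroken:       # server-side verdict: no enterprise app may run
            return "blocked: device jailbroken"
        if entered_passkey != passkey:  # local passkey gate at startup
            return "blocked: passkey required"
        return App.start(app)

    def connect(host):  # per-app VPN: the route is decided here, not by the app
        return f"vpn:{host}" if force_vpn else App.connect(app, host)

    def copy(text):
        handle = f"mam:{app.name}:{secrets.token_hex(8)}"
        vault[handle] = text             # other apps only ever see the handle
        App.copy(app, handle)

    def paste():
        raw = App.paste(app)
        return vault.get(raw, raw)       # own handle -> real text; foreign text unchanged

    app.start, app.connect, app.copy, app.paste = start, connect, copy, paste
    return app
```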

Of course, it is inevitable that, at some point, a phone or tablet will become lost, and both the corporate and personal data on it is at risk. In these scenarios, app wrapping offers at least two remedies.

One remedy remotely removes the applications and data over which the enterprise has established control. At the server level, effective app wrapping technology keeps an inventory of all applications deployed by the company. Any other apps or data are assumed to be personal.

If needed as a fail-safe mechanism, the server can do what MDM companies routinely do, which is remotely lock or wipe the phone so that it is unusable by anyone. The problem with this approach in the MDM world is that it's the only option, so users are understandably hesitant to report their devices missing: they know that all their personal apps and information will be wiped when they tell IT that the device is missing.

There are times when wiping the device makes sense, but it's better (from everyone's point of view) to wipe out sensitive corporate information without impacting the user's own apps and data. Most of the time, pictures of the 6-year-old's smile with the missing teeth can be preserved while sensitive corporate data is safely wiped. Since apps and data are synchronized, that corporate data is preserved on the server anyway (and hopefully the user knows how to keep that semi-toothless grin backed up as well).

App wrapping resolves many of the deficits of the essential enterprise mobility conundrum -- how to protect data while delivering a user experience on par with consumer devices. Setting controls at the app level gives enterprise IT far finer-grained and more even-handed control than the draconian "on/off" conditions or the downgraded performance and user experience of prior solutions. With techniques like app wrapping, enterprise mobility and BYOD will reach their full potential as indispensable platforms for productivity.

Stories by Carlos Montero-Luque, chief technology officer, Apperian
