App hardening emerges as a key component of mobile security strategies
The consumerization of information technology (IT) takes many forms, but three technologies that employees have grown comfortable with as consumers and now want to use at work stand out: mobile devices, cloud services (for example, file storage), and social networks. All three raise security and compliance concerns for enterprises because their use is difficult to control. IT teams lose the ability to enforce IT and security policy because employees can use these technologies to create shadow IT operations on their own.
While each of these three technologies is having a far-reaching impact on enterprises today, mobile devices have the greatest impact because they make it easier for employees to access both cloud services and social networks. Securing the use of mobile devices is therefore a critical requirement for businesses today. Securing a device that might be owned by an employee, and is therefore unmanageable, is a tall order, however. A better strategy is to assume the device is untrustworthy and to establish trust at the application level instead. Secure mobile apps can be built that are isolated from the rest of the device.
In practice, however, many mobile apps lack even basic security features. This is not surprising given that most mobile apps are focused on consumers and that time to market is a particularly critical metric in the mobile world. In a perfect world, app developers would have the time, expertise, and inclination to include appropriate security features in their software products. But, even for enterprise applications, this is not typically the case.
Two important classes of app hardening tools are available in the market today to help address this issue. Several software vendors sell software development kits (SDKs) that assist app developers in building security features into their app development life cycles. While these tools simplify the process of hardening apps by reducing the expertise required to add security features to apps, they still require a significant commitment in time and resources.
This is why app wrappers have emerged as an alternative method for app hardening. With app wrappers, security functionality similar to what SDKs provide during the development process can simply be added to existing mobile apps. Typical features found in app wrapping and SDK products include:
- Authentication (for example, app-level passcode enforcement)
- Encryption of data at rest (for example, FIPS 140-2 validated cryptography)
- Encryption of data in motion (for example, app-level VPN support)
- Content controls (for example, copy-and-paste and “open in” restrictions)
- Jailbreak detection (Android and iOS support)
For a more detailed look at the app hardening market and the players in the SDK and app wrapper segments, see the recent analyst brief "App Hardening To Protect Mobile Device Data".
For the last 18 years, NSS Labs’ Research Director Andrew Braunberg has focused on the market landscape, trends and innovations in technology, initially as a technology journalist and then as Research Director at Current Analysis for the Business Technology and Software group. His core areas of focus include Enterprise Mobility and Network Security. Andrew holds a BS from Rensselaer Polytechnic Institute in Engineering Physics, and an MA from George Washington University in Science, Technology, and Public Policy.