Billions of mobile applications were installed on iPhones and Androids last year, bringing benefits and risks to users and employers. Part one of this tip discussed the challenges of ensuring mobile application security, particularly on BYO devices.
Fortunately, IT can use mobile device management (MDM) and mobile application management (MAM) tools to centrally manage both personal and business mobile application security. Here, we discuss mobile application security best practices and policies, as well as the tools needed to implement them.
1. Use acceptable use policies (AUPs) to drive enrollment
For each user and device type, start by defining rules of engagement:
- Which mobile device makes and models can be enrolled for business use?
- What minimum requirements must they satisfy?
- Which corporate networks, services, applications and data are they permitted to access?
- What rights must the user grant the employer to monitor and control device settings, applications and data to manage business risk?
These AUPs should be explicitly agreed to by each user and enforced throughout each device's lifetime.
MDM tools can help IT implement this best practice by supporting over-the-air enrollment of corporate-owned and employee-liable devices. During enrollment, an MDM tool can authenticate the user and prompt for ownership to apply the right AUP, compare device make/model and settings to mandatory requirements, display the AUP and require the user's consent before deciding whether to enroll the device and issue it a certificate.
2. Provision enrolled mobile devices with secure settings
Successful enrollment may depend upon provisioning to satisfy AUP mandatory requirements. Common provisioning best practices to protect against mobile device loss, theft or unauthorized use include settings, passwords and enabling remote wipe. But mobile apps also come into play during provisioning by filling gaps in native mobile device security, properly configuring mandatory apps and disabling unauthorized apps.
MDM tools can implement general mobile security best practices, including app whitelist and blacklist enforcement, by querying each device's hardware and software. If deviations are found, MDM tools can directly disable unauthorized native apps -- for example, by pushing profiles over the air to iOS devices to hide YouTube, FaceTime or other blacklisted apps. Short of removing user-installed apps, MDM tools may support blacklist alternatives such as notifying the user, disabling device synchronization with corporate services or even disenrolling persistently non-compliant devices.
3. Install whitelisted apps to bolster mobile application security
To install missing whitelisted apps -- including mobile apps like firewalls or spam filters to fill native gaps -- MDM tools may hand the ball off to their mobile application management counterparts. Historically, employers managed only corporate-owned device apps, such as BlackBerrys. But experience shows that relying on users to install and configure business or security apps is risky. Using MAM to transparently install and maintain those apps without impacting usability is preferable, even on BYO devices.
Mobile application management tools can help IT implement this best practice by supporting over-the-air app installation and maintenance. Specifically, enterprise application packages, profiles and associated data can be uploaded to an MAM tool and bound to user/device groups. The MAM tool takes responsibility for mapping each user/device to mandatory and optional apps, to be pushed during enrollment and whenever updates become available. Note that this may require the user to first install an MAM agent on the device.
Unfortunately, user-pull marketplaces prevent this process from being used to manage public apps. Instead, mobile application management tools can help IT create a "catalog" of employer-recommended, known-safe public apps. The catalog is composed of descriptions and links to the Android Market or iTunes App Store pages that users must visit to self-install the apps.
Although mobile application management tools cannot force market apps to be installed, they can supply the corporate licensing information and configuration files needed to use those apps. For example, to install a secure mail client on Android devices, an employer might deploy an app catalog to prompt users to install a recommended client from the Android Market and then push a configuration file to the device containing ActiveSync and other security settings.
4. Monitor mobile application security
One big benefit of using mobile device management and mobile application management to automate these mobile application security best practices is establishing a platform with which to track app downloads, installation results and ongoing usage. Complement your enrollment, provisioning and installation practices with continuous mobile application security monitoring to detect outdated, disabled or deleted apps -- including blacklist enforcement. Define mobile application management policies to deal with not only non-compliance, but also mobile device loss and retirement.
For example, MAM tools can push updates for existing enterprise apps and remind users to install updates to public market apps. The tools use daily or on-demand software audits to detect non-compliant devices. Similarly, MDM tools can audit device settings to detect risky or potentially malicious activity, such as a jailbroken iPhone or rooted Android. When auto-remediation is not possible, deciding what to do next is critical.
On BYO devices, look for alternatives that minimize the impact on personal apps and data. For example, removing the native MDM relationship with an iOS device removes all enterprise apps, data and settings installed via MDM, leaving only user-installed apps, files and accounts. For public market or native apps, it may also be possible to remove profiles and settings required to run the app or access corporate data. Save remote device wipe for a last resort. These policies should, of course, be included in your AUP.
As we have seen, there are many facets to securing mobile applications. Using MDM and MAM tools to automate these emerging mobile application security best practices can give IT central insight into and control over mobile application security, even on employee-liable smartphones and tablets. Of course, not every MDM or MAM tool supports all of the capabilities mentioned in this tip. Start by defining the policies that you want to implement and then do your homework, selecting product(s) that can support them.
About the author:
Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 25 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs and mobile device security and management, and has written extensively for numerous publications.