

How to vet and deliver secure mobile apps

With a growing consensus that mobile app management and security are more important than managing the device, IT needs to learn how to implement effective MAM.

IT departments must proactively manage the apps on mobile devices in the enterprise to ensure security and to get the most from the organization's mobility investment.

Mobile devices have become key tools for improving productivity among business users because they allow employees to work when and where they want to. And IT is starting to realize it's not so much the devices that drive productivity as the applications that run on them.

That’s why it’s critical to select the proper apps and manage them in a secure way, rather than focusing solely on device management. Mobile application management (MAM) involves software and services responsible for provisioning internally developed and commercially available mobile apps. MAM enables administrators to control access to apps and ensure data security.

MAM is different from mobile device management (MDM), which focuses on managing devices and ensuring proper security measures are in place on the entire device. MDM also includes provisions for remotely wiping data if a device is lost or stolen. As the enterprise mobility market matures, these two areas of IT management are beginning to merge as many MDM vendors already have added mobile app management capabilities to their products.

Lock down user app selection

The first strategic issue IT should tackle is determining which apps you need to support.

Applications typically fall into several distinct categories. One is the set of native apps that come with the device, including the browser, email, calendar and personal information management software. In some implementations, IT can duplicate those apps with enterprise versions that it can house in secure containers.

Store-bought apps that users can purchase or download for free from public app stores are the largest category of mobile apps. Employees using Apple iOS and Google Android devices at work have an almost infinite selection of business and productivity apps available through those companies' app stores. The selection on other platforms, such as Windows Phone, is much more restricted.

With all those choices out there for users, it’s important that MAM allows enterprises to ban or blacklist certain apps that they find inappropriate or offensive. Those policies may vary based on who owns the device, such as in corporate-owned, personally-enabled or bring your own device programs.

As a general rule, employees are less put off by restrictions regarding company-provided devices than limits placed on personal devices. In either case, devices brought into the workplace must adhere to the organization’s overall policies for security, privacy and appropriate behavior.
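The ownership-dependent blacklist described above, as an added Python example (not from the original article or any vendor's product). The policy layout, app identifiers, device records and the case-insensitive comparison are assumptions made for illustration: a baseline list stands for the organization's overall policy on every device, and the corporate-owned list adds stricter rules on top.

```python
from fnmatch import fnmatchcase

# Hypothetical policy. Patterns are lowercase app identifiers; "*" is a wildcard.
# "baseline" applies to every device; each ownership model adds its own rules.
POLICY = {
    "baseline": ["com.example.filesharing.*", "com.example.keylogger"],
    "COPE": ["com.example.games.*", "com.example.socialvideo"],
    "BYOD": [],
}

def blocked_patterns(ownership):
    """Return the full blacklist for a device of the given ownership model."""
    if ownership == "baseline" or ownership not in POLICY:
        # Fail closed: an unlabelled device must not silently skip the check.
        raise ValueError(f"unknown ownership model: {ownership!r}")
    return POLICY["baseline"] + POLICY[ownership]

def violations(device):
    """List (app_id, matching_pattern) pairs for blacklisted apps on one device."""
    patterns = blocked_patterns(device["ownership"])
    found = []
    for app_id in device["apps"]:
        normalized = app_id.strip().lower()  # assumption: compare case-insensitively
        for pattern in patterns:
            if fnmatchcase(normalized, pattern):
                found.append((app_id, pattern))
                break  # one matching rule is enough to flag the app
    return found

# Constructed inventory, in the shape a management console might export.
INVENTORY = [
    {"id": "dev-001", "ownership": "COPE",
     "apps": ["com.example.mail", "com.example.games.puzzle"]},
    {"id": "dev-002", "ownership": "BYOD",
     "apps": ["com.example.games.puzzle", "Com.Example.FileSharing.Sync"]},
    {"id": "dev-003", "ownership": "BYOD", "apps": ["com.example.mail"]},
]

def compliance_report(inventory):
    """Map each device id to its list of policy violations."""
    return {device["id"]: violations(device) for device in inventory}

if __name__ == "__main__":
    for dev_id, hits in compliance_report(INVENTORY).items():
        print(dev_id, "NON-COMPLIANT" if hits else "compliant", hits)
```

The same game is flagged on the corporate-owned device but allowed on the personal one, while the file-sharing app is flagged on both because it is in the baseline list.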

For paid applications, Apple offers a volume discount plan, which IT also needs to manage. Typically, your mobile app management platform can track the number of licenses in use and recover licenses when employees leave the company, allowing you to reassign those licenses to other workers.

Invest in ISVs or custom apps

Many organizations have not progressed beyond native and store-bought apps, but a company can achieve the biggest productivity gains by integrating mobility into line-of-business processes. However, not all organizations have the expertise -- or the budget -- to develop customized apps for their various job roles. One useful shortcut is to use apps developed by independent software vendors (ISVs).

ISVs such as Oracle, SAP, McKesson and Cerner offer professionally developed suites that allow mobile access to their systems. Whichever of these back-end platforms the organization deploys, it can allow mobile users to efficiently access that data without having to invest in a major development effort.

If the task the app must accomplish doesn’t fit into one of those easy-to-deploy categories, the organization should consider custom application development. Many companies have developed a customer-facing app, but far fewer have developed custom apps for internal or business-to-employee use. The marketing or digital channels groups typically develop and maintain those customer-facing apps rather than IT, which means the apps usually don't meet enterprise security and management standards.

However, the complexity of developing a mobile app that works on all the required platforms is increasing. That’s where mobile app development platforms such as those from IBM, Sybase, Antenna, Appcelerator or Kony come into play. These platforms allow developers to write one version of the app that can run on different systems.

Control through containerization

When an organization develops custom apps for internal use, MAM becomes entwined with mobile content management. Those apps can have access to countless back-end systems and a hoard of sensitive data. So, IT departments need to ensure that none of that information gets out of its control.

To respond to this challenge, MAM providers now often incorporate data loss prevention (DLP) techniques into their systems. The standard DLP method MAM providers use is a secure container, which is a separate encrypted region on the device, designed to store corporate information and applications apart from the user’s personal apps and data. Within the container, IT can enforce measures such as data encryption, app-level security and compliance controls, and secure communications for access to resources behind the firewall.

App containerization embeds security libraries within a custom app. Although applications in public app stores generally cannot be included in the container, many EMM or MAM suppliers do the next best thing and develop containerized versions of popular apps.

Another way to secure an application is through app wrapping, where those security libraries are incorporated into the mobile app binary. The beauty of app wrapping is that the developer doesn’t need to build those components into the original app. To wrap an application, you need the app file, the authentication certificate and the password for the certificate.

The other option for delivering secure mobile apps is via a software development kit (SDK). With the SDK approach, the developer actually builds the security components into the app. This option is more technically challenging, but the advantage is that the organization gains more granular control over security.

Look to enterprise app stores

In addition to enforcing policies for acceptable applications, EMM or MAM products typically allow organizations to operate their own internal app stores to distribute custom apps. The ability to distribute and update apps is a major asset, but forward-looking organizations use enterprise app stores for other purposes, too. Internal app stores give IT a way to communicate with users and suggest apps proven to be effective in different job roles. The downside is that internal app stores can usually distribute only custom-developed apps.

Enterprises have begun to recognize the value of a well-managed MAM initiative. Vetting and managing secure mobile apps should now be a top priority for CIOs and mobility managers.
