Enterprise app stores are all the rage, but do they solve the BYOD security conundrum?
The short answer: “no.”
The trend that Forrester Research famously dubbed the “consumerization of IT” is, just a short time later, accepted practice in the modern workplace. We see it every day, as workers migrate off of older generation cell phones to powerful smart phones like the iPhone and Android devices and companies abandon the enterprise friendly Blackberry platform en masse. Security has taken a back seat, as it often does. In just one measure of this phenomenon, Price Waterhouse Coopers found in its latest “Global State of Security” report that 88% of consumers use a personal mobile device for work purposes. Alas, just 45% of the companies responding to the PWC survey said they had a security strategy to address personal devices in the workplace. An even smaller share - 37% - said they had taken steps to protect those devices from malicious software. “Technology adoption,” PWC concluded “Is moving faster than security.” Nowhere is the push and pull of technology adoption and security more evident than in the running debate over the wisdom of BYOD – or “bring your own device” – policies. And one of the biggest bones of contention in the BYOD debate is over mobile application stores. Employers who have embraced BYOD have a lot more confidence in the integrity of Apple’s iOS and Google’s Android operating system than they do of either company’s application marketplace. There’s a good reason for their apprehension. Most of the malicious activity in the mobile space has come by way of malicious applications that were downloaded from official and unofficial application marketplaces. As Veracode’s Tyler Shields noted here in May, mobile application related risks are among the most serious in the mobile space. (http://www.securelist.com/en/blog/208193641/Find_and_Call_Leak_and_Spam)
So what’s a security-conscious enterprise to do?
An emerging consensus is that a “walled garden” approach – in the form of closed enterprise-specific mobile application stores - is best. The concept has attracted the attention of both large companies and venture-funded startups. Cisco Systems has its AppHQ and SAP’s SAP Store offering a platform for enterprises to offer their own mobile app stores. Companies like Zenprise have followed suit. Just this week, the mobile security firm Good Technologies acquired enterprise app store startup AppCentral to compliment Good’s mobile device management platform. There are rumors, as well, that Apple, itself, may get into the enterprise mobile application marketplace business, allowing companies to manage their mobile device population with branded versions of the iTunes app store. Employees can still use their own phones and tablets at work – but enterprises have more control over what they can do with them. Perfect, right? Well, maybe not. True: enterprise mobile app stores provide a much needed management infrastructure for mobile applications and a choke point for security-conscious firms that want to support BYOD. By shutting out the long tail of dodgy and possibly malicious applications, they close off a pathway for malware, spyware and other mobile threats. But it’s also true that enterprise application stores are only as good as the storekeeper. They don’t ensure security or privacy so much as provide a safe environment- mostly by channeling mobile users into downloading “brand name” applications rather than knock offs. However, recent events remind us that malicious applications are only part of the problem. Enterprises have more to fear from the larger population of apps that aren’t malicious, but are deceptive – or just poorly constructed. Reporters at the Wall Street Journal exposed how a majority of the 101 top mobile applications for iOS and Android collected and shared personal information from mobile device users with advertisers and business partners. Typically, that information was wholly unrelated to the ostensible purpose of the application, including the user’s phone ID, geographic location and personal information. In the context of enterprise data, such ‘oversharing’ poses both security and risk management problems. And enterprise app stores do nothing to shore up holes in the larger mobile ecosystem or the mobile software stack. In the case of Android devices, for example, enterprise app stores won’t change the fact that half of all Android devices are using older and vulnerable versions of that mobile OS. Unlike RIM’s Blackberry, enterprises have no ability to update their employees’ Android phones, while handset makers and carriers are often slow to push out their own updates. And security experts like Jon Oberheide of Duo Security warn that companies concerned about mobile threats might want to consider the less visible parts of the mobile stack, such as the drivers and other binaries (Oberheide calls them “bloatware”) that often ship with common handsets from HTC, Samsung and consumer-focused carriers. Any of those vulnerable components (and there are lots of them) might reasonably be the target of a sophisticated attacker. Embrace enterprise app stores? Sure. Why not. But be aware that, without the ability or know-how to properly audit handsets and the white-listed applications your company is promoting to employees, you’re doing little more than pushing responsibility for your security onto “brand name” application development shops, handset makers and the like. That might turn out to be a safe bet. Or it could not.
Where does this leave enterprises?
Where they started – in a situation with lots of potential upside (increased worker mobility, productivity and job satisfaction), but some clear downside, and no easy fixes. No surprise: enterprise app stores are no panacea and companies that want to secure their BYOD environment will have both build the walled garden and do a careful job of cultivating it and keeping the weeds out.