
The science of app-wrapping

By Carlos Montero-Luque, chief technology officer, Apperian, special to Network World
May 07, 2013 01:55 PM ET

Network World - BYOD brings out the classic tension between control of corporate information and individual freedom. It kicks that tension up to a whole new level because the devices belong to the users, while at least some of the apps and information belong to the company and as such need protection and policy enforcement.

One approach to this problem is mobile device management (MDM), but the problem with MDM is that it requires managing a device that belongs to the user. What's more, containerization at the device level compromises the user experience. A better approach is mobile application management (MAM), which can be applied, as the name implies, at the application level, wrapping corporate apps and data, but not wrapping Facebook or Roku.

This approach provides a high level of administrative control while still offering a superior user experience for all mobile applications, both wrapped and unwrapped, so to speak. So let's explore, at a high level, how app wrapping works.


The essential operation of app wrapping lies in setting up a dynamic library and adding it to an existing binary, where it controls certain aspects of the application. For instance, at startup, you can change an app so that it requires authentication using a local passkey. Or you could intercept a communication so that it would be forced to use your company's virtual private network (VPN) or prevent that communication from reaching a particular application that holds sensitive data, such as QuickBooks.

The end result is that the policies set by an administrator become a set of dynamic libraries, which are implemented on top of the application's native binary. On iOS, for example, using Xcode, the developer can take an iPhone Application Archive (.ipa) file, add the dynamic libraries and create a new app that behaves differently when started, or when a certain type of communication happens. The normal call made by an app to an API is now "front-ended" to look in a local dynamic library for instructions.

This technique can be used to create advanced security processes, such as embedding an individual application's communication with an endpoint in a VPN the company controls. This VPN is outside the control of the application, but does not affect how the application looks or functions on the device. This is far superior to the alternative taken by many MDM vendors, which use a device-level VPN that requires all communications from the device to access the corporate VPN. That approach slows performance to a crawl and negatively impacts that most delicate commodity, battery life.

App wrapping can also apply a passkey to the clipboard of the device to intercept cut-and-paste activities. Clipboard contents will be encrypted or turned into illegible garbage if cut and paste is attempted when it's not allowed by the app. The purpose of this intervention is to prevent an employee (or someone who should not have the device) from copying information from a restricted application onto the device clipboard, where it could be made available to other apps on the device.
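The "front-ending" described above, applied to the per-app VPN and clipboard policies, as an added example that is not Apperian's code. It models the mechanism portably with a function-pointer table rather than an injected dynamic library; every name and value in it (`struct api`, `wrap`, `vpn.corp.example`) is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Administrator policy for one wrapped app (constructed sample values). */
struct policy { const char *vpn_gateway; int allow_copy; };
static const struct policy POLICY = { "vpn.corp.example", 0 };
/* Entry points the app calls; models the symbols a wrapper front-ends. */
struct api {
    int (*net_connect)(const char *host, char *hop, size_t n);
    int (*clip_write)(const char *text, char *board, size_t n);
};
/* Bounded copy: 0 on success, -1 if src does not fit in dst. */
static int put(char *dst, size_t n, const char *src) {
    int r = snprintf(dst, n, "%s", src);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}
/* Native behaviour: open the socket to the host, copy text verbatim. */
static int native_connect(const char *host, char *hop, size_t n) { return put(hop, n, host); }
static int native_clip_write(const char *text, char *board, size_t n) { return put(board, n, text); }
static struct api original;  /* native entry points saved by wrap() */

/* Shim: the socket is opened to the corporate gateway, whatever the app asked for. */
static int wrapped_connect(const char *host, char *hop, size_t n) {
    (void)host;  /* in a real tunnel the gateway forwards to this host */
    return original.net_connect(POLICY.vpn_gateway, hop, n);
}
/* Shim: when copy is not allowed, the shared clipboard receives filler only. */
static int wrapped_clip_write(const char *text, char *board, size_t n) {
    char filler[256];
    size_t len = strlen(text);
    if (POLICY.allow_copy) return original.clip_write(text, board, n);
    if (len >= sizeof filler) return -1;
    memset(filler, '#', len); filler[len] = '\0';
    return original.clip_write(filler, board, n);
}
/* "Wrapping": keep the native pointers, install the policy shims in front. */
static void wrap(struct api *a) {
    original = *a;
    a->net_connect = wrapped_connect;
    a->clip_write = wrapped_clip_write;
}

int main(void) {
    struct api a = { native_connect, native_clip_write };
    char hop[64], board[64];
    wrap(&a);
    if (a.net_connect("books.example", hop, sizeof hop) || a.clip_write("acct 1234", board, sizeof board)) return 1;
    printf("hop=%s clipboard=%s\n", hop, board);
    return 0;
}
```

The app's own code is unchanged in this model: it still calls `net_connect` and `clip_write`, and only the entries behind those names differ after `wrap()`.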
