To Wrap or Not to Wrap

There are many tools, technologies and practices that can be used to bolster security on mobile devices. One of the more well known of these technologies is App Wrapping. The goal of app wrapping is to put a layer between the app and the operating system to ensure that the app abides by a set of policies that is acceptable. You could also envision this as putting a sort of sand box or container around a mobile app.

What is wrapping?

Wrapping is the act of taking an existing app and physically modifying the binaries of the app to put a wrapper around it such that the wrapper sits between the apps core code and the operating system. The wrapper can then intercept app actions and allow or disallow functionality as well as add more security as may be desired. In essence, wrapping takes an app executable file and puts it through another piece of software that will wrap it and spit out the wrapped app at the other end in no time at all. The wrapping process typically also injects libraries intended to provide additional functionality/security into the wrapped app.

Who do you trust?

Conceptually there is nothing really wrong with wrapping from a purely software engineering point of view. But like all powerful things this technique can and has been misused over the years. It is a concept that has been used by hackers for years to modify executables on a computer and inject viruses or malware into what would appear to be a trusty program. So the first problem with wrapping is that you now need to trust the programmers who developed the wrapping technology. In many cases companies’ license or white label wrapping technology from other companies, who may in turn leverage libraries created by others. So to trust wrapping technology you need to first understand who all were involved in creating all parts of the wrapping technology and determine if you trust them.

Are you allowed to wrap?

There are many cases when an app vendor will legally stipulate that their apps cannot be wrapped. They do this because they are concerned about putting the quality of their app in the hands of others, because they do not know what changes the wrapping technology will make to their app. There can be financial and legal ramifications if an app does not perform as expected. For all of these reasons it is quite common that many high quality apps cannot be wrapped, legally. So the apps you can wrap, very quickly gets reduced to internally developed apps or those for which you own the IP. If this is the case, it begs the question. Do you not trust your own people? Even so, be aware that wrapping can cause quality issues with your own apps. Note that it is difficult to say that you have consistent and safe security policies if you are allowing a mixture of wrapped and non-wrapped corporate apps on the same devices.

Who to blame?

When you wrap you are physically modifying an existing app and the wrapped app may now have newly injected libraries as well as a different set of APIs as a result of being wrapped. These changes mean that there is a probability that the wrapped app will not work as expected after being wrapped. From our testing of a sample set of apps using some of the wrapping technologies out there, we found that close to 40% of the apps we wrapped did not function as expected after wrapping. It is important to note that the 40% number is likely low, since it is extremely difficult to test all of the usage scenarios of the apps to make sure they were unaffected. But even if a wrapped app does seem to work, when there is problem in the future who should you call for support? Should you call “The app vendor” or “The wrapping company”? All the warranties that come with high quality apps that have undergone rigorous testing are now lost. The app vendor may rightfully question if the operation of the app was affected by wrapping, and may refuse to provide support. The wrapping vendor may as well suggest that the problem was not created by wrapping. The customer is caught in the middle.

The problem of Upgrades

Ok, let’s assume that you managed to jump through all of the hoops and managed to make things work. What happens when the app vendor releases a new version of the app? You can’t grab the new version from the app/play store, or the vendor’s web site, and use your EMM solution to push the new app to your corporate devices. That’s right you need to go through all the hoops again, making sure it is still legal to wrap the new version, wrapping it, testing the app on all platforms, making sure that the wrapped app will work with your old data, etc. To make matters worse, what if there is an update from the app wrapping vendor to perhaps fix a security hole in their wrapping technology, now you need to re-wrap all of your apps. Really, it is a heck of lot of extra work, time, cost and risk.

So how do you secure Apps?

In the early days of mobile, operating systems were not well developed. The security controls and APIs that needed to be built at the OS level were simply not there. To fill these gaps, many solutions arose. But times have changed, mobile operating systems have come a long way. Google, Apple, and Microsoft have been busy. They have strengthening their OS offerings, and have created a rich set of APIs that provide app management as well as many other features to provide enterprises with granular control of corporate applications and data. Containerization of corporate apps and data with rich controls for managing those containers is now native to mobile operating systems.

Companies like SOTI who build Enterprise Mobile Management Solutions (EMM) have built on top of these APIs to give IT administrators the power to set policies to control and secure their corporate assets. Enterprises that have an EMM in place now have granular control over a wide variety of app functions, and can set consistent policies across all of their corporate assets.

The Future

There are special cases when wrapping could just be the right solution, but times have changed from the early days of mobile, and those special cases are now rare. The OS vendors are fully aware of the need for security and have responded with security that is now engrained at the core of modern mobile operating systems, as it should be. Google, Apple, and Microsoft have added the following native capabilities and a lot more:

• A secure app container that isolates corporate apps and data
• Control of which/if any third parties apps can open a secure document
• Ability to disable copy/paste from a corporate approved app to a not-approved app
• Enforce encryption of stored corporate data
• Manage and force encryption for network connections, e.g. enforce per app VPN
• And much more

While every company has a different set of security requirements, choosing an EMM solution that has the right mix of controls can give your organization solid protection as well as other tools that are needed to ensure the success of your mobility projects.

A good EMM solution provides a set of management tools that goes well beyond mobile app management (MAM) policies. The tools included allow management for both white collar/BYOD operations, as well as advanced management features needed for mission critical/application purpose mobility operations. In addition to a rich set of MAM policies they also provide features like, integrated helpdesk, remote diagnostic tools, real-time remote control, device kiosk mode, geo-fencing, speed controls, silent app installation, content management, secure access to intranet sites, reporting, data analytics and much more. The point being that a good EMM solution provides organizations with a rich set of tools, allowing them to choose the right tool for both today's and tomorrows needs. 

To learn more about what SOTI is doing to ensure the security of corporate apps and data, please visit us at www.soti.net or contact our sales team at sales@soti.net