iOS 7, App Security & Star-Bellied Sneeches

A lot of people are eagerly awaiting Apple’s iOS 7 - none more eagerly than mobility and security professionals. While the new OS is sure to have an impact on the burgeoning enterprise mobile management marketplace, we don’t agree with the prognostications of others that the new release will wipe out entire companies and categories.

Let’s consider some of the new security and management features promised in iOS 7 that might be of interest to the Enterprise:

• Apple is promising a kind of "per app VPN" – but from descriptions we’ve seen, it’s not quite what people might be expecting. Apple’s new VPN is still a basic device-level VPN, though one that "filters" which apps can use it. Apple’s VPN still begins and ends at the edge of the device, not at the app itself. Bringing the VPN tunnel the “last inch” to the app perimeter instead of the device perimeter might not seem like a big deal, but to security professionals, it’s crucial. A true per-app VPN enables apps to create and maintain completely separate and independent encrypted tunnels (which minimizes the risk of cross-app data leakage or sniffing by on-device agents). As such, the iOS 7 VPN doesn’t qualify as a real per-app VPN the way security professionals define one.

• Apple is also promising to extend its MDM APIs to enable certain kinds of app management. For example, a new API would let admins specify which apps are allowed to open email attachments. In theory, that should cut down on corporate data leakage. In practice, we see that iOS 7 will allow admins to configure some settings for apps under management, and as long as the app already has security features built into it, presumably these could be turned “on” or “off” through the new API. But these APIs won’t do anything to add security (like data-at-rest encryption) to apps that didn’t already have it coded in from the start.

• Apple is offering a Kerberos single-sign-on utility as part of iOS 7. So if the app you wrote uses Kerberos authentication, you could use this utility to authenticate users to the app.

So while iOS 7 offers some helpful app controls, the knobs on offer don’t put much of a dent in the Enterprise’s requirements for comprehensive mobile app management and security. Limiting data leakage from the iOS 7 email app is useful, but that doesn’t do anything to help protect against leakage from other apps. And the functionality promised in iOS 7 certainly comes nowhere close to the robust security policy choices available in modern app-wrapping solutions, like Mocana’s Mobile App Protection™ (MAP).

Thus far, Enterprises have used one of a few different strategies for managing apps. Containers and Hypervisors are supposed to separate personal from work content, and prevent work data from “leaking”. But users bridle at these artificial separations, and recent work presented at Black Hat and other venues has called their security utility into question.

Another app-management approach was the SDK. But that meant every enterprise app would need to be re-coded from scratch to work with the SDK, so this approach hasn’t gotten much traction either, mainly because the backlog of apps to deploy is greater than any cumbersome SDK approach can support.

We think the easiest (and most secure) approach is App Wrapping, wherein new security features (like true per-app VPNs) are added to the apps you already have, simply by uploading them to a special portal. No muss, no fuss. No coding! A little bit like how Sneeches got stars on their bellies in that Dr. Seuss book.

App wrapping like that found in Mocana MAP™ allows you to wrap certain critical resources – like a keychain and an IP stack – directly into each app. That helps keep apps and their data safer, even when the device gets jailbroken or infected with malware. Unwrapped apps on iOS 7 must rely solely on the system-level keychain, which is up for grabs once the handset is rooted. Furthermore, app-wrapping enables true per-app VPNs, which create encrypted and authenticated tunnels for data all the way down to your app, even on devices outside your organization, or devices not on an MDM. iOS 7 can’t do that.

App wrapping also lets companies de-couple app security from app development. That lets them focus on making great apps instead of worrying about being adequate cryptographers. Mocana MAP’s integrated browser securely extends access to existing SharePoint instances, corporate intranet sites, web apps, and portals within minutes, across Apple and Android devices, even for devices you don’t manage.

Of course, virtually all modern enterprises are a mix of iOS and Android devices, and the iOS management features do nothing to address Android app management concerns. We certainly don’t expect Apple to solve Google’s problems. But Enterprise admins have to live with both platforms in this brave new world of BYOD. Using a single app wrapping approach for both iOS and Android does a lot more to help enterprise admins simplify and unify security policy than these new iOS features can.

Mocana’s App Security Strategy

For Mocana, the app is the endpoint – and it always has been. Mocana invented modern app wrapping, and while several others have tried to duplicate the technology, most have failed, and consequently some are very quietly stepping off the stage, essentially saying, “Gee, this wrapping stuff is harder than we thought. Well, Apple will probably take care of security for you… see ya!”

We love Apple. We love, love, love Apple. But they (quite understandably) have little vested interest in simplifying cross-platform app management between iOS and Android. It’s important to remember, too, that Enterprise is a relatively tiny market for them. For many of us, though, Enterprise is everything.

The new extended enterprise – the modern organization whose influence transcends the devices it owns and controls, to encompass devices owned by partners, customers and contractors – won’t be made much safer by iOS 7. In order for any of these iOS 7 features to work, the device and app must be managed by an MDM – and that automatically excludes much of the modern extended enterprise.

At Mocana, we don’t believe that iOS’s new app management APIs will adequately address the serious security and EMM needs of most enterprise customers. Most enterprises want (and need) more.

As security geeks, we feel Apple has thrown us a bone in iOS 7. But it’s a pretty meager bone. A cross-platform, drop-in solution like App Wrapping (like Mocana’s Mobile App Protection™) is still the fastest and simplest way to deploy enterprise apps at scale on any device.

We invite you to learn more about Mocana, App Wrapping and Mobile App Protection by visiting us on the web at

Kurt Stammberger, CISSP PMC, is the VP Market Development at Mocana