About a year ago, I wrote about Bluebox Security, a company that was challenging some of the usual assumptions about mobile app management by providing app wrapping for public apps. Apple has recently given a definitive answer on this issue, and the answer is no. Even though that particular door is closed now, Bluebox has plenty else to do by providing MAM for in-house enterprise apps and now consumer apps. Last week I spoke to Adam Ely, the co-founder of Bluebox, and Pam Kostka, CEO, to learn more.
New app wrapping stance
If you’ve followed mobile app management and app wrapping, you know there have been questions about it for years. Most people have assumed that using app wrapping to modify and then redistribute apps downloaded by public app stores was against various licensing agreements. But Bluebox wanted to challenge that assumption, and according to their interpretation and after conversations with Apple and Google, they determined it was okay to do for free apps.
That’s changed now, though. The Apple Developer Enterprise License Agreement that came out with iOS 9 has new language in it that Bluebox says definitively answers any remaining questions about app wrapping for public apps and prohibits the practice. As a result, Bluebox is no longer providing app wrapping for apps from the Apple App Store. (Other people I've spoken to in the EMM industry agree, too—it's a closed door.)
So far there hasn’t been any similar move from Google, but Bluebox is no longer offering app wrapping for apps from Google Play, either.
Use cases for app wrapping public apps began to decrease when iOS 7 first introduced built-in work and personal separation features; now with additional advances in iOS 8 and 9 and Android for Work, the uses cases are diminishing further. On top of that, more ISVs are making their apps manageable and enterprise-friendly in various other ways.
As I’ve said many times before, mobile app management is complicated, and there are tradeoffs with all techniques. Without being able to wrap public apps, there are some situations that could be difficult. If you need to manage an app and you can’t make arrangements with the ISV to add MAM features, and you can’t use device-based MAM frameworks or they don’t meet your needs, then you could be out of options. (Though virtual mobile infrastructure could provide an option.)
This doesn’t mean app wrapping is dead!
It’s still often desirable to have an app with built-in MAM and security features that devices—even iOS 9 and Android for Work devices—can’t provide. For this reason, SDKs and app wrapping will be around for a long time. And as many have pointed out, app wrapping is valuable because it can abstract the implementation of MAM and security features from the actual development of the app.
Naturally Bluebox is continuing their work with app security for enterprise mobile apps. To recap my previous coverage of Bluebox, their product has many of the MAM features you’d expect, like identity integration, encryption, remote wipe, secure connectivity, share controls, and other conditional policies. In addition, Bluebox provides other security features like anti-tampering and anti-reverse engineering, analytics, jailbreak and rooting detection, honeypots, and dynamic policy updates.
In August, Bluebox made an announcement about open distribution, which means that apps secured by their technology can be used alongside other MDM platforms or enterprise app stores. Especially considering that there are a lot of vendors that just leverage OS-level MAM techniques, this makes a lot of sense.
Bluebox’s next move is in the consumer space; they released a version of their product aimed at B2C developers in November.
As you can guess, there are a lot of consumer apps that don’t have great security. Bluebox had customers that were using their product for employee-facing apps and also wanted it for consumer-facing apps.
The app wrapping approach is good for the consumer space, too, because of how it abstracts security implementation from development. There are all sorts of issues common in B2C app development, like outsourcing, lots of third-party libraries, and contracts that don’t cover extra security development.
We had an interesting conversation earlier this year about what features you’d want to implement in a consumer app versus an enterprise app. (Like should a consumer app be able to function on a jailbroken phone?) But in general, even outside of banking and health apps, the stakes can still be pretty high—companies don’t want customers to get around paywalls or redistribute hacked versions of their apps.
Now we finally have an answer to at least one question about mobile app management, but I don’t expect the space to settle down any time soon. There’s still a long ways to go before enterprise app management is “solved” or at least routine, and we’ll continue to see companies like Bluebox come out with new innovations.