Mobile app management nirvana: Bluebox Security does “app wrapping” for apps from public app stores

Earlier this year, mobile security vendor Bluebox released an app wrapping product with a twist: Unlike just about every other product in the space, it can do app wrapping with apps that come directly from the Apple App Store or Google Play.

This upends the conventional wisdom around app wrapping, and that alone would make Bluebox a notable player. However, on top of that, Bluebox’s app wrapping is also best-of-breed. Bluebox came out of stealth in February of this year.

The conventional wisdom on app wrapping

If you’re not familiar with app wrapping, it’s a technique that can take a generic mobile app and add typical mobile app management (MAM) features after the app was created. Essentially, it takes an app package (.ipa or .apk) and adds a “shell” or “container” around it. That shell then provides management hooks like remote wipe, secure connectivity, authentication, and encryption. After the wrapping process, the new version of the app is re-signed (in the case of iOS, with an enterprise certificate) and distributed to employees.

There was a lot of enthusiasm around app wrapping a few years ago. The idea was that instead of only using special apps that were purpose-built to work with a MAM platform, you could take any best-of-breed app—that was likely lacking suitable management features—and turn it into a secure, enterprise-appropriate app.

The major catch with this is that the conventional wisdom has always been that you cannot wrap and re-distribute apps from public app stores. Instead, you have to obtain app binaries directly from developers or ISVs. This means that app wrapping is inherently limited, because you can’t just wrap any app any time you want. (App wrapping is also used as an easier alternative to MAM SDKs.)

More recently we’ve seen the rise of MAM features built directly into mobile OSes, as an alternative to having MAM built into apps. These make it possible to achieve the original goal of app wrapping and managing any app, but they have their catches, too: You have to manage the entire device, you’re putting all your trust in the device’s integrity, and for Android you’re limited to certain devices.

Since both app-based MAM and OS-based MAM have inherent tradeoffs, a third option that could get in between devices and app stores would have obvious benefits.

The new wisdom of app wrapping?

This is where Bluebox Security comes in: In a reversal of the conventional wisdom, they say that it is permissible to use app wrapping techniques on apps from the Apple App Store and Google Play. (For obvious reasons this is only for free apps.)

Bluebox has had their legal team review all the applicable licensing agreements and regulations, and they regularly meet with both Apple and Google to brief them on what they’re doing. Of course it’s rare that Apple or Google publicly endorses third-party security products, but after talking with Bluebox, I’m quite reassured about everything they’re doing.

You might be wondering why nobody figured this out earlier. Like I said, for a few years now just about all of the EMM industry (including analysts and bloggers like me) has subscribed to the conventional wisdom that wrapping apps from public app stores isn’t allowed.

According to Bluebox, one of the main early issues was that first-generation app wrapping tools weren’t very smooth, so technical problems clouded the conversation. In addition, it was simply too early for there to be significant demand for app wrapping, and EMM vendors had other priorities. So for various reasons, the app wrapping question just never really got solved.

(On a related note, you might also be familiar with MobileSpaces (now a part of Pulse Secure), another EMM vendor that can get in between devices and app stores (though only on Android). MobileSpaces is slightly different from Bluebox, because instead of actually wrapping apps, they utilize a set of alternative storage repositories for app data, providing MAM functionality. (Think of it as something like Windows file system filter drivers, except for Android.) Another company, cheekily called Better, also appears to get in between devices and apps, though at this time it’s not exactly clear what techniques they’re using.)

Bluebox’s EMM product

The concept behind Bluebox is important, but as I said, it’s also backed up by a good product. First off, it has all the standard MAM features you’d expect:

  • Local passcodes
  • Authentication
  • Encryption
  • Remote wipe
  • Multiple options for secure connectivity
  • Geofencing and other conditional policies
  • Control over data flow through document sharing, AirDrop, printing, and cut/copy/paste

And more:

  • Analytics
  • Anti-tampering and anti-reverse engineering
  • Policies on wrapped apps can be updated in real time without re-wrapping apps
  • Offline authentication via key caching is coming in Q4

One of the unique features of Bluebox is selective document-level tracking and security. Since the wrapper can see everything that passes through it, and the device is talking to the wrapper (instead of directly to the app), the wrapper can wipe individual documents that the app writes to local storage.

Bluebox is intended to work in all sorts of situations—it can work in conjunction with other EMM products; it can work on completely unmanaged devices; or it can provide its own MDM.

What does this mean for the industry?

There’s no doubt that wrapping apps from public app stores is a significant leap forward, but we should also put it in the proper context: It’s one of several different MAM techniques that customers will have at their disposal. Still, when a piece of the conventional thinking changes, it’s a big deal no matter what.

Now, does this mean that all EMM vendors will start doing this? That’s hard to tell.

If the answer is yes, then that’s great for the industry, but obviously not as good for Bluebox. But who knows if this is the case? Even though Bluebox has implicitly gained the blessing of Apple and Google to do its thing, that doesn’t necessarily mean that there’s an explicit new precedent and the doors are wide open for others.

If the answer is no, then Bluebox’s unique selling point will continue, and they could become a go-to solution for best-of-breed MAM.

Either way, with Bluebox (and also Pulse Secure and Better) on the scene, it’s clear that we have new ways to think about mobile app management, and that’s good news.

1 comment

You wrote "For obvious reasons this is only for free apps." But why is that? I mean at first, yeah, duh, you don't want people stealing apps that they're supposed to pay for. But from a technical standpoint, how do paid apps and free apps differ? Aren't they both "locked" to a device and/or Apple account? And if so, doesn't Bluebox have to break into this to wrap an app? And if they're doing that and then re-signing an app with an enterprise certificate, why couldn't they do that for a paid app?

Is that a technical limitation, or just something they enforce to be good corporate citizens, or something that's just enforced with a wink?