MobileSpaces is the most brilliant and unique mobile app management solution I’ve heard of all year.

MobileSpaces can essentially manage any Android app on any Android device.

Recently I became acquainted with MobileSpaces, a mobile app management startup that has a completely unique solution for Android: MobileSpaces can essentially manage any Android app on any Android device. Before we dig into it, though, I want to take a second go over the current state of mobile app management

The conventional MAM landscape

For a while now, mobile app management has mostly only been available for special mobile apps that have management and security features built directly into them. (This is known as third-party MAM or containerization.) There are a variety of ways to get these special manageable apps, but no matter what, they’re just a small subset of all apps in existence. The good news though is that if you're able to use these specially-modified apps, there’s less of a need to worry about managing the devices they’re running on.

One of the big stories of 2013 has been the rise of MAM features built directly into mobile operating systems (OS-enabled MAM). Examples include Samsung KNOX, VMware Horizon Mobile, and iOS 7. With this type of MAM, administrators can manage any app they want, not just certain special apps (though with KNOX, the apps have to be sanctioned by Samsung). Naturally, this type of MAM requires the device to be managed, and for Android-based solutions, fragmentation means that only certain devices will have these features.

If you’re tasked with making sure that work data can’t be leaked into personal apps, then you pretty much have to deal with the two options I just outlined, each with its own tradeoffs: Third-party MAM works for only a subset of apps, but can run on any device, while OS-enabled MAM can work with any app, but only works on a subset of devices, and the devices have to be managed. If you’re okay with having work and personal data mix, then you have some more options, but overall the point is clear: there are tradeoffs no matter what.

Enter MobileSpaces

This is where MobileSpaces, a mobile app management startup founded in 2011, comes in. For iOS 7, they offer MAM by utilizing the MDM protocol, just like many other EMM vendors.

For Android, MobileSpaces has a proprietary solution that works with any app and works on any device (without need to manage the device, either). When David Goldschlag, the CEO of MobileSpaces, first told me about this I was incredulous, but as we dug into the details of how they do it, I realized that they had come up with a completely new and unique type of mobile app management.

How does MobileSpaces work?

MobileSpaces can provide its functionality thanks to the modular way Android is built. Android provides users’ apps with various frameworks and built-in apps that give access to the file system and other resources such as contacts, cameras, photo galleries, calendars, sharing, and so on. All mobile OSes provide resources in a similar way, but what makes Android special is that it’s possible to replace any of the built-in resources with alternatives versions.

This is exactly what MobileSpaces does—it provides a set of apps that act as alternatives for various system resources. You can see where this is going. By controlling which particular apps may access these alternate resources and by controlling under what conditions they may do so, corporate data can be kept separate from personal data and apps. MobileSpaces calls the set of corporate resources the “app virtualization layer.”

Under normal circumstances, when a user launches an app, it can access and interact with all of the resources that are normally available on Android—the user’s contacts, calendar, the internet, SD cards, and so on.

To access corporate data, first the app virtualization layer (the collection of MobileSpaces resources) must be activated. After that, the app is launched, and now instead of having access to the user’s personal data, it instead can access the corporate data. To be be clear, it’s the same instance of the app, it’s just presented with a different set of resources. You can think of it like the equivalent of a file system filter driver in Windows.

To make this useful as a MAM solution, a few more things have to go on. To prevent just any app from accessing the app virtualization layer, MobileSpaces provides an agent app that acts as an app launcher. (This app is also used for enrollment.) Instead of users launching apps into the app virtualization layer on their own, MobileSpaces presents a list of apps that administrators have approved for use in the corporate environment. The user selects an app from the list, and MobileSpaces launches it. (It’s also possible for users to make shortcuts that appear on their home screen, but the concept is the same—the shortcut launches MobileSpaces, and then the corresponding app is launched.)

The result is that corporate data can only be access under special conditions, and it cannot be shared outside of the MobileSpaces environment. The corporate environment can be password-protected, encrypted, and wiped remotely, and network connections can either be routed through a VPN or be passed directly to the internet.

When the app virtualization layer is not activated, all of the corporate data is just like any other private app data. The only way for another app to access it would be if the device were rooted, and to that end, MobileSpaces includes root detection functionality.

Where this could go

For right now this article is just scratching the surface of how MobileSpaces works and all it can do (I’d love to spend an hour in front of a whiteboard with them and get a video) but you can get the idea for now. Their Android mobile app management solution is completely different from anything else that I’ve ever heard of. The fact that it can work with any app and that it can work on any unmanaged device is game-changing and revolutionary. Instead of the tradeoff between third-party MAM and OS-enabled MAM, we now have a third option without the tradeoff.

There are more places this concept could go, too. One idea that MobileSpaces is working on is being able to dynamically pass personal calendar or contact data through the corporate app virtualization layer, so that apps can use both sets of data concurrently.

Of course, this doesn’t absolve companies of the need to figure out how to provide mobile access to corporate resources in the first place. They still have to figure out things like mobile file syncing and how to mobilize existing apps, and third-party MAM, containerization, and specialized devices will still have their place.

Having said that, this brand new option for MAM is something that we should be excited about. It’s certainly the most unique solution I’ve learned about all year, and I hope we hear a lot more about it in 2014.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

If MobileSpaces can work with any Android app, what's to prevent a user from just launching the app directly and/or changing what helpers are registered with it? (I ask just because I'm curious as to how they work, not because I think this is a loophole.)

Also if what they have is so good, what do you see for their future? Do they stay on their own? Do people really buy this instead of MobileIron or Airwatch? Or does someone buy them?

I wonder if their techniques are patentable or whether they just have a 6-month head start over the competition?


Good questions, I'll ping them to pass them on. For the future, on one hand there are a lot components that other EMM vendors have that MobileSpaces doesn't have, and MobileSpaces would have a steep ramp ahead of them if they tried to compete directly with them. On the other hand, I do think this concept (barring any loopholes or caveats nobody has thought of yet) really does have a place in the array of EMM technologies. So maybe MobileSpaces starts forming partnerships or licensing the technology?


MobileSpaces indeed works with any app, but the user cannot select which set of resources the app sees.  The virtualization layer presents separate resources to the Workspace apps, while personal apps can only interact with the non-virtualized resources.  The user sees it as two instances of the same app, running concurrently but seeing different resources, filesystem, network, etc.

To give a concrete example, let's look at the Contacts resource.  Android stores the contacts in something called Contacts Provider, and when an app wants to access the contacts it interacts with this provider.  An app inside the Workspace cannot see the real Contacts Provider.  Instead, it is presented with a virtualized instance of that provider, providing contacts from the corporate account.  The same app outside the Workspace would see the real Contacts Provider, with personal contacts, but would not be able to see the virtualized provider with the enterprise contacts.

The same is true for any content provider, filesystem, network interface, and any other resource we virtualize.

With regard to patents, our techniques are patentable and we have filed a series of patents starting in December 2010.


Hi Jack,

Why haven't you mentioned MAM Wrapping?

Isn't wrapping a third MAM flavor which can handle a lot of third party apps without managing the device?

(Maybe not "any app" but most of them probably)

Yoav and the guys from MobileSpaces - Kudos! Eager to see how it develops :-)

Are you in TA?


Hi Ron,

You are right that app wrapping can handle most any app without having to do MDM, but the issue is that you need to get access to the package (.apk or .ipa) itself, which isn't possible directly with apps directly from the Apple App Store or Google Play. You could get the package directly from the ISV, but if the app is already in a public store, then this could be prohibited by app store rules.


Hi Ron,

App-wrapping can handle certain types of apps and early on we considered it, but decided to go with virtualization instead.  The advantage of wrapping is that it is relatively easy to develop, but the benefits of virtualization far outweighed the development effort.

As Jack mentioned, wrapping requires modifying and redistributing the app.  It works for apps developed in the enterprise, but not for apps from public appstores.  That requires the consent of the ISV and might break the rules of public appstores.  With virtualization, we don't need to modify or redistribute apps.  They come straight from the public appstore to the device.

There are also technical challenges that were easy to overcome with virtualization but would've been difficult with wrapping.  For example, many Android apps rely on GCM (Google Cloud Messaging).  MobileSpaces Workspace, being a full virtual device, run Google's framework and support such features.  Supporting features like GCM by wrapping would be tricky.

A good example of apps that wouldn't work well with wrapping is Google Apps.  MobileSpaces Workspace can run apps like gmail, google drive, quickoffice, etc. and use an enterprise Google Apps account.  Doing the same by wrapping would be difficult technically, due to things like GCM, and would also require Google's consent for redistributing a modified version of their apps.

Another thing that wrapping wouldn't let us do is connecting the Workspace to the enterprise VPN.  With our virtualization layer, if the enterprise uses VPN, e.g. Cisco AnyConnect or Junos Pulse, they can install the publicly available VPN client inside the Workspace and have it appear as an endpoint in the corporate network.  We seamlessly attach Workspace apps to the VPN.  With wrapping, you'd have to implement proprietary tunneling solutions rather than leverage the existing apps and infrastructure.

We believe virtualization is the right approach to solve the problem.  The hard part was to do it as a normal app and have it run on any device without modifying the operating system.  Our architecture does just that.

And yes - we're near TA.