Better Mobile Security is one of a handful of vendors pioneering a new “third” category of mobile app management (MAM): getting in between apps and devices. These techniques have a lot of promise, but at the same time they’re still a long way from being mainstream.
What is the “third” category of MAM?
Over the last few years we’ve been talking about two main categories of mobile app management: (1) You can have specialized apps with built-in management features, or (2) you can use a device that has mobile app management and work/personal data separation frameworks built into the OS. Both of these techniques have their tradeoffs: you have to have either a specific device or specific apps. (More on that here.)
To get around these tradeoffs, a new “third” type of MAM finds a way to get in between apps and devices so you can manage “any app on any device.” The problem is that with the tight bonds between mobile devices and public app stores—and in particular Apple’s tight control of iOS—the conventional wisdom has always been that there was no way to do this without jailbreaking or rooting devices.
However, this obstacle is falling away.
Better Mobile Security
Better Mobile Security, a New York City-based startup, has apps for iOS and Android that provide both MDM and MAM functionality. Here’s a quick run-down of their main features:
- The Better agent app is just like any other app, working entirely within the user space on normal, non-rooted and non-jailbroken devices.
- The Better app can observe the behavior of other apps on the device in order to identify malicious activity.
- The Better app can apply management and security policies to other apps in order to protect corporate resources. Examples include: encryption; wiping app content; preventing apps from launching; disabling cut and paste and other content sharing; VPN; and requiring users to authenticate before an app is allowed to launch. None of this requires app wrapping—this all works with any app (though Better does offer app wrapping, too).
- The Better app can also interface with devices’ built-in MDM APIs.
- There’s an off-device management service to set policies and analyse apps.
I got a live demo of most of these features back at AirWatch Connect in Atlanta with Senai Ahderon, the founder of Better, and Azi Cohen, the executive chairman, and believe me, I was completely blown away.
How does this work?
You can see that Better is pretty interesting, because as I mentioned before, it does things that we’ve all assumed weren’t possible with modern mobile OSes—especially Apple iOS. How do they do it?
Obviously there’s a lot of secret sauce involved. But for their part, Better says their agent app does not violate any of Apple’s security mechanisms, sandboxing, or policies. They say that it does use some non-public APIs, but that those APIs are not private APIs.
The Better agent is not available in the Apple App Store or Google Play. Better says this is because they want to keep attackers from reverse engineering it. On the other hand, any app that can prevent other apps from launching would probably have a hard time getting approved.
Better isn’t alone in providing this “third” type of MAM. There’s also Bluebox Security (with a slightly different app wrapping-based approach) and Pulse Secure (which has an "app virtualization" technology for Android). (You can find articles on them here and here.)
Of course Apple isn’t likely to come out and publicly endorse these approaches—that would involve admitting that iOS isn’t 100% perfect and secure. Gasp! But clearly there’s a need for security-oriented customers to go deeper into devices as well as a general desire to avoid the trade-offs of existing MAM techniques, and it’s great that Better (and others) are serving this need. For the near term I think it’s likely that Apple will continue to be hands off on this.