What's the role of mobile anti-malware? Currently there are more questions than answers.

Whenever mobile malware is in the news (which is pretty often), questions always come up about the role of anti-malware in enterprise mobility management environments. The problem is there’s not very much consensus on mobile anti-malware, and there are more questions than answers. For today’s article I want to do some thinking out loud and take a look at some of these issues.

No consensus

First of all, there’s not much consensus about enterprise mobility management in general. There’s even less agreement about whether or not it’s necessary to use mobile anti-malware, how to use it, or if mobile malware is something we should even be spending our time worrying about at all.

Traditional security vendors talk about mobile anti-malware more than pure-play EMM vendors

No doubt you’ve noticed that mobility vendors tend to fall into one of two camps. There are traditional security vendors who talk a lot about anti-malware and antivirus, publish reports about malware threats, and sell products with words like “security,” “shield,” or “protection” in the name. Then on the other side there are the pure-play EMM vendors who talk less about anti-malware and more about mobile device management, mobile app management, other new M-X-M acronyms, and enabling mobile access to corporate data and applications. Which do you go with? It depends! (Probably a lot on whether you ask the desktop folks at your company or the security folks.)

Mobile devices place us in a good starting point

To look at the wider picture for a second, at least we have a better security starting point for mobile than we have for desktops. Mobile OSes benefit from sandboxed apps, limited permissions, and apps that by default only come from curated sources. There’s no question that mobile devices create a far more friendly and forgiving environment than the internet and desktop computers of 10 or 15 years ago. (Though on the other hand, mobile devices could be considered less secure because they’re portable, always connected to the internet, and the data on them is very “personal.” Plus we have all the traditional threats we’ve been facing for years: physical access, compromised networks, social engineering, etc. But you get the point—mobile OSes are a whole different ballgame than desktop OSes.)

Yes, mobile malware exists

This part is pretty simple. Yes, mobile malware does exist. Even if there’s not consensus about how much of a problem it really is, it’s there. That even includes apps in the Apple App Store. Having said that, by all accounts the vast majority of mobile malware is just for Android, the majority of that exists outside of the Google Play store, and a lot of the really nasty stuff only works on rooted devices.

We really have to worry about ALL the apps, but that’s why we have app reputation

Besides apps that are outright malicious, we still have to worry about the fact that almost any app can intentionally or unintentionally be used to leak corporate data. This is where app reputation services come into play—they use a variety of techniques to learn about the risks posed by various apps.

In most cases, there are higher priorities than anti-malware

Consider three points: First, even though the tools exist to blacklist mobile apps, I’ve never met any IT pro who wants to be in the business of policing what apps users have installed on their smartphones and tablets unless they absolutely have to. Then you have the fact that a lot of people don’t want to (or, for various reasons, can’t) get into managing devices in the first place. And if you’re not managing the device, then anti-malware is a moot point, because there’s nothing you can do about user-installed apps. Finally, a more pressing issue for those dealing with mobility is enabling access to email, documents, and other enterprise resources so that users don’t have to go rogue in order to work from their mobile devices. Taken together, these all point to mobile anti-malware being a lower priority.

Security vendors will have to be more like EMM vendors

All this means that traditional security vendors have to make sure they also do a good job of providing other aspects of EMM, and not just anti-malware. Fortunately some are starting to do this already, though they still tend to be behind what the pure-play EMM vendors are doing.

EMM vendors have to answer to the malware threat

This doesn’t mean that the pure-play EMM vendors can rest. We’ll need apps that can keep corporate data secure on hostile, unmanaged devices and anti-malware and app reputation when it’s needed. There’s some crossover here, too, as several EMM vendors have partnerships with anti-malware and app reputation vendors.

What do you make of this?

Like I said, for today I’m just thinking out loud about mobile anti-malware and app reputation. For sure this is something to keep an eye on, but for now it seems like we have more pressing issues to worry about first. What do you think—is this where you are today? Am I way off base? Where does anti-malware and app reputation fit into your plans?


So what's the actual risk or threat here? If I decide to say, "No, I'm not going to worry about malware protection," am I putting myself in a compromising position?

What really strikes me is your statement that you can't protect against malware unless you're getting involved in between the device and the user's ability to download whatever apps they want. So does that mean if I'm not doing full-device-control old-school MDM that I have no chance?

Are there mobile malware protection products that let users download whatever they want, but then they, what.. delete? disable? the apps that the malware tool deems as bad?

Put another way. All your best practices are about the dual-persona, containerize your corporate apps, etc. So if I have that.. if I'm only worrying about protecting the corporate container on my devices, then does that mean I have no practical ability to stop malware that users get on their own? If so, am I back to just making sure my corporate container is good and sort of "damn the torpedoes with whatever the users do on the personal side?"

Of course we also have the rooting issue, but I feel like if a user roots their phone, then they've essentially undermined anything I'm doing anyway since they'd be running under the corporate sandbox.

I dunno.. I'm having a hard time seeing how mobile device malware protection offers any practical value. Given the best practices you outline in your book with dual persona and everything, can you articulate a scenario or use case where mobile malware protection is worth a damn? Because to me it seems like it's not at all??


In most cases, the anti-malware apps can’t delete or disable other apps on their own, but obviously they can take other actions like warning the user or temporarily disabling corporate apps.

But like you said, if you’re not managing the device, then for iOS it is damn the torpedoes. Your apps can do jailbreak detection, but then on top of that the jailbroken device could lie to your apps, and then we’re back in that ‘thieves will be thieves’ situation. On Android normal apps can look up the installed packages, so you could still take action in the corporate apps even if you couldn’t do anything about the device.

For devices that are managed (like for when you want to use the native email client or other built-in MAM capabilities) then you gotta figure it’s a good idea to know what’s going on, even if you’re not doing anything about it or only using a very light touch.

But really, I don’t know. I haven’t heard many (or any that I can remember) stories from the wild about companies using mobile anti-malware. (Yet?) Maybe we’re still in a honeymoon phase? Because on the one hand, it could be a real problem, and if so, that conflicts with the goal of “hey, let’s not worry about the device.” On the other hand, right now most people aren’t concerned? Like I said, I’m thinking out loud here, wondering if it will become standard practice like it is for desktops, or if the fundamental nature of mobile devices means that in most situations it won’t have to become standard practice.
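As an added illustration of the Android point in the reply above (this is example code written for this page, not code from the article or any vendor it mentions): a corporate container app on an unmanaged device can itself check for root indicators and enumerate installed packages, then decide how to treat its own corporate data. The placeholder package names, the Play Store installer check and the three-level verdict are assumptions; the comment on root reflects the reply’s own caveat that a rooted device can lie to the app.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/** Device-posture check a corporate container app can run itself on an unmanaged Android device. */
public final class DevicePostureCheck {
    public enum Verdict { ALLOW, WARN, LOCK_CORPORATE_DATA }
    // Google Play's installer package name; anything else means sideloaded or from a third-party store.
    private static final String PLAY_STORE = "com.android.vending";
    // Constructed placeholder package names; a real deployment would feed this from an app-reputation service.
    private static final Set<String> RISKY_PACKAGES = new HashSet<>(Arrays.asList(
            "com.example.placeholder.riskyapp", "com.example.placeholder.adwarekit"));
    // Common root indicators. A rooted device can hide these, so a clean result is not proof of integrity.
    private static final String[] SU_PATHS = { "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su" };

    public static Verdict evaluate(Context ctx) {
        // Root is the strongest signal: a rooted device can lie to the app, so lock rather than trust other checks.
        if (looksRooted()) {
            return Verdict.LOCK_CORPORATE_DATA;
        }
        // Normal apps can enumerate installed packages without any device management.
        // On Android 11+ this needs a <queries> declaration or QUERY_ALL_PACKAGES, or the list is filtered.
        PackageManager pm = ctx.getPackageManager();
        List<ApplicationInfo> installed = pm.getInstalledApplications(PackageManager.GET_META_DATA);
        Verdict verdict = Verdict.ALLOW;
        for (ApplicationInfo app : installed) {
            if (RISKY_PACKAGES.contains(app.packageName)) {
                return Verdict.WARN;  // known-risky package present: warn before opening corporate data
            }
            boolean systemApp = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            String installer = pm.getInstallerPackageName(app.packageName);  // null when unknown
            if (!systemApp && !PLAY_STORE.equals(installer)) {
                verdict = Verdict.WARN;  // sideloaded or third-party-store app: weaker signal, keep scanning
            }
        }
        return verdict;
    }

    static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        return false;
    }
}
```

The app can only act on itself (hide or wipe its own container, prompt the user, report posture to a backend); as the reply says, without device management it cannot remove or disable other apps.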


Brian, I think you're right, there is little value in mobile anti-malware products at present (though I would still run Avast on an Android device personally). They are largely reactive so new threats are often not detected until late in the game, by which time Apple or Google would have had the ability to invoke their app kill switches on devices anyway. The key with Android devices is I believe to use the MDM restrictions available to prevent the use of app stores other than Play, or just not to use Android at all. No secure container is ever going to be 100% but if you choose something that is FIPS 140-2 compliant you're probably doing the best you can - or better still add 2FA to the container.


sandbox the sandboxes


Talk about hypocritical IT folks who do not want to police users' phones but have no issue policing their laptops and other connected devices.

This reminds me of the saying "It's not my job..."

I think many of us know that mobile malware is uncommon and that may be the justification but not the means for protecting company data. It is this mentality that allows hackers to go unknown for so long.

I am a firm believer in protecting company information even to the point of remote wiping devices (that is Draconian!) but to put your head in the sand is not a policy; it's silly ignorance.


@Jack Would love to read more about this space from you in the mobile world. It's a big gap that is compelling enough for many people I know to switch EMM providers amongst all the noise.