Sierraware Blog

Wrap Gifts, Not Apps: The Problem with App Wrapping for BYOD


As employees bring their own devices to work, IT teams face an assortment of challenges, from managing mobile apps on a myriad of different devices to backing up and restoring business data. But bar none, the greatest burden for IT staff is securing business data on mobile devices.

The Good, the Bad, and the Ugly
(in Reverse Order)

The Ugly: the BYOD phenomenon has spawned an array of new security risks. These risks include data breaches caused by lost and stolen phones, data exfiltration from insiders, wireless or man-in-the-middle attacks, and mobile malware.

While the insider threat might not seem daunting, a lack of oversight makes it easy for employees to abuse trust. From their mobile device, employees can easily open sensitive email attachments and then upload them to a cloud-based storage site and then—poof—they are gone.

The Bad: Lost and stolen phones are the top mobile security risk for organizations. Thieves steal a whopping 3.1M smartphones every year.[i] Users can also simply lose or misplace their phones. Unfortunately, both scenarios expose organizations to data loss. An experiment by Symantec revealed that 96% of people that find a lost phone will attempt to access sensitive information such as an HR or password file stored on a recovered phone.

The Good: Malware, the cyber-attack of choice in the PC world, has only penetrated a small percentage of mobile devices. But risks increase dramatically on jailbroken phones.

Mobile Device Management: Intrusive
Mobile Device Management (MDM) can help reduce mobile security risks. With MDM, IT administrators can remotely wipe lost devices, control which apps can be installed on a device, and manage encryption settings. However, MDM solutions cannot monitor app usage or prevent insider abuse.

Moreover, employees aren’t thrilled about corporate-mandated MDM solutions. In a recent report by Webroot, 55 percent of respondents would be extremely or very concerned if their employer could access personal data and 47 percent are concerned about personal data being wiped by an employer.[ii]

The Rise of Mobile App Ma nagement and App Wrapping
To satisfy privacy concerns and app auditing requirements, mobile security vendors have introduced Mobile Application Management (MAM). MAM solutions can manage, monitor, and secure individual apps. MAM relies on secure containers or app wrapping to protect custom apps.

With app wrapping, MAM vendors provide customers business apps developed by the MAM vendor or by app partners with built in security controls. These apps typically include email programs, contact lists and secure browsers.

Alternatively, organizations can wrap their own apps by integrating code from the MAM vendor’s software development kits (SDKs) into their app. SDK integration is only available if organizations have developed their own apps.

While application wrapping avoids the privacy concerns introduced with MDM, it also imposes its own unique set of problems.

Unwrapping App Wrapping
While app wrapping provides greater control over mobile apps without intruding on users’ personal data, it is not practical for most organizations.

The drawbacks of app wrapping and MAM include:

  • MAM vendors that offer pre-wrapped apps only support a small number of apps. As of May 2015, Google Play featured 1.5M apps while Apple App Store hosted 1.4 million apps.[iii] MAM vendors support a miniscule fraction of total apps, preventing organizations from supporting the business apps they need.
  • Employees might dislike apps developed by MAM vendors. Some MAM vendors offer their own browser, email and calendaring apps. Unfortunately, your employees may complain that these apps are not as feature rich as their favorite browser, email client, or calendar app.
  • SDK integration can be costly. Some MAM vendors offer SDKs that allow organization to wrap their own apps. Unfortunately, app development can be costly for smaller businesses, especially if businesses need to support multiple types and versions of mobile devices.
  • Lack of coverage for all types of mobile devices. Employees with Blackberry, CyanogenMod, Windows Phone, and Firefox OS devices may be unable to access mobile resources if MAM vendors do not support these platforms.
  • Even with app wrapping, sensitive data is still stored on devices. While MAM security measures like strong authentication and data encryption drastically reduce the risk of data loss, if phone owners choose weak passwords, then phone thieves may still gain access to sensitive apps and data.

As a result of these shortcomings, organizations may want to consider alternative approaches to mobile security before plowing ahead with an investment in MAM.

Alternative BYOD security solutions like virtual mobile infrastructure (VMI) mitigate security risks by preventing data from being downloaded and stored on mobile devices. Organizations can monitor app activity to prevent insider abuse and data loss. To learn some of the use cases for VMI, check out our choose your own adventure eBook, “What Virtual Mobile Infrastructure Can Do for You.”


[i]  Consumer Reports study

[ii]Fixing the Disconnect Between Employer and Employee for BYOD”, Webroot

[iii] Statistica, 2015