In this post, I will share some lessons learned from projects in which I created mobile apps with cross platform technologies and managed them with an Enterprise Mobility Management (EMM) platform. Most of my experience is with Xamarin in combination with AirWatch EMM, but most of the lessons are applicable to other technologies as well, since they stem from the way EMM systems and cross platform technologies usually operate. If you’re using PhoneGap, Titanium, Citrix XenMobile, GOOD Technologies, etc. you may have to deal with the same gotchas.
DISCLAIMER: innovation in the EMM and Cross Platform Mobile Development area is progressing swiftly. The information in this article may quickly become outdated. I’ll try to revise this post every once in a while.
EMM, BYOD, MDM, MAM?
EMM, or Enterprise Mobility Management, is a broad topic, ranging from making corporate email available on mobile devices to corporate app stores to full-on mobile device management. In projects I’m involved with, EMM usually means that we are dealing with a controlled environment in which the apps that we build are made available and secured through the EMM platform.
Most existing EMM vendors have offered products that support MDM – Mobile Device Management. Traditionally, corporate owned devices are put under MDM, through which the IT department can enforce strict policies and fully control the device, such as wiping it or locking it from a distance once it is compromised. “All your device are belong to us!”
With the rise of the BYOD trend – Bring Your Own Device – many EMM vendors are moving away from pure MDM and are also offering a MAM model – Mobile Application Management. The main distinction is that in the MAM mindset the device is considered property of the employee, and only the apps, and more specifically the data in those apps, are controlled by the company. The device therefore holds both private and corporate assets, something we call a Dual Persona situation. A full device wipe is not an option in that case; instead, an Enterprise Wipe removes only the corporate data, apps and policies and leaves the private data intact.
One important thing to note is that these MAM products are still heavily under development and are not always as stable or feature rich as the MDM tools. There are also a couple of vendors popping up in the market that focus solely on MAM and leave the MDM features behind. Depending on the security requirements within an organization, MAM may not yet be suitable for the situation at hand.
Features and stability aside, the level of support for the different mobile OS-es also varies heavily. Some mobile OS-es are more mature than others in their support of enterprise features, which can either enable or limit an EMM vendor. iOS, for example, has very rich APIs for enterprise management, Android is catching up, and Windows Phone has been adding some of these features since version 8.1. Combined with the slow market adoption of Windows Phone, there aren’t many vendors with rich support for Windows Phone yet.
Tip: be sure to assess the stability of the MAM product on the desired features and support for your target OS-es before deciding on a product.
EMM and Cross Platform Mobile Development
Most EMM platforms offer two ways of securing apps: through app wrapping, or by using an SDK inside the app. These technologies – especially app wrapping – make it very easy for a company to apply and enforce security policies without the developer having to implement these measures in the app’s code. Security measures are thereby standardized and, in theory, applied transparently to the developer. Moreover, app wrapping lowers vendor lock-in, which makes it easier to replace an EMM platform if necessary.
Many enterprise architects are fond of thinking in these generic terms and like to decree things like “security must be applied in a standard and transparent way”, or “thou shalt prevent vendor lock-in”. The features on the EMM vendor’s marketing slides are a perfect fit with these 10,000ft statements, so in theory this sounds great, right?
Companies that build corporate apps and want to support a BYOD strategy have to deal with a wide diversity of device types and mobile OS-es. This means that building apps can become a hassle, unless you use a cross platform mobile development tool or platform. Examples are HTML5, PhoneGap, Appcelerator (Titanium) or Xamarin. At Info Support, Xamarin is the primary tool of choice, so in most of our projects we work with Xamarin. These Cross Platform Mobile Development platforms are also heavily under development and are rapidly improving.
So on one hand, we see the need for transparent and standardized security through app wrapping, and on the other hand we see a desire to build apps in a cost efficient way using cross platform technologies.
So here’s the catch… Combining these two goals can be challenging. For tight integration on the device and secure wrapping of apps, EMM vendors rely heavily on native features of the underlying OS: the wrapper hooks or rewrites the platform’s own networking, file and database APIs. This means that wrapping and the SDK will primarily work well for natively built apps.
Most EMM vendors will therefore not guarantee their product to work with a cross platform app.
Furthermore, EMM and Cross Platform tools are each developing at a rapid but independent pace, which means that the two worlds have not yet come together in a way that guarantees integration.
Tip: when evaluating EMM and Cross Platform tools, look for a combination that works for the most important scenarios. Do a proof of concept, and dig deep to see if it really works. Enterprisey 10,000ft principles won’t work here (if they ever do).
Let’s look at some examples…
Data-in-transit is data that is being sent over the network between the device and a second party, usually a server side API.
EMM platforms typically secure data-in-transit by intercepting network traffic (http/https) and adding extra encryption or routing it through a secure tunnel. For this to work, the wrapper must be able to intercept the app’s network calls, which it does by hooking the platform’s native networking APIs.
The way this works is as depicted in the following figure:
So if you’re not careful, and don’t have a good understanding of how your cross platform framework does networking, network calls may go unnoticed and bypass the security layer of the EMM container. Whoops.
With most cross platform tools, your network calls won’t be intercepted automatically, because the framework often ships its own HTTP implementation rather than calling the platform’s networking API. Mono’s HttpClient and HttpWebRequest, for example, implement HTTP in managed code on top of raw sockets, so the wrapper never sees the request. Unless you have a way to redirect this traffic through the native API layer, it stays invisible. In Xamarin, one way to do this is to use the ModernHttpClient library, which is available as a component on the Xamarin Component Store; it replaces the default HttpClient handler with one built on NSURLSession (iOS) and OkHttp (Android).
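As an added example (my own code, not from the original post, Xamarin or the ModernHttpClient project), here is how HttpClient creation can be centralised in a Xamarin app so that every request goes through ModernHttpClient’s NativeMessageHandler. The SecureHttp class and its https-only rule are assumptions made for this example; whether a particular EMM wrapper actually hooks NSURLSession and OkHttp is precisely what the proof of concept has to establish.

```csharp
// Added example, not part of the original post. Assumes the ModernHttpClient
// component is referenced; SecureHttp is a hypothetical helper for this post.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using ModernHttpClient;

public static class SecureHttp
{
    // One shared client, built once. NativeMessageHandler sends requests through
    // NSURLSession (iOS) and OkHttp (Android) instead of Mono's managed HTTP stack,
    // so they pass through the native layer an EMM wrapper or SDK can intercept.
    static readonly Lazy<HttpClient> Client = new Lazy<HttpClient>(() =>
        new HttpClient(new NativeMessageHandler()) { Timeout = TimeSpan.FromSeconds(30) });

    // Do NOT do this in an EMM-wrapped app: "new HttpClient()" uses Mono's managed
    // implementation, which never touches the APIs the wrapper hooks.
    // static readonly HttpClient Bypassing = new HttpClient();

    public static async Task<string> GetStringAsync(Uri uri)
    {
        // The wrapper's tunnel does not excuse plain http to the corporate API:
        // refuse it at the call site as well.
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Corporate API calls must use https", "uri");

        using (var response = await Client.Value.GetAsync(uri).ConfigureAwait(false))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        }
    }
}

// Caveat to verify in the proof of concept: OkHttp is a library bundled inside the
// APK, not the OS's HttpURLConnection. A wrapper that only rewrites calls to the
// platform classes may still miss OkHttp traffic. Confirm with an intercepting
// proxy (or the EMM console's tunnel logs) that requests from the wrapped build
// really are routed through the container.
```

Route every corporate API call through SecureHttp.GetStringAsync (or a sibling for POST) and ban direct `new HttpClient()` / HttpWebRequest use in code review, otherwise one stray call is enough to leak data outside the container.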
Data-at-rest (DAR) is data that resides on the device, either in memory or persisted on the local storage as a file or database. In some cases, security guidelines may require this data to be encrypted.
Most EMM vendors also promise to support automatic data-at-rest encryption. Also here, carefully read between the lines to discover what level of support you will get per mobile OS.
Most of the time, DAR encryption is added to the app during the wrapping process. For Android, this means that the wrapper rewrites the actual Java (Dalvik) code inside the APK: wherever there is a call to the file I/O or SQLite database APIs, the call is replaced by one to IOCipher or SQLCipher respectively, so local storage in wrapped apps is encrypted automatically.
In a cross platform app, however, the app code usually resides in some shared layer/language inside the APK (a .NET assembly executed by the Mono runtime in the case of Xamarin.Android), and its file and database access goes through that runtime rather than through the Java calls the wrapper recognizes. A wrapping engine looking for Java calls to file I/O or SQLite will therefore not detect them. Unless the wrapping engine is aware of the cross platform tool being used, an app may go into production without the DAR-encryption policy applied.
This means that EMM security cannot be applied “transparently” to the app developer after all, since there has to be a mutual understanding of the tools that are being used and the level of integration between the two. In one of my projects, we had to implement DAR-encryption inside the app ourselves.
A SQLCipher component is available for Xamarin; you can see a presentation on this component on the Evolve 2013 site. There are, however, no C# bindings for IOCipher available. It may be wise to resort to the open source Conceal framework from Facebook.
For iOS, wrapping engines mostly don’t support the same type of automatic DAR-encryption, due to limitations of iOS itself. This means that an app developer has to deal with DAR-encryption anyway.
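As an added example (my own code, not from the original post or the SQLCipher component), the following opens a SQLCipher-encrypted database from Xamarin and includes a check that the file on disk really is encrypted, which is the test to run against the wrapped build when you suspect the DAR policy did not land. It assumes the sqlite-net-sqlcipher NuGet package (sqlite-net-pcl 1.5 or later, where the key may be a byte array) rather than the 2013 Evolve component, and a hypothetical IKeyStore interface whose platform implementations would use the iOS Keychain and the Android KeyStore.

```csharp
// Added example, not part of the original post. Assumes sqlite-net-sqlcipher
// (sqlite-net-pcl >= 1.5) is referenced; IKeyStore is a hypothetical interface.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using SQLite;

public interface IKeyStore
{
    byte[] Get(string name);             // null when no value is stored
    void Set(string name, byte[] value); // platform impl: Keychain / Android KeyStore
}

public class Note
{
    [PrimaryKey, AutoIncrement]
    public int Id { get; set; }
    public string Body { get; set; }
}

public static class EncryptedDb
{
    const string KeyName = "sqlcipher-key";

    // A key hard-coded in the assembly makes the encryption cosmetic: anyone with
    // the APK has it. Generate a random 256-bit key once and keep it in the
    // platform key store, never in the DLL or a preferences file.
    static byte[] GetOrCreateKey(IKeyStore store)
    {
        var key = store.Get(KeyName);
        if (key == null)
        {
            key = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(key);
            store.Set(KeyName, key);
        }
        return key;
    }

    public static SQLiteConnection Open(string path, IKeyStore store)
    {
        // Passing a byte[] key makes sqlite-net issue "PRAGMA key = x'...'", i.e. a
        // raw SQLCipher key, skipping the passphrase derivation step.
        var cs = new SQLiteConnectionString(path, true, key: GetOrCreateKey(store));
        var db = new SQLiteConnection(cs);
        db.CreateTable<Note>();
        return db;
    }

    // Is the file actually encrypted? A plain SQLite database starts with the
    // 16-byte magic "SQLite format 3\0"; a SQLCipher database starts with random
    // salt. Call this after the database has been written at least once.
    public static bool LooksEncrypted(string path)
    {
        var magic = Encoding.ASCII.GetBytes("SQLite format 3\0");
        var header = new byte[magic.Length];
        using (var f = File.OpenRead(path))
        {
            if (f.Read(header, 0, header.Length) < header.Length)
                return false; // too short to be any SQLite file
        }
        for (int i = 0; i < magic.Length; i++)
            if (header[i] != magic[i])
                return true;  // no plaintext header: encrypted (or not SQLite at all)
        return false;         // plaintext header present: NOT encrypted
    }
}
```

The same header check works on the wrapper’s output: pull the database file from a wrapped build (adb on a debug device) and run it, or simply open the file in a hex editor. If the magic string is there, the wrapping engine did not apply SQLCipher to your Xamarin code, whatever the policy screen says.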
An excerpt from the documentation of an EMM vendor on the topic:
iOS supports Data Protection in iOS 6 but requires the application developer to explicitly implement it in the App; there is no way to force data protection from the wrapping engine.
iOS 7 offers Data Protection for all apps as long as the user has set a passcode AND only applies between the time the device has been rebooted and unlocked for the first time.
You can read more in the Apple SDK docs.
Beware that the Data Protection APIs in iOS only have an effect when the user has a passcode set on the device: without one, the protection classes are not enforced, whatever class you request. In a BYOD situation, you cannot always rely on this being the case, so either enforce a passcode through an EMM policy or check for one in the app and protect sensitive data yourself.
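As an added example (my own code, not from the original post, Apple or the EMM vendor quoted above), the following Xamarin.iOS helper writes a file with the Complete protection class, reads the attribute back so a test on the wrapped build can verify it, and probes whether a passcode is set at all. It assumes the Unified API (Foundation and Security namespaces) on iOS 8 or later, where the WhenPasscodeSetThisDeviceOnly keychain accessibility class exists; the service and account names of the probe item are placeholders.

```csharp
// Added example, not part of the original post. Xamarin.iOS Unified API, iOS 8+.
using System;
using Foundation;
using Security;

public static class IosDataProtection
{
    // Store bytes under NSFileProtectionComplete: readable only while the device
    // is unlocked. Use CompleteUntilFirstUserAuthentication instead for data that
    // a background task must reach after a reboot, before the first unlock.
    public static bool WriteProtected(string path, byte[] contents)
    {
        NSError error;
        using (var data = NSData.FromArray(contents))
        {
            bool ok = data.Save(path, NSDataWritingOptions.FileProtectionComplete, out error);
            if (!ok)
                Console.WriteLine("Protected write to {0} failed: {1}", path, error);
            return ok;
        }
    }

    // Read the protection class back; a test on the wrapped build can assert on it.
    public static NSFileProtection? ProtectionOf(string path)
    {
        NSError error;
        var attrs = NSFileManager.DefaultManager.GetAttributes(path, out error);
        return attrs == null ? null : attrs.ProtectionKey;
    }

    // Data Protection is only enforced when a passcode is set, and iOS has no
    // public "is a passcode set?" call before iOS 9. On iOS 8+, adding a keychain
    // item with WhenPasscodeSetThisDeviceOnly fails when no passcode exists, which
    // gives a reliable probe. The item is removed again immediately.
    public static bool IsPasscodeSet()
    {
        var probe = new SecRecord(SecKind.GenericPassword)
        {
            Service = "passcode-probe", // placeholder identifiers
            Account = "probe",
            Accessible = SecAccessible.WhenPasscodeSetThisDeviceOnly,
            ValueData = NSData.FromString("x")
        };
        var query = new SecRecord(SecKind.GenericPassword)
        {
            Service = "passcode-probe",
            Account = "probe"
        };

        SecKeyChain.Remove(query);            // clear a leftover from an earlier run
        var status = SecKeyChain.Add(probe);
        SecKeyChain.Remove(query);
        return status == SecStatusCode.Success;
    }
}
```

If IsPasscodeSet() returns false in a BYOD deployment, the app should refuse to cache corporate data locally, or encrypt it itself under a key that is not derivable from the device alone, rather than trusting the protection class. Enforcing a passcode through the EMM’s device or app policy is the other option, but that only works where the policy can actually be pushed to an employee-owned device.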
Both EMM tools and Cross Platform Development tools are still evolving rapidly. Given the diversity in both product categories, it will be hard to find two tools that integrate perfectly, so you have to be aware of the pitfalls and limitations when combining the two. I would always advise my customers to do a deep technical validation of any proposed solution that relies on an “out of the box” feature of the EMM platform.
I’d be interested in your experiences!