
Mobile App Containers: Product Or Feature?

APPLE AND SAMSUNG HAVE TAKEN BIG STEPS WITH CONTAINERIZATION

Author – Andrew Braunberg

Overview

Secure workspaces, or containers, used for isolating corporate applications (apps) and data on mobile devices are becoming a mainstream approach to mobile security strategies. While software solutions have been on the market for several years, and have even been available as carrier services (as dual persona solutions), adoption has been slow. This is likely to change, however, because the two biggest players in mobile device markets, Apple and Samsung, have embraced the approach. Apple’s recently released iOS 7 supports multiple enterprise-friendly features, including several that allow for a richer capability to separate personal and corporate apps and data.

Samsung has gone even further by embracing containerization within its Samsung KNOX framework.

While the containerization features in iOS 7 are not nearly as comprehensive as the Samsung KNOX container capability, the fact that Apple plays so strongly in the enterprise has generated significant attention on those features. Interestingly, VMware believes that the release of iOS 7 has eliminated the need for third-party container and wrapper technologies on Apple devices. VMware Workspace 1.5 shipped without the iOS application wrapping capabilities that VMware had developed for the product.[1]

Mobile OS vendors and device original equipment manufacturers (OEMs) might well subsume the secure workspace market over time, but Apple would have to continue to extend the features it has only recently introduced, and a broader set of Android device OEMs would need to move in this direction. Regardless of whether containerization eventually becomes a standard product feature, today both Apple and Samsung rely on third-party solutions to provide the server-side components of their container features, which leaves ample opportunity for pure-plays. Samsung has even coined a term for these partners: Mobile Container Management vendors.

[1] http://cto.vmware.com/vmwares-strategy-for-ios-7-and-industry-implications/


NSS Labs Findings

• Apple has introduced rudimentary containerization features in iOS 7 that will meet the needs of some enterprise clients.

• Samsung’s KNOX solution provides an integrated secure workspace on a small but growing number of Samsung devices.

• Apple and Samsung both are reviewing third-party mobile device management (MDM) vendors to extend and fully enable their secure workspace capabilities.

• Third-party secure workspace solutions will continue to find customers, but increasingly as components of much broader enterprise mobility management (EMM) solutions.

NSS Labs Recommendations

• Organizations using Apple products are urged to leverage the new enterprise features in iOS 7, particularly those that enable better app and data segmentation and isolation.

• Enterprises that have been hesitant to allow Android devices onto their networks should examine Samsung KNOX, which adds robust security features to a popular consumer device line.

• Enterprises that have fully embraced bring your own device (BYOD) policies should consider best-of-breed secure workspace solutions to augment the security of these devices.

• EMM vendors, the majority of which have been moving into the secure workspace market, should continue to expand their footprints with the expectation that client-side mobile security features will continue to be subsumed within mobile operating systems.

• EMM vendors should continue to work closely with device manufacturers to add value beyond basic device management in complementary gateway, server, and cloud products.

Analysis

Apple iOS 7

Apple iOS 7 has introduced some techniques to better enable dual persona segmentation on iPhones and iPads. These include the introduction of Managed Open In, and additional MDM configuration controls that make the availability of managed apps and managed accounts much more useful for creating secure workspaces.

Volume Licensing

Perhaps the most important new feature in iOS 7 is the volume licensing support from Apple. This feature allows enterprises to take a more app-centric approach to security. Organizations can now order and deploy apps in bulk, and they have the right to reclaim a license when an employee leaves the organization. There are also no longer geographic (national) usage restrictions on licenses. These improvements make it much easier for organizations to manage applications deployed on employee devices, regardless of who actually owns a device.

Enterprise Management Features

iOS 7 includes several important new enterprise features. The encryption capabilities for app data at rest that Apple introduced in iOS 4 are now automatically enabled on all devices that have passcode lock enabled. All third-party apps now automatically have data protection enabled. Data stored in third-party apps will be protected with the user’s passcode until they unlock the device.

This change has clear security benefits, and it simplifies the app development process. Also now supported by iOS 7 are per-app virtual private network (VPN) connections that enable specific VPN controls on individual managed apps. The ability of administrators to configure, or reconfigure, VPN settings is just one example of a broader capability to enforce managed app provisioning and configuration changes within iOS 7.

This ability to push, delete, and update managed apps on Apple devices provides much richer control to administrators. The distinction between “managed” (i.e., corporate) and “unmanaged” (i.e., personal) apps that iOS 7 allows is most useful in its new Managed Open In feature, which restricts data sharing between managed and unmanaged apps. As the name implies, the Open In feature controls which apps are used to open documents. Managed Open In will not allow a document from a managed app to be opened or shared in an unmanaged app. This restriction can also be enforced the other way, providing additional privacy enforcement for personal data on a device by not allowing it to be opened within a managed app.

An app or account is “managed” when it is provisioned on the device by a mobile device management (MDM) server. Third-party MDM solutions remain an important adjunct to iOS as they are the mechanism for leveraging enterprise device APIs. Managed iOS devices (and accounts) are by definition provisioned and managed by MDM solutions.

Apple’s maturing MDM framework supports the following features:

• Managed accounts: Installation, management, and removal of accounts that provide access to corporate services.

• Managed configurations: Configuration of settings such as passcodes, restrictions, and voice and data roaming policies.

• Managed apps: Installation, configuration, management, and removal of App Store and custom in-house apps.


• Device queries: Scheduled querying of device, network, application, and security information.

• Security commands: Ability to clear a user’s passcode, and remotely lock or wipe a lost or stolen device.

Third-Party Integration

MDM systems interact with iOS devices through the Apple Push Notification Service (APNs). If an MDM server must communicate with an iPhone or iPad, it must first notify the APNs, which will then alert the device to check in with the MDM server. All communication between the device and the MDM server is via an encrypted SSL/TLS connection. The MDM server performs all provisioning and configuration of the managed apps and accounts. These controls are maintained in configuration profiles (XML files), which are signed and encrypted before being installed on the device.

iOS 7 has added several important enterprise features that can be leveraged by MDM partners to create better data isolation for corporate apps on Apple devices. These include:

• Control of Open In – With iOS 7, Apple has introduced a new API that allows information technology (IT) administrators to dictate which apps users can use to open attachments. These controls currently only enforce policy based on whether an app is “managed” (installed through an MDM system) or “unmanaged” (installed directly by the end user).

• Per-application VPN – iOS has supported device-level encryption for some time; however, with the release of iOS 7, the OS now supports application-level VPN connections. To be functional, the organization’s server-side VPN hardware must also support this capability.

• Single sign-on – With iOS 7, Apple has also enabled application-level Kerberos authentication.

• Configure application settings – iOS 7 allows administrators to configure settings for individual apps. This includes installing and deleting apps, as well as specific configurations within the app or managed accounts (for example, server names, Lightweight Directory Access Protocol (LDAP) credentials, and certificates).

Additional Considerations

These features make devices running iOS 7 more secure and more useful in the enterprise, with the Managed Open In feature in particular providing basic containerization capabilities. Unfortunately, it does not allow fine-grained policy controls. Administrators can ensure that corporate documents are opened only in managed apps, but they cannot limit Open In to particular managed apps. For example, any managed app can open any document that is attached to a corporate email account. The only real restriction is that a corporate email attachment cannot be opened in an unmanaged app. (A policy can also be set so that an attachment in a personal email cannot be opened in a managed app.) Clearly, some corporate documents are more sensitive than others. However, beyond the distinction between managed and unmanaged, there are no supported restrictions that are based on document type.
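As an added illustration, not code from the NSS Labs brief or from Apple, the following Python models the Managed Open In policy described above. It reads the two restriction keys Apple defines for the feature, allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged, from a constructed sample configuration profile and evaluates Open In requests against a constructed app inventory, showing that only each app's managed or unmanaged status is consulted, never the document or the particular managed app. The payload identifiers, app names and documents are assumptions.

```python
import plistlib

# Constructed sample configuration profile (not from the brief). The two keys in
# the com.apple.applicationaccess payload are the ones Apple defines for Managed
# Open In; the payload identifiers are hypothetical.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.openin</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.openin.restrictions</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowOpenFromUnmanagedToManaged</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed app inventory: True = installed through MDM (managed),
# False = installed directly by the user (unmanaged).
APPS = {"Corporate Mail": True, "Corporate Docs": True, "Personal Notes": False}

# Constructed Open In requests: (document, source app, target app).
REQUESTS = [
    ("board-minutes.pdf", "Corporate Mail", "Corporate Docs"),
    ("board-minutes.pdf", "Corporate Mail", "Personal Notes"),
    ("lunch-menu.pdf", "Corporate Mail", "Corporate Docs"),
    ("receipt.pdf", "Personal Notes", "Corporate Docs"),
]

def load_open_in_policy(profile_bytes):
    """Read the two Managed Open In flags from a configuration profile.
    An absent key means no restriction, so both default to True."""
    profile = plistlib.loads(profile_bytes)
    policy = {"managed_to_unmanaged": True, "unmanaged_to_managed": True}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            policy["managed_to_unmanaged"] = payload.get(
                "allowOpenFromManagedToUnmanaged", True)
            policy["unmanaged_to_managed"] = payload.get(
                "allowOpenFromUnmanagedToManaged", True)
    return policy

def open_in_allowed(policy, source_managed, target_managed):
    """Decide whether the source app may hand a document to the target app.
    Only each app's managed flag is consulted; the document's type and the
    identity of the particular managed app play no part (the brief's caveat)."""
    if source_managed and not target_managed:
        return policy["managed_to_unmanaged"]
    if not source_managed and target_managed:
        return policy["unmanaged_to_managed"]
    return True  # same side of the boundary: always allowed

def evaluate_open_in(policy, apps, requests):
    """Map each (document, source, target) request to allowed/blocked."""
    return {(doc, src, dst): open_in_allowed(policy, apps[src], apps[dst])
            for doc, src, dst in requests}

if __name__ == "__main__":
    decisions = evaluate_open_in(load_open_in_policy(SAMPLE_PROFILE), APPS, REQUESTS)
    for (doc, src, dst), ok in decisions.items():
        print(f"{doc}: {src} -> {dst}: {'allowed' if ok else 'blocked'}")
```

On a real device the profile arrives signed and encrypted from the MDM server, as the brief notes; the decision logic is the same, and the sensitive board minutes and the lunch menu receive identical treatment because only the managed flag is evaluated.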

Enterprises currently using third-party secure workspace solutions will find the iOS 7 features fairly rudimentary, while organizations that have yet to deploy broader EMM solutions will likely find them a positive and useful evolution in Apple’s products. The new iOS 7 features are, of course, limited to (up-to-date) Apple devices, and in practice only to those Apple devices whose users have allowed some degree of management of the device.

Samsung KNOX

In early 2012, Samsung signaled an interest in expanding the target market for its Android devices to enterprise customers with its introduction of the first Samsung Approved for Enterprise (SAFE) devices. SAFE devices support Samsung On Device Encryption (ODE) and a software development kit (SDK) that allows partners to leverage a richer set of security and management APIs than is found in the base Android build. In February 2013, Samsung further extended its security differentiation with the introduction of KNOX. Containerization is a core component of Samsung’s enterprise security strategy and KNOX framework. The main security features in KNOX[2] are:

• Trusted Boot: a hardware-assisted feature that ensures that the device boots only from an authorized kernel

• TrustZone-based Integrity Measurement Architecture (TIMA): provides a continuous security check of the integrity of the kernel

• Security Enhancements (SE) for Android: leverages the SE for Android kernel, which allows the use of Mandatory Access Control (as opposed to Discretionary Access Control)

• Secure Workspace: provides a secure container for work apps and widgets. The Samsung KNOX Application Container is a virtual Android environment within the mobile device.

Samsung KNOX Application Container

The Samsung container is managed through a third-party MDM system. KNOX secures apps and data within its container through the following features: separation of the data file systems used by the personal space and the KNOX container; encryption of all data within the KNOX container; and isolation of apps and data inside the KNOX container from those outside it. A separate, dedicated encrypted file system is employed for data stored within the container. The data is encrypted using an Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key (AES-256).

Apps that are installed in the container must be wrapped first. Wrapping apps for use on Samsung KNOX devices is a two-part process. Samsung’s web-based, automated app wrapping service unpacks an app’s original Android application package (APK) file in order to extract the app certificate, then repackages the app with additional files to further secure it, and finally adds a new digital signature and KNOX container-specific certificate. Samsung also offers a quality assurance service. Wrapped apps are checked for device compatibility and basic function and are also inspected for malware or “risk behaviors.” Apps that pass the testing may be distributed and deployed through the Samsung KNOX App Store or enterprise app stores.

These third-party and custom apps can be installed either by enterprise IT administrators via MDM or by the end user from the container app store. The KNOX container has the following apps preinstalled: personal information manager (PIM), email, web browser, and device utilities. These are essentially the same apps with which consumer users of Samsung devices are already familiar, but the containerized versions enforce several use restrictions.

For example, users cannot copy-and-paste text or images from the container into the personal space, nor can they access container data (e.g., browser bookmarks) from the personal space or move files from the container to the personal space. With KNOX, Samsung now supports more than 500 policies that IT administrators can use to configure devices through an MDM console. This is in addition to the almost 300 policy controls available through Samsung SAFE. All told, Samsung has exposed more than 1000 APIs, which can be leveraged through third-party MDM solutions. Samsung’s current KNOX partners are: Centrify, AirWatch, SOTI, Fixmo, MobileIron, Famoc, and SAP.

[2] For additional detail, see https://www.nsslabs.com/reports/building-enterprise-ready-android-devices-0

Market Impact

While the Samsung approach to providing a secure workspace offers a more comprehensive solution than do the containerization features found in Apple’s iOS 7, it also requires more from end users and thus has more impact on the user experience. For example, the Samsung approach requires the use of two versions of several core apps, including the native PIM. This may confuse some users. For example, the native calendar found on the personal side of the phone cannot view all events in the PIM on the container side of the device. KNOX is also a value-added feature, whereas the Apple container capabilities are standard features in iOS 7. Current KNOX pricing is per device, and licensing is available on a monthly (USD $3.60) or annual (USD $43.20) basis.

Clearly, enterprise requirements are being paid considerable attention by Samsung and Apple, the two largest mobile device manufacturers. It is also likely that other Android device OEMs will introduce enterprise-friendly features, particularly since Google has shown little interest in baking enterprise-specific features into the core Android kernel. Secure workspaces, enabled by container and app wrapping techniques, are emerging as viable solutions to the dual persona requirements of enterprises that are adapting to the world of consumerized IT.

Enterprises should expect that both Apple and Samsung will continue to mature and extend their containerization capabilities, but on a refresh cycle that is considerably slower than that of third-party providers. Enterprises can find utility in the Apple and Samsung features today, but they should consider their ability to restrict device choice to one device vendor in order to fully exploit these solutions. It is expected that third-party vendors will continue to thrive in the secure workspace market for some time. Even as these vendors are pushed off the endpoint as more container features are baked into the devices, there will continue to be opportunity for managing heterogeneous device ecosystems from the server side.

Reading List

Need for Data Isolation Drives Innovation. NSS Labs
https://www.nsslabs.com/reports/need-data-isolation-drives-innovation

App Hardening to Protect Mobile Device Data. NSS Labs
https://www.nsslabs.com/reports/app-hardening-protect-mobile-device-data

Building Enterprise-Ready Android Devices. NSS Labs
https://www.nsslabs.com/reports/building-enterprise-ready-android-devices-0

© 2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd, Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
[email protected]
www.nsslabs.com

This analyst brief was produced as part of NSS Labs’ independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

       
