BYOD security: a standards dilemma

Multiple operating systems and a fragmented mobile market have made it difficult to create a one-size-fits-all BYOD security solution. While there's no quick fix to this problem, here are some ways of working around it.

If there’s one thing the mobile industry is known for, it is standards. There are a lot of them. In networking technology you have multiple Wi-Fi standards in use: 802.11 a, b, g, n, ac. In wide area wireless there are GSM, CDMA, WCDMA, LTE. And for mobile OSes you have iOS, Android, QNX, Windows Phone, et al.

The problem for mobile operating systems is that there are too many standards–and none that have the weight in the market to become de facto (as driven by adopters), just like what happened in the PC world when it was Microsoft vs. IBM (who won that one?).

When enterprises could dictate their own individual standards, this wasn’t an issue. But in today’s world of BYOD, this is only getting worse, especially when it comes to mobile software and app management. Each mobile platform has its own app Software Development Kit (SDK) and with consumerisation, very little thought has gone into securing and managing these consumer apps for enterprise users. But as enterprise users adopt these apps for work, this needs to change.

I covered some of the strategies for implementing app management and security in my January research note on containerisation. One method, which we call app specific, relies on a proprietary SDK from one of the multitude of mobile device management (MDM) vendors and has been around for a couple of years now. But at best only 40-50 apps have been developed this way.

The problem is that the management SDK is proprietary to each vendor, so a management tool can only support its specific (hence app specific) app. Plus, pre-existing apps need to be rewritten. Most app developers have held off on committing because of this. Another method is to wrap the app, but getting access to the binary, especially for third-party apps found on public app stores, is difficult, and the result is still proprietary to the application wrapper used for management.

What’s needed is some type of standard that app developers could use and that all MDM and app management vendors could integrate into. Of course, that would mean getting all those vendors to agree on one method, probably some type of open source mobile app management SDK. Then these vendors could compete on managing and securing apps, not on wooing app developers to use their standard. Another method would be to use app wrapping, but separate the admin functions and APIs from the wrapping technology itself. This does have the advantage of quickly adapting existing apps without a lot of recoding.

One well known MDM vendor, MobileIron, is beginning to create an open SDK standard it’s calling (for now) the Open App Alliance, which was mentioned last month on brianmadden. It’s hoping to go public with the details in the next few weeks, but the alliance should include some big app providers, app development tool vendors and maybe even some adopter companies at the start. MobileIron would rather compete on its MDM platform than spend the time convincing adopters and developers to use its proprietary app SDK. One thing missing, at least for now, is other MDM vendors. In the end, their buy-in is essential for this to succeed. Maybe if enough adopters and app providers hop on board, this may convince other MDM vendors to head in this direction. Many of the big MDM vendors I talked to around this are interested, but have not committed yet.

It remains to be seen whether this will have the momentum to move forward. There’s a lot of work left to do and not a lot of time to do it, but in my mind, something needs to be done to alleviate the fragmentation of mobile technology and get apps manageable and secured, and this is at least a step in the right direction.

Phillip Redman is a research vice president in Gartner Research,
