Choosing the Right Security Controls for Consumer-Orientated Mobile Apps... And Why EMM Does Not Work
Author: Denis Joannides
Posted on November 21, 2016
In this blog I would like to explain why an enterprise mobility management (EMM) solution does not work for consumer apps. Consumer apps are different because you cannot control the device. Instead of focusing on device security, you need to focus on app security. Because you have no control over the device, the security needs to be more advanced, layered and end-to-end in order to protect your data.
Why EMM does not Work
Enterprise Mobility Management (EMM) is a staple of many organizations, providing the tools to give mobile workers the freedom to use the enterprise apps they need on their devices whilst providing assurance and security. An EMM implementation can include the protection of both corporate and employee-owned, “bring-your-own” devices (BYOD) and give an enterprise the confidence to allow access to internal systems or sensitive data with the appropriate controls in place.
While EMM has been successful for many organizations in enabling a remote workforce, it does not necessarily suit consumer-orientated secure mobile apps in industries such as banking or payments; the reasons for this are threefold.
EMM works well in an environment where the organization has significant control over the devices being managed; either they are owned by the corporation which is therefore disposed to configure them as they see fit, or employees of the company agree (or acquiesce) to controls being added to their personal device.
However, EMM is an imperfect fit for consumers. In a consumer environment the end user of the device is significantly removed from the technologies, processes and procedures that make EMM work inside a corporation: their touchpoint with the app they are installing is the app store, which naturally gears apps towards simple installation and initialization processes. Anything over and above these expectations is likely to make consumers look elsewhere.
EMM is an Intrusive Technology
With EMM being an imperfect fit in terms of the consumer experience, EMM technology also tends to be intrusive, with features and functionality that may put consumers off using a given app. For example, the majority of EMM solutions involve a mobile device management (MDM) app that is installed on a user’s device. MDM alters the configuration of the device to ensure minimum standards of security are met and allow the enterprise administrator to take corrective action in the case of loss or theft.
Whilst technologies such as MDM can be appropriate for corporately- or employee-owned devices, in a consumer or BYOD environment users are unlikely to be happy to install such applications on their devices: the idea of installing an app that could allow an unknown administrator to remotely control your phone is, again, likely to encourage consumers to look for apps that do not implement such features.
EMM is a great solution for organizations that can exert considerable control over the devices they manage, but consumer-orientated mobile apps require an alternative, application-centric security solution that meets a number of criteria:
Is self-contained i.e. deployed and removed with the app;
Provides security for the entire data journey, from app to backend to compensate for having fewer controls on the device;
Is easy for the consumer to comprehend and act upon without explicit domain knowledge;
Provides a frictionless user experience (UX).
In terms of technologies and approaches, consumer-orientated mobile apps are therefore likely to employ one or more of the following:
Multi-factor authentication: Many consumer apps employ authentication mechanisms that require more knowledge to use an app than simply unlocking the device. The solutions are varied but will be easy for a consumer to understand and use and may include biometric or known secrets from other sources to ensure only an authorized person can use the app;
Easy onboarding: Consumers need to be identified so they can be linked to the internal systems. The level of identification depends on the organization. In some cases entering a validated email address is enough, while at banks a face-to-face validation is required.
Platform Integrity: Platform integrity is an approach to delivering secure mobile apps that ensures that all parts of the architecture, from the client to the backend, are secured and not susceptible to attack. For example, the Onegini Mobile Security Platform delivers components such as a secure SDK, token server and built-in authentication to ensure all parts of the app are strongly protected: these components act cohesively to ensure end-to-end security.
By using such approaches and techniques, organizations will have a much greater chance of creating a mobile app that is both secure and delights the consumer by offering the features and functionality they are looking for.