Mocana will offer its "injectable" app security features for existing and new enterprise iOS apps as well as for Android. Developers don't need to access the source code or write new code to protect mobile apps.
Mocana's Mobile App Protection 2.0 automatically analyzes an app, and lets IT groups choose up to four key security policies to add to it: automatic data encryption, passphrase authentication, secure cut-copy-paste to prevent data being moved outside of the app, and a per-app VPN tunnel. MAP 1.0 was released for Android in November 2011; the 2.0 release now works with iOS apps.
"We assume the underlying device is corrupted and we assume that the enterprise does not have control over the device," says Adrian Turner, CEO for Mocana, based in San Francisco. The combination of the four protections reflect this: They can protect the data on the device, protect it in transit between the device and the enterprise, limit access to authorized users, and block users from moving the data into unsecured documents, storage, emails or IM sessions.
The Mocana server decompiles the app's binary image, and analyzes its structure, including the I/O and information flows. The company specifically targets custom iOS and Android apps developed by or for a given enterprise, according to Turner. Via a Web-based portal, an IT staffer selects from the available security features to add to the app, and the Mocana server generates and inserts the necessary code automatically.
"We have a [patent-pending] code analysis capability," Turner says. "We can decipher how the app works independent of the underlying logic. We focus on how the app interacts with the network, for example, abstracted from the application's business logic. Then, we can inject code into the right places where it doesn't affect the app."
For encryption, Mocana relies on FIPS 140-2 certified encryption and Suite B algorithms; its digital certificate/public key infrastructure combines standards-based and proprietary technology, optimized for mobile apps; and it can set up individual apps with a VPN client for secure communications with an array of VPN termination products.
Mocana's approach dramatically simplifies what otherwise is a major development burden. Typically, developers have to use a set of APIs, and make sure they implement security correctly for each app. An alternative approach is to sandbox the app and its components, but Turner argues this doesn't give developers fine-grained control over specific security features for an app.
A third alternative is to create a virtual machine on a device and run a separate OS for the enterprise mobile apps. "But the second OS is not secure just by being separate," says Turner.
By contrast, Mocana's server and injected code can add specific security features to each app. According to the vendor, four of the top five Android tablets license the company's technology.
Mocana's software is deployed in partnership with software vendors that sell enterprise app store and mobile device management (MDM) applications. An IT administrator creates the Mocana app security policies using the MDM console, then loads a completed enterprise app into the Mocana MAP server, along with the policy file. The server adds in the security features and the app is transferred to the corporate app store (or to Mocana's own App Catalog). There can be different versions of the same app, with different security policies depending on the user, their job function and so on. The apps are download and installed as they usually are.
Mocana 2.0 is available now as part of an early adopter program. General release is scheduled for June 1. The software is available via enterprise app store vendors and mobile device management vendors, so pricing can vary. These vendors typically offer a yearly, per-device subscription, that's heavily discounted at higher volumes, according to Turner.
John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: [email protected] Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.