BYOD: What Containers and Wrappers Don’t Tell You

Gartner predicts that within the next few years, half of employers will require employees to use their own device for work and 90 percent of organizations will have data on external IT systems. When looking at the topic of secure and reliable mobile solutions in the increasing BYOD workplace trend, several very important issues need to be addressed. Alongside MDM, many enterprises are using, or thinking about using, containers and application wrappers on users’ smartphones to separate and secure work and private data. This is a crucial issue, in particular, for highly regulated industries such as government and healthcare.

The difficulty with these makeshift solutions, containers and wrappers, is that they are simply band aids for a larger and more complicated problem. These are flawed solutions that run the risk of compromising security and the very relevant BYOD user experience.  Furthermore, like any bandage, they do very little to solve the actual problem.

The use of containers requires a company to recompile apps with the container SDK. This presents a nearly impossible task for enterprise IT departments, who often do not have the necessary means to do so. Sourcing the application code for recompiling is problematic as it would require deal-making with every application provider. Even in a perfect world where code is sourced and an app recompiled, mobile apps are frequently updated and any enterprise IT department must be able to support these updates.  Containers might be relevant for home-grown applications, but even then they make the enterprise dependent on the container provider.

Wrappers use different techniques to contain an application by manually or automatically adding code. Unfortunately, this typically breaches the application EULA, raising questions of who is to be held responsible when something goes wrong.  (Hint:  the Enterprise!).  For example, think about the following scenario:

Company X decides to use a cloud-based file sharing service in their enterprise.  They use a wrapper from Company Y to secure the file sharing tool.  While this results in a modified file sharing tool that may have better security, it also results in new security exploits added by the wrapper, which a hacker then uses to penetrate into the file sharing service.  

In this situation, with whom does the responsibility lie?  Technically, the hacker, of course. But who is responsible for the vulnerability existing in the first place? Enterprises need to be aware that adding another layer of indirection may result in degraded performance and need to consider the potential issues of using such wrappers. As you can see, each bandage has its own individual issues, but they also share several that are little known. So what are containers and wrappers not telling you?

They’re not telling you that you are unable to use native OS applications such as calendar, contacts, and email clients. This is why enterprises are forced to purchase third party alternatives for PIM, and as a result, need to convince their employees to work with apps with which they are not familiar. Such a limitation translates in to a longer provisioning time, and consequently, a loss of productivity

Containers and wrappers are also not telling you that you cannot secure applications and services that require direct access to hardware, such as the phone dialer, VOIP clients, video players, etc.  Phone dialers, for example, need to be secure because if an employee installs a simple call recorder (many of which are available for free) in the private zone, it will intercept and record all business calls. If an employer forbids the employee from installing such an app then it is subsequently no longer a BYOD.

Lastly, and maybe most significantly, containers and wrappers are not secure. Bad apps such as malware are running in the same environment as corporate apps. In a recent CEO conference held by USVP, the product VPs of three leading security companies admitted that containers and wrappers cannot provide security for the enterprise unless they are well integrated into the OS, which is currently not the case.

This is why containers and wrappers are simply bandages for a problem and are not real, long term, and salient solutions. Only a persona based separation between work and private use, on a single smart mobile device, which supports any unmodified app, whether native, third party or homegrown, and which does not degrade performance or UX, will build the foundations for a real solution, one that employees want and need. So let us find a cure that fits.