Best Practices for Mobile Application Management: Mitigating Mobile App Risk to Ensure Safe, Reliable Deployments

Executive Summary

Driven by the trends of Bring Your Own Device (BYOD), Bring Your Own App (BYOA), and the consumerization of IT, the mobile device tsunami is inundating enterprises around the world. In many organizations IT is responding by giving employees unfettered access to these apps. But that can expose the organization to considerable risk.

One of the major sources of risk is that IT is still building institutional knowledge related to how these apps behave, and some behaviors can have unintended consequences with serious business impact. Here are two examples:

  • An employee of the U.S. Environmental Protection Agency (EPA) Office of Water was playing a popular game on a mobile device that he also uses for official purposes. Without the employee’s knowledge, the game automatically tweeted an invitation to join in the game. The recipients of that tweet were the 52,000-plus followers of the EPA’s official Twitter account. As Figure 1 illustrates, this resulted in considerable embarrassment to the organization.
  • The Brightest Flashlight Free app from Goldenshores Technologies, LLC, which has been downloaded by millions of Android users, brightly illuminates the mobile device screen to create a handy flashlight. But that’s not all it does. It also automatically sends the user’s real-time location information to third parties such as retailers.

IT organizations face a tough challenge. IT wants to empower users by permitting them to download business apps to their personal mobile devices. At the same time, IT has to minimize the associated risk. But IT has only limited ability to control personal mobile devices. To meet the challenge, IT needs to understand, weigh and mitigate the risk posed by a mobile app before making it available for download.

Leveraging its extensive experience working with enterprise customers around the world to manage application usage, Flexera Software has developed a six-step Application Readiness process. This process enables IT to maintain a rich portfolio of authorized and approved applications, at current revision and patch levels, ready for immediate distribution to users in a variety of formats. By passing all applications through this process, IT ensures that they will operate reliably and safely when deployed. Already being used extensively for desktop and laptop applications, this process easily extends to accommodate mobile application management.

This paper describes the unique challenges associated with maintaining mobile Application Readiness. It discusses how the six-step Flexera Software Application Readiness process can enable IT to meet the challenge. It also describes the requirements a solution must meet to support the process. With this process, supported by the right Application Readiness solution, IT can give business people the mobile apps they need while minimizing risk.

Mobile Apps Introduce Risk

In addressing Application Readiness, IT has to ensure that all applications required by the business are packaged and ready for immediate distribution to all the devices and operating systems on which they are required to run. Applications must be maintained at the latest secure, licensed versions and patch levels. Each application must be packaged in all required formats to run on the target devices and operating systems. And applications must run reliably when deployed, with no incompatibilities with devices or operating systems.

Extending Application Readiness to include mobile apps requires adding the formats, devices, and operating systems necessary to support mobile apps. But that’s not all. It also requires understanding and minimizing the risks associated with mobile apps.

Lack of Institutional Knowledge of Mobile App Behavior

Over the years, IT has acquired considerable institutional knowledge regarding the behavior of desktop and laptop applications. The IT staff knows what to expect when these applications are deployed or updated. But because of the enormous and rapidly increasing number of mobile apps and the relative newness of the mobile environment, IT has not yet gained comprehensive institutional knowledge in this area.

Mobile apps have access to a great deal of user information, such as contact lists and calendars. They also have access to social and corporate networks. What’s more, mobile devices have a number of built-in hardware features such as GPS and photo, video and audio recording, all of which can be used by mobile apps.

Although most mobile apps are not meant to be malicious, many have not been designed with a focus on enterprise security. As a result, many apps exhibit behaviors that are risky to the enterprise. For example, an app may automatically trigger a behavior without the user’s knowledge, as in the EPA employee’s Kim Kardashian game tweet cited earlier. Or data gathering software may be embedded that captures user information, such as location, and sends it to third parties.

Giving users unrestricted access to apps, without IT having a thorough understanding of all the behaviors an app performs and all the device features it uses, introduces risk.

Consequently, it’s essential that IT gain an understanding of app behaviors and the mobile device features each app uses. With this insight, the IT staff can determine if the app’s use of certain features results in a behavior that presents a risk. That determination should be based on risk assessment criteria established by the enterprise. These criteria vary from one enterprise to another and from one industry to another. Defense contractors and financial institutions, for example, have different risk criteria than online toy retailers.

As IT continually builds institutional knowledge around mobile app behaviors, the IT staff will become better positioned to establish processes to address mobile app behaviors. For example, IT will be able to:

  • Determine which behaviors are risky
  • Identify which apps exhibit these behaviors
  • Establish policies to deal with apps that exhibit risky behaviors
  • Use the policies to manage the apps and mitigate risk
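The four steps above can be expressed as a small policy check: observed app behaviors (which device feature is used, whether the app triggers it on its own, and where the data goes) are evaluated against enterprise-specific risk criteria. The code below is an added illustration, not Flexera Software’s product code; the two enterprise profiles, the feature names and the two sample apps (modeled on the game-tweet and flashlight incidents) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:
    feature: str          # device feature or user data the app uses
    user_initiated: bool  # False when the app triggers it on its own
    destination: str      # where data goes: "device", "vendor" or "third_party"

# How far data may travel; a higher index means more exposure.
EXPOSURE = {"device": 0, "vendor": 1, "third_party": 2}

# Assumed enterprise risk criteria (constructed for illustration). Each entry maps a
# feature to (furthest tolerated destination, whether unattended use is tolerated).
# Features not listed in a profile default to the strictest setting.
POLICIES = {
    "defense_contractor": {
        "location":    ("device", False),
        "contacts":    ("device", False),
        "social_post": ("device", False),
    },
    "toy_retailer": {
        "location":    ("vendor", True),
        "contacts":    ("vendor", False),
        "social_post": ("third_party", False),  # sharing is fine if the user chooses it
    },
}
STRICTEST = ("device", False)

def evaluate(behaviors, profile):
    """Return (decision, findings): 'block' if data leaves the device further than the
    enterprise tolerates, 'restrict' if only unattended triggers are found, else 'approve'."""
    policy = POLICIES[profile]
    findings, decision = [], "approve"
    for b in behaviors:
        max_dest, unattended_ok = policy.get(b.feature, STRICTEST)
        if EXPOSURE[b.destination] > EXPOSURE[max_dest]:
            findings.append(f"{b.feature}: sent to {b.destination}, tolerated up to {max_dest}")
            decision = "block"
        elif not b.user_initiated and not unattended_ok:
            findings.append(f"{b.feature}: triggered without user action")
            if decision == "approve":
                decision = "restrict"
    return decision, findings

# Constructed behavior profiles modeled on the two incidents described in the text.
GAME = [Behavior("social_post", user_initiated=False, destination="third_party")]
FLASHLIGHT = [Behavior("screen", True, "device"),
              Behavior("location", user_initiated=False, destination="third_party")]
```

Running `evaluate(GAME, "toy_retailer")` yields a "restrict" decision while the same app is blocked for the defense contractor profile, which is the point of enterprise-specific criteria; the flashlight’s unattended location export is blocked under both.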

Rapid Fire Software Updates

Mobile OS vendors release updates far more frequently than desktop and laptop OS vendors. What’s more, unlike with Microsoft Windows, IT doesn’t control updates to mobile OSs; the mobile device vendor does. The vendor notifies users of an update and the users can download it at their convenience. It’s interesting to note that about 80 percent of users of Apple mobile devices upgrade to a new OS within the first few months of its availability.

Unfortunately, a new OS sometimes breaks certain apps, and users don’t always discover the problem until they try to use the app. That discovery not only delivers a blow to user productivity but also increases the load on the IT service desk as users frantically seek assistance.