
Best Practices for Mobile Application Lifecycle Management


Security from Design through Deployment
www.maas360.com

MaaS360.com > White Paper

Copyright 2014 Fiberlink Communications Corporation. All rights reserved.


This document contains proprietary and confidential information of Fiberlink, an IBM company. No
part of this document may be used, disclosed, distributed, transmitted, stored in any retrieval system,
copied or reproduced in any way or form, including but not limited to photocopy, photographic,
magnetic, electronic or other record, without the prior written permission of Fiberlink.
This document is provided for informational purposes only and the information herein is subject to
change without notice. Please report any errors to Fiberlink. Fiberlink will not provide any warranties
covering this information and specifically disclaims any liability in connection with this document.
Fiberlink, MaaS360, associated logos, and the names of the products and services of Fiberlink are
trademarks or service marks of Fiberlink and may be registered in certain jurisdictions. All other names,
marks, brands, logos, and symbols may be trademarks or registered trademarks or service marks of
their respective owners. Use of any or all of the above is subject to the specific terms and conditions
of the Agreement.
Copyright 2014 Fiberlink, 1787 Sentry Parkway West, Building Eighteen, Suite 200, Blue Bell, PA 19422.
All rights reserved.

Security Best Practices for Mobile Application Lifecycle Management

Table of Contents
The Role of Security in Mobile Application Development
Proactive Application Security Best Practices
Authentication
Single Sign-on
Data Loss Prevention (DLP)
In-App VPN
App Blocking
Enterprise App Store Best Practices
Benefits of a fully integrated app store
Deploy and update apps without delay
Integration with existing enterprise security and identity infrastructure
Comprehensive control of app security and management
App version control
App discovery and user collaboration
Real-time app inventory control and reporting
Think One Platform for Simplicity and Security
Passive Application Security Best Practices
Secure Browser
MaaS360 WorkPlace SDK for Application Developers
MaaS360 Instant App Wrapping
Another Critical Step on the Path to Enterprise Mobility


The Role of Security in Mobile Application Development


Organizations are facing a new challenge: how to extend compliance and security best practices
to laptops and other mobile devices.

Mobile devices are now a reality in most organizations. Building on Mobile Device Management
(MDM) and Mobile Application Management (MAM), organizations are increasingly developing
their own enterprise apps for specific job tasks to improve productivity, business partnerships,
customer satisfaction and bottom-line performance. But to achieve these benefits, it is imperative
that mobile security best practices are incorporated throughout the lifecycle of the application.
Mobile Application Lifecycle Management (MALM) inherits all of the issues introduced at the start
of the mobile era: security, compliance and privacy. This includes the security of corporate and
personal data, compliance with government and industry regulations, and employee privacy. While
building custom mobile apps might seem like an onerous task, the greater challenge is ensuring the
security of apps and associated data once deployed.
MaaS360 by Fiberlink, an IBM company and recognized leader in Enterprise Mobility Management
(EMM), offers application security best practices for use during app development and deployment.
For enterprises designing and developing their own mobile apps, these features can be delivered
through a Software Development Kit (SDK) or automatic app wrapping.

Proactive Application Security Best Practices


It's great to have a security policy and implement it after an app is ready for deployment, but
incorporating security into your app's design and development simplifies and strengthens your
efforts over time. In addition to the data encryption available with device operating systems,
there are several proactive security features that can be added through MaaS360 during app
development. These features include:

Authentication
In addition to device authentication with MaaS360, which can include basic passcode enrollment
or two-factor authentication synchronized with your Active Directory or LDAP, you can embed
authentication into your apps as well. Only the users intended to access specific apps and
associated data will be able to open them, even if an app is distributed to an unauthorized user
by mistake.


Single Sign-on
You can design apps for a user to access all of their authorized enterprise apps with a single, shared
passcode. This MaaS360 support feature provides a more user-centric approach when building
mobile apps with a developer platform such as IBM Worklight. You can ensure strong authentication
without impacting the productivity of users. MaaS360 WorkPlace simplifies app design for
Authentication, Single Sign-on, Data Loss Prevention (DLP), In-App VPN and App Blocking across
mobile platforms.

Data Loss Prevention (DLP)


MaaS360 supports a dual persona environment that fully separates corporate from personal
data on mobile devices. Developers and MDM administrators can leverage this secure container,
MaaS360 WorkPlace, in a variety of ways to prevent data leakage, stem the commingling of corporate
and personal data, and address any employee privacy issues.

MaaS360 WorkPlace: This container with FIPS 140-2 compliant AES-256 encryption can be
password protected and inaccessible without the device owner's authentication. Should a
device be lost or stolen, corporate apps, documents and data remain secure while the incident
is reported and the container is remotely wiped. Company information is protected, even if an
employee embarrassed by losing their device waits days to notify IT.

Selective Wipe: Any and all information that was pushed to a device through MaaS360 can
be remotely wiped from the container without affecting any information downloaded by a user
for personal use. (MaaS360 also offers a Full Wipe feature that can restore the device to factory
settings.)

Restrict Copy-and-Paste: MaaS360 provides the ability to disable copying and pasting
information outside the container. If the user tries to paste from the container to a resource
accessible from their personal space, such as to a notepad, native email application, file sharing
website or backup data cloud, a message reminding the user of your corporate security policy
is pasted instead. An automatic alert about the attempted activity can also be sent to the
MaaS360 administrator.

Open-In Controls: MaaS360 also provides open-in controls so that users can only open
documents and files in an app that belongs to and is controlled by the company in the
WorkPlace container. Company information cannot be opened or moved outside the container.


In-App VPN

Because mobile devices are beyond the direct control of managers and IT personnel, they are
particularly vulnerable to employee mistakes and employee wrongdoing.

While all of the above solidifies security for data at rest on a mobile device, enterprise app
developers must also secure data in motion, i.e., any information transmitted from the MaaS360
WorkPlace container to your corporate servers. To secure those transmissions, there needs to be a
VPN connection. App-level tunneling ensures user transmissions can be sent securely through only an
app-level VPN connection without needing a device-level VPN. Leveraging the MaaS360 Mobile
Enterprise Gateway, this can be done independently of any VPN infrastructure.

App Blocking
Your app development can also set policies to block an app from being opened on a device that is
non-compliant with MaaS360's automatic security monitoring features.

Enterprise App Store Best Practices


Once apps are developed, the easiest and most secure method of distribution and control is an
Enterprise App Store. In fact, many MaaS360 customers already use the system's App Catalog feature
to manage public apps from stores such as the iTunes App Store, Google Play and the Windows Store,
as well as in-house enterprise apps. More granular control of apps can be achieved by using the
MaaS360 WorkPlace container in tandem with the App Catalog. With this approach, IT-procured apps,
whether 3rd party or homegrown, are completely separated from personal apps.

Benefits of a fully integrated app store


The MaaS360 App Catalog offers a consolidated interface independent of mobile operating systems so
you can manage apps across all different platforms from one window. Among other advantages of a
fully integrated App Store:


Deploy and update apps without delay


In addition to your custom enterprise apps, the App Catalog integrates with public app stores. You
can push apps and track their installation over-the-air to individual devices, groups of users, or all
users with bulk distribution. If you want, for example, to get a purchased iOS app to your employees
using Apple's Volume Purchase Program (VPP), you can upload the VPP file directly and manage those
licenses through MaaS360. If a user leaves the company, you can remove that application from their
device and redistribute the license. If a user ever needs to delete an app and reinstall it, they don't
have to reach out to IT to get another license or go through a public app store. Instead, they simply
go to your organization's App Catalog and hit the app's install button.

Integration with existing enterprise security and identity infrastructure


Many organizations need to deploy apps for specific user groups. While you can set up user groups
in MaaS360, coordinating your Enterprise Mobility with existing user identities based on Active
Directory or LDAP saves steps to ensure that the right apps are distributed to the right people. This
can be achieved with the MaaS360 Cloud Extender. For custom functionality, web services are highly
recommended for integrating MaaS360 with any type of IT infrastructure because they are robust,
flexible, efficient, easy to code and easy to expose to the Internet while keeping apps, documents and
data secure.

Comprehensive control of app security and management


When managed through MaaS360, custom enterprise apps have the same protections as those
provided for all other apps. (See next section on Passive Application Security Best Practices.)

App version control


With public apps, you typically have only one version of an app for all intended end users. With your
custom enterprise apps developed in-house or by a third party, you can have a newer version of the
app that you would prefer to push to just a handful of users before a full enterprise distribution. Using
MaaS360, you can deploy and manage different versions of the same app.

App discovery and user collaboration


Users must be able to discover and access authorized apps recommended or required by your
organization to do their jobs. With the MaaS360 App Discovery Portal, apps can be easily found in
a simple-to-use interface. Users can also securely share and link apps approved for their WorkPlace
container. They can comment on and rate apps to help identify their usefulness and easily communicate
which apps need to be updated or enhanced to improve job value.

Real-time app inventory control and reporting


Your MaaS360 administrator can see and report on all apps available in the App Catalog, authorized
users, and apps in each user's WorkPlace container on their device in real time. The administrator can
delete apps from any user, group or all devices, such as an earlier version of an updated app.


More sophisticated products are also becoming available that can monitor and log the transfer
of sensitive files to storage devices and to other computers via email, file transfer or
instant messaging, or alternately can block all such transfers completely.

Think One Platform for Simplicity and Security

Use one window for app development across mobile platforms with IBM Worklight. Use one window
for MDM, MAM and MALM across platforms with MaaS360. These integrated approaches increase the
advantages of Enterprise Mobility with higher levels of control, security, compliance and
productivity while lowering demand on resources, time and budget.

Passive Application Security Best Practices


When managed through MaaS360, all public and enterprise apps have the same organizational control
and protections, such as:
Application whitelisting and blacklisting
Configuring security and restrictions
Automatic enforcement actions for non-compliance (alerting, device blocking, selective or full device wiping)
Automatic monitoring of jailbroken, rooted and non-compliant devices
Real-time visibility into the compliance status of all devices
Reporting on security and compliance history

Secure Browser
Many organizations have invested significant resources and have well-established business
processes that rely on existing web applications. With the MaaS360 Secure Browser and Enterprise
Gateway, you can enable your employees with secure access to corporate intranet sites and
applications such as private SharePoint, Windows File Sharing, and internal websites from mobile
devices. This allows you to mobilize all your web apps without having to rewrite them as a mobile
app or set up a full device-level VPN.
The Secure Browser also allows your MaaS360 administrator to restrict access to websites from
any device by category, and make exceptions to access restrictions for business purposes. For
instance, if your organization blacklists social networks, the administrator can make exceptions
for a marketing or PR person to use LinkedIn if needed for business posts. Should anyone else try
to access social networks, they will be denied. (The administrator will get audit logs with a time
and date stamp identifying the user and the device for each instance of a user trying to access a
restricted website. Repeat offenders can be warned via the MaaS360 messaging system.)


MaaS360 WorkPlace SDK for Application Developers


The MaaS360 WorkPlace SDK enables developers to embed MaaS360's robust security features in
their app as a configurable security layer in as little as a few hours. MaaS360's robust security can
be embedded in apps in as little as a few hours with the WorkPlace SDK or in seconds with app
wrapping. Enterprise apps can have all MaaS360 protections tuned to an app's precise needs by
incorporating the SDK during development. The WorkPlace SDK also allows developers to integrate
MaaS360 with many features that are built into iOS, Android and Windows Phone devices.

MaaS360 Instant App Wrapping


For apps already developed, MaaS360 app wrapping automatically injects the necessary code into
your app. You don't have to do anything but hit a button to add MaaS360's full app security and
management capabilities in seconds.

Another Critical Step on the Path to Enterprise Mobility


While BYOD took organizations a few years to accept, MALM will occur at a much faster rate. The
value of Enterprise Mobility tuned to an organization's mission and operations is undeniable in
terms of productivity, customer and partner relationships, employee satisfaction and bottom-line
performance. From job hire to exit interview, the employee's mobile phone will eventually be the
primary access point to all authorized digital and physical assets within an organization. Custom
enterprise mobile applications are a critical next step that most organizations are eager to take if
mobile security can safeguard information at the same level as fixed IT infrastructure. MaaS360
is already helping thousands of organizations worldwide ensure their mobile initiatives address
MDM, MAM and MALM with solutions that are quick for IT to implement and manage, easy for
end users to accept, and rapidly nimble for an evolving mobile world.

All brands and their products, featured or referred to within this document, are trademarks or
registered trademarks of their respective holders and should be noted as such.

For More Information

To learn more about our technology and services visit www.maaS360.com.


1787 Sentry Parkway West, Building 18, Suite 200 | Blue Bell, PA 19422
Phone 215.664.1600 | Fax 215.664.1601 | sales@fiberlink.com
WP_201110_0033
