While enterprises have long relied on business-to-employee (B2E) mobile apps to increase employee productivity, they are increasingly turning to business-to-consumer (B2C) mobile apps to help drive revenue and improve the customer experience. Many enterprises view mobile apps as a cost-effective, scalable way to personalize each customer’s experience with their brand while collecting valuable data for enhancing sales and marketing strategies.
Seemingly, it shouldn’t be too hard to adopt the same development approach for B2E and B2C mobile apps. After all, a mobile app is a mobile app, right? Actually, it isn’t. Enterprises leveraging mobility to improve service delivery and create a great customer experience must consider the unique security challenges of deploying apps to customer-owned devices.
For one thing, enterprises generally either own or otherwise manage employee devices, so employee apps benefit from enterprise mobile device management (MDM), mobile application management (MAM), and other device-centric control solutions. Customer devices, on the other hand, are generally beyond the reach of these traditional enterprise mobile security measures. Customer device usage is also unpredictable. Devices vary greatly in terms of hardware, OS version, and state. For example, a customer smartphone might be jailbroken or run an older version of a supported operating system. A laptop might be compromised by malware. Customer devices not compliant with enterprise best practices increase risk for both the enterprise and the customers.
So why not ask customers to secure their devices? Because that requirement creates a poor customer experience. Enterprises can’t expect customers to download security software before they can use the app or to go through cumbersome enrollment and authentication processes each time they log on; customers simply won’t use the app. For these reasons, enterprises cannot assume that customer devices can be secured. A much better approach is to secure the app itself.
When you combine the high level of device variability with the fact that every enterprise is different, it’s easy to see that there is no “off-the-rack” way to secure a variety of B2C mobile apps. One company’s customers will use its app differently than they will use an app for doing business with an organization in a different industry. For example, an in-store shopping app for a major retailer will offer a much different level of functionality than a mobile loyalty app for a fast-food restaurant. A patient diary app for chronic disease treatment will be used completely differently than an app for public transportation. Each company’s security and compliance requirements and deployment scenarios vary.
In addition, B2E app security relies on “wrapping” techniques that add extra protection and management features that can be deployed in enterprise app stores. B2C apps are quite different—they are generally distributed through public app stores like iTunes and Google Play, which have automated code scans and strict guidelines regarding the use of the above techniques.
Finally, some enterprises develop their own security measures for B2C apps. This approach has a significant cost and time-to-market impact, which is only heightened as the number of customer apps increases. How do you ensure that all of your apps are tested consistently for vulnerabilities and patched without huge cost and effort?
New advances in app-centric security now make it much easier to employ consistent security for all enterprise mobile apps—for employees and consumers. Blue Cedar allows organizations to secure mobile apps without writing code, so that the apps can be used securely on company-owned and customer-owned devices (without the need for MDM or MAM) and distributed through both enterprise and public app stores.
Blue Cedar’s patented injectable security technology enables enterprises to secure existing apps automatically. Simply upload the app and choose the policies you want, and the app is secured—no additional coding is required. Developing new apps? Integrate Blue Cedar security functionality using RESTful APIs without having to change SDLC or UAT processes. Whether securing existing apps or apps in development with Blue Cedar, you can implement rigorous security without needing to dedicate a team of experts to app security.
Security is comprehensive and “per-app.” Blue Cedar can inject a full IP stack, an IPsec client, a secure web stack, and a FIPS-compliant crypto module into every app. Any data written to the device or transmitted over the network is encrypted, and a secure, encrypted connection is established to the organization’s trusted infrastructure and data. Blue Cedar also enforces app-specific authentication, data sharing, and device posture policies.
The security policies are transparent to employees and consumers, eliminating awkward logins and authentication processes that are common obstacles to mobile app adoption. Organizations don’t have to write code, enabling them to deliver apps quickly and achieve faster time-to-value. And new capabilities—such as code obfuscation and anti-tampering features—prevent reverse engineering once the app is deployed. At last, enterprises have a security technique available that minimizes the risk of hacked apps, accelerates value, and helps them achieve both enterprise and customer satisfaction goals.