Integration of app vetting with EMM is still an ’emerging’ option for agencies, report says
Two established ways of monitoring an enterprise’s mobile technology — continuous app vetting and enterprise mobility management (EMM) — can be integrated, but no single combination of existing solutions is ideal, according to a new Department of Homeland Security report.
Continuous vetting is designed to catch the exploitable vulnerabilities, malicious code or privacy-violating behaviors in applications, while EMM centrally manages an enterprise’s mobile devices, including their security, and can restrict use of an app or resources until a threat found through vetting is addressed.
The Homeland Security Systems Engineering and Development Institute (HSSEDI) independently evaluated two EMM solutions and six vetting solutions in 43 tests with commercial and custom apps between November and May. While all EMM and vetting solutions passed HSSEDI’s tests, each of the latter offerings were missing features — like the detection of “sideloaded” apps that circumvented normal installation — that prevented them from being recommended as the preferred option.
While some EMM solutions integrated better with particular vetting solutions than others, vetting solutions differed more widely in their strengths and weaknesses, according to HSSEDI’s report, which was finalized in late June and released Wednesday.
Together a vetting solution can share an inventory of installed apps with EMM, which can in turn update agency blacklists and whitelists to reduce their threat exposure.
HSSEDI performed the market analysis on behalf of the Mobile Security Research and Development program within the Department of Homeland Security Science and Technology Directorate.
All six vetting solutions satisfied HSSEDI’s tests by producing comprehensive, easy-to read threat reports — most also able to share a device’s app inventory and rescan updated apps quickly.
“However, most services could not perform reputation analysis, and all offerings either incorrectly labeled custom, non-market apps downloaded from the enterprise app store as sideloaded or failed to detect a sideloaded app in some way,” reads the report. “Detection of spoofed and sideloaded iOS apps was a weak point, almost certainly due to iOS platform restrictions.”
HSSEDI further found not all EMM solutions enforced compliance linked to threats that app vetting detected, and few solutions flagged out-of-date apps.
Integration remains an “emerging” process, so HSSEDI shared its results with the solutions’ respective vendors so improvements could be made — and in some cases they already have been made.
HSSEDI did not evaluate mobile threat detection, which detects and defends against runtime security threats — often using app vetting along with device- and network-level protections — and can similarly integrate with EMM.
The agency further plans to examine how continuous app vetting might work within the Continuous Diagnostics and Mitigation program run by DHS.
As a result, the agency didn’t recommend an integration scheme in its report.
“HSSEDI recommends that agencies review and understand the strengths and limitations of each tool combination and select the EMM and app vetting solution that fits their needs and desired capabilities,” reads the report.