Transforming any apps into self-defending apps

Securing your data wherever it goes

Transform Any Mobile Apps into Self-Defending Apps

Sean Frazier, Sr Sales Engineer

March 31, 2015

Agenda

Security Risks in Mobility

Options for Securing Mobile Apps

How to Make Your Apps Self-Defending Apps

Live Demo

Security risks at every level of mobility

App Level

Device Level

User Level

Application Level Risks

75% of mobile apps will fail basic security tests in 2015

Application Level Risks

▪ Insecure data on device and in transit
▪ Reliance on device, OS or MDM for security
▪ Reliance on rational user behavior

Application Level Risks

▪ 75%: Don’t use proper encryption when storing data on a mobile device
▪ 97%: Having access to private data without appropriate security measures
▪ 75%: Mobile security breaches by 2017 will be the result of exploiting poorly developed mobile apps

Device Level Risks

▪ Change of device posture by other apps on device
▪ Uncontrolled OS versions
▪ Undue focus on jailbreaking and rooting alone – what about non-root system exploits?

Device Level Risks

▪ 52: Vulnerabilities patched in iOS in 2014; 40% of those were critical code exploits
▪ 24%: Android devices run the latest KitKat 4.4 version
▪ Change of device posture by other apps on device

User Level Risks

▪ Failure to report lost or stolen devices
▪ Mobile devices connect to more public hotspots and unknown servers than laptops
▪ Basic device-level protection like password and encryption turned off

User Level Risks

▪ 34%: Take no security measures at all
▪ 26: Number of apps the average mobile user has downloaded
▪ 113: Number of smart phones lost every MINUTE in the U.S.

Securing Mobile Apps

Option 1: MDM

▪ Enroll users to MDM
▪ Distribute MDM profile
▪ Enforce device-level passcode and encryption
▪ Distribute apps via Enterprise App Catalog

Drawbacks:

▪ Needs to be enabled for the entire device
▪ Requires profiles to be installed on device – including BYOD. Users rejecting due to privacy concerns
▪ Hard to scale for external vendors and customers

Securing Mobile Apps

Option 2: Containerization

▪ Implemented via SDK or App Wrapping
▪ App developer involvement
▪ Covers Email, PIM and Browsers as well

Drawbacks:

▪ Substantial developer involvement required
▪ Unstable first gen technologies
▪ Non-native experience results in low user adoption

Mobile App Security Needs

Developers
▪ Free developer time from security
▪ Focus on building business logic

Business Owner
▪ Accelerate Time To Market
▪ Meet ever-increasing user demand for apps
▪ Competitive Advantage

Security
▪ Stay current with mobile threats
▪ Ensure compliance

What you really need

▪ Easy, secure access to any app for any user on any device
▪ Containerization of any app – on demand, instantly
▪ Apps that assume they are at risk, ALWAYS, and defend accordingly
▪ Minimal management of updates across the mobile app lifecycle

Bluebox Self-Defending Apps

• Protect commercial or custom apps in seconds
• Detect and defend against mobile threats
• Respond quickly to keep corporate data secure

Triple Layer Defense: Data Wrapping, Enterprise Controls, Self-Defending Behavior

Bluebox Triple Layer Defense

1. Data Wrapping: The Unique Bluebox Approach

[Diagram labels: User, Data, App, Device, Network, OTHERS]

▪ Data Security on Devices, Apps and Network
▪ Support for ANY 3rd party or internal apps
▪ Native app experience
▪ Clear separation of personal and corporate data

Bluebox Triple Layer Defense

2. Enterprise Controls

▪ Per App VPN

▪ App eventing and logging

▪ Data sharing controls

▪ Data visibility and control

Bluebox Triple Layer Defense

3. Dynamic App Integrity for Self-Defending Behavior

Beyond Jailbreak and Root Detection

• Device Integrity

• Detection of sandbox security tampering

▪ App tampering detection

▪ Detection of tools used to reverse engineer apps

▪ Detection of hostile device environment, debuggers, hooks

▪ Checksum violations for tampering of Bluebox wrapper

▪ App tampering deterrents

▪ Honeypots, or traps, to mislead and deceive attackers

How to Create Self-Defending Apps with Bluebox

Web-based Bluebox Admin Portal (portal.bluebox.com)

Upload your App

Apply Policies and Enterprise Signing

Instantly

Assign Users and Groups

Specify 3rd Party Apps to secure

Summary

Assume that your apps are perpetually at risk at all layers – Device, App and User

Get beyond jailbreak and rooted detection!

Make your apps self-defending

Focus on the user – allow easy access to your apps on any device

Fortify your Apps – don’t just manage them

Bluebox User Enrollment

▪ Easy 3-step process via Bluebox App
▪ SAML 2.0, OAuth 2 (using Google as provider) and ActiveSync supported for user auth
▪ Elegantly off-board users via SAML and SCIM