MSaaS: Mobile Security As A Service.
Everybody says that they want strong encryption of data and communications, but many developers push security to the wayside in the name of shipping fast.
Combine that need for speed with the fact that professional developers have a ton of different responsibilities and functions to keep track of, and sometimes something like security—which people can’t necessarily see and is therefore forgotten—is left on the cutting room floor.
Really, developers often just have too much to keep track of. What are the functional and design differences between iOS, Android and Web apps? How many damn SDKs or third party modules need to be added and maintained anyway? What did this 11-line NPM module do to break the Internet? How will discovery and monetization work after the app is shipped?
With Apple’s fight against the FBI making encryption an international news conversation and a series of never-ending high profile hacks, developers are starting to take encryption and security more seriously.
But here’s the rub: security engineers are in far shorter supply than app developers. The barrier to entry to build an app or a website is very low these days, while security is as hard as ever.
A company called Appmobi may just have a bespoke solution for end-to-end data and device encryption that theoretically makes it much easier for developers to add security to their apps.
“What I learned is that developers in general don’t like to add security. They think it is boring. It is not sexy,” said Appmobi CEO Marcel E. Smit in an interview with ARC. “They would rather prefer to be working on other things.”
The Resurrection Of Appmobi
Astute technologists may remember Appmobi from several years ago as a company that built and championed HTML5 tools for Web and mobile development. At ReadWrite we declared Appmobi “the most promising company of 2012” and its various HTML5 tools engendered excitement (and maybe a little controversy) among Web developers. Appmobi released the tools for free and banked on cloud services and support to make money (kind of like a backend-as-a-service company).
Intel eventually bought Appmobi’s HTML5 tools and developers in 2013, leaving behind the company name and the cloud services business. Appmobi became the core of what is now Intel’s XDK mobile development tool.
Appmobi sat dormant for a couple of years before cofounder and former CTO Sam Abadir decided to resurrect it under his new Aspire VC venture firm. Abadir brought in experienced entrepreneurs such as Smit and Mark Stutzman (CEO of Digital Variant until acquired by Appmobi) to build, initially, what was supposed to be an encrypted push notification product.
Trustworthy and fully encrypted push messaging is generally a worthy goal. But encrypted push messaging is not a market niche that really needs to be solved (companies like Urban Airship have been working on it for years, let alone Apple and Google’s efforts). What Appmobi found was that it would be more beneficial to create an entire bespoke encryption platform that is easy for developers to employ and then build features—like push messaging—on top of it.
What Appmobi created is what Smit calls “mobile-security-as-a-service.” Stutzman promises that Appmobi’s encryption tools will take hours for developers to set up.
“Really enable [encryption] in a couple of minutes rather than a few weeks or a couple of months, depending on the project,” Stutzman said.
App And Device Encryption, On The Code Level
Appmobi’s Security Kit offers three levels of encryption, depending on the needs and requirements of developers:
- Level one: App level shared key encryption.
- Level two: App and device level shared key encryption.
- Level three: App and device level shared key encryption with authentication.
“Level One is really this app-level shared key. That means that our platform, in the cloud or on-premise, is generating the key and pushing it down to the app,” Stutzman said. “Level Two is the app-level key plus a device-level key which means when that app is actually launched, a unique AES-256 key is generated on-device as well and that is pushed to the platform.”
Level three adds authentication through OAuth and LDAP, with a variety of other authentication standards in Appmobi’s roadmap. The addition of authentication adds a layer of identity to the encryption, to make sure the right person is reading the right message or data that has been encrypted by Appmobi’s platform.
Appmobi initially developed Security Kit specifically for Apache Cordova (formerly PhoneGap) hybrid apps, with the belief that Cordova was the growth vector for most enterprise app deployment. Appmobi has a history of Cordova development from before the Intel acquisition. On March 17th, Appmobi rolled out native app integration for iOS, Android and Windows Phone.
Appmobi built its encryption platform in nine months with about 15 engineers, led by Stutzman.
The basis of Appmobi’s offering is called Security Kit. Secure Push Messaging—the original idea for the product—is included in Appmobi’s suite. Secure Data Store allows developers to store data encrypted on the device or on a server (with the ability to mirror data between the device and the server). Secure Analytics is a security-focused version of mobile analytics that tracks all the things you would normally expect from mobile analytics while keeping a keen eye on security through user behavior patterns.
One of the most interesting aspects of the Appmobi encryption suite is Secure Live Update. Appmobi can let Cordova hybrid apps automatically send updates down to the device so that enterprises can install critical patches or new functions in apps with a simple code push. Appmobi saves the full version history of app updates so that developers can roll back an update if it breaks user devices (this capability is not available for native apps, Stutzman said).
Who Holds The Keys?
Appmobi envisions that the mobile-security-as-a-service product will be of great use in the enterprise, especially the health and financial services sectors that often deal with draconian compliance issues around messaging and communication security.
But Apple’s battle with the FBI hangs over just about every device manufacturer and app developer right now. Encrypted email and messaging companies have been targeted by the government before and have not come out on top (see: Lavabit and its entanglement with Edward Snowden).
One of the reasons that the FBI came after Apple is because Apple’s security system was centralized. All the eggs were in one basket and the FBI was trying to take that basket for its own purposes. Cryptologists and security experts have long said that a distributed security system—where no single entity has all the keys—is best to protect data.
Appmobi has the ability to create cryptographic keys on the app, on the device and on the server (on premise or via private cloud). Appmobi holds only one half of the key for data stored on its servers and could not decrypt the key or access the data without the other half of the key from the developer.
“This data needs to be secured in a way that even we, as the developers of this platform, don’t have a way to decrypt it unless we have that matching key pair,” Stutzman said. “Keep in mind that we have two levels of encryption. The first is that app level key. In that case, all of the apps installed on all of the devices share the same key. That in itself makes it more secure than, I would say, 90% of the apps out there.”
Developers have the ability to set how long a cryptographic key lives, according to their particular needs. A key could be regenerated for every new app session or kept for 30 days.
“For the environments that it is a really high security need, let’s say a password management app or a HIPAA compliant, then you are really moving on to level two and that is generated at application launch for the first time,” Stutzman said. “That key can live whatever length the developer wants it to live. So, if you want to regenerate a key once a day, if you want to regenerate a key every 30 days, that is totally up to the developer.”
In the end, what Appmobi has created is a turnkey security service for app, device, data and communication encryption at the code level. The “as-a-service” moniker may be played out in other aspects of the mobile ecosystem, but a real need for easier-to-build security functionality exists in the enterprise.
“The mobile workforce will double in the next couple of years. And not that they will bring one or two devices to the workplace, but easily five to six. No matter what analyst at the moment you talk to, there is a huge backlog when it comes to making mobile apps for the enterprise,” Smit said. “Depending on the analyst you talk to, it is like 60% to 80% of the apps out there won’t pass basic security tests.”