Appmobi: A look at a secure mobile app development platform
According to Statistic.com, over 100 million mobile apps have been downloaded worldwide, and this figure is expected to more than double next year. Free mobile apps outnumber paid mobile apps by a figure of 10 to 1. Lots of great opportunities out there for cost-free mobile apps, right?
Well, yes, but free mobile apps can also come with a price tag: lack of security. At least with paid apps you’ve got a vendor on the other end who is receiving revenue directly from customers and therefore more likely to have a stake in app security since their business model – and reputation – is on the line. This is why the development of secure mobile apps is critical for both these vendors and the customers that patronize them.
Malware and its adverse impacts are only getting worse. McAfee stated in their “Mobile Threat Report” for 2016 that over 1.4 million mobile malware threats occurred in December, 2015 alone – and September through December showed a steady upwards hike in these threats. According to a 2015 Cost of Data Breach Study from IBM X-Force Research, the average cost of a data breach was $3.8 million per incident, which has gone up 23% since 2013.
And then there’s the problem of dependency on app stores. Your business or users may rely on updated apps from Google Play or iTunes, which can adversely impact operations if an app has a vulnerability. Granted, Google and Apple usually work rapidly to address this, but in a one-size-fits-all arrangement that doesn’t always meet the specific needs of various organizations.
The need for the ability to develop, administer and maintain secure mobile apps via customized processes that fit the needs of your users, customers or organization has become more prominent as mobile malware risks have increased. With that in mind, I’ve been reading about an organization called Appmobi, which facilitates the development of secure HTML5 Cordova enterprise mobile apps via their cloud-based platform. It works with existing development tools.
Appmobi consists of five components:
Security Kit: Securing mobile apps with various levels of encryption
Secure Data Store: Storing data on devices/servers in a secure fashion
Secure Push Messaging: Sending app information securely
Secure Live Update: Pushing out app updates to users via a direct and safe method
Secure Analytics: Reporting functions for app activity and data
To learn more about these features, I went directly to the source: the folks who created them.
Chatting with Appmobi
I spoke with Marcel E. Smit, CEO of Appmobi, and Mark Stutzman, CTO of Appmobi, about the company’s background and how the platform works.
TechRepublic: “Can you tell me about the company and your background?”
Marcel E. Smit (MES): “Appmobi was one of the first with a cross-platform compiler and very quickly there were 100,000 mobile developers using Appmobi. In July 2013, Intel acquired most of Appmobi – the SDK (software development kit), and three-quarters of the developers – all of which now forms the basis for the Intel XDK, with hundreds of thousands of developers using it.
I ran a European mobile company previously, and I noticed that most mobile developers don’t think security is cool. They’d rather focus on other features. Security is an afterthought more often than not.
The Appmobi Secure Mobile Platform helps address this global problem by offering solutions that help solve the growing security threats in today’s market.”
Mark Stutzman (MS): “I’ve been in this role for a number of years in startups, back in Internet 1.0. Thirteen years ago I started Digital Variant, a tech consultancy and development shop that Appmobi acquired just over a year ago based on the experience and the team of technologists. During the past year, we’ve been exclusively focused on the right mobile security product and solution for the app market.”
TechRepublic: “How about the security aspect?”
MES: “Security is a big thing – it has to be done but it can also be quite complex. We talked to a number of CIOs in Europe and the U.S. and asked, ‘What’s keeping you up at night?’ They replied: ‘Well, we have all these people bringing their phones, iPads, smartwatches, etc. to the workplace and want to use those.’ On the other hand they have huge pressure from inside the organization to select and roll out the right mobile apps. We heard at a conference this past January that for most large organizations the number of possible enterprise apps will grow from five to 10 million in the next couple of years.
It’s an enormous bedrock challenge for the CIO. Most organizations are deciding to develop their own apps, and they don’t want to wait since there’s a huge backlog. 50% of companies have a backlog of 10-20 applications they need. On the other hand the number of breaches is growing rapidly – and so is the cost per breach. That’s how we came up with the idea to build a secure mobile platform. Security can be added in minutes. The development of an MAM (mobile application management) suite can take 6-12 months, but it should be done easier.”
SM: I then spoke with Mark Stutzman regarding how the platform works and some of the technology behind it.
MS: “The goal of Appmobi is to serve as a solution for securing mobile applications as well as providing a number of services developers will need for building mobile apps in a secure way. We think of ourselves as MSaaS or Mobile Security as a Service.
The Security Kit is the heart and security foundation of the platform, generating and managing encryption keys for all of the features built on top of it. In its simplest form, it has three levels and is as simple as a developer choosing a radio button:
Level 1 – a key is generated at the app level
Level 2 – a key is generated at the app and device level
Level 3 – a key is generated at the app and device level and adds authentication
We handle encryption in about five seconds and our authentication supports third party services such as LDAP, OAuth, Active Directory, and so forth.
The second component is the Secure Data Store, which is encrypted data storage on both the device and server side, with syncing between them. Most of the existing mobile application companies provide a data store on the server, but that doesn’t really close the loop for building a security solution. Appmobi allows data to be stored locally via key pair instead. We store all keys in the OS key store, rather than in the app code itself, and we provide tools to the developer to read/write from an encrypted data store. This Secure Data Store can also be used for offline caching. One of the biggest problems with offline caching is that it’s incredibly insecure. Appmobi has solved this by enabling the local data to be encrypted at all times. Finally, the encrypted data is also mirrored on the server and syncing happens automatically.
Secure Push Messaging is the third component – and the first of its kind. Many apps push information that might be confidential, yet that information is sent via clear text. The Appmobi solution solves this by adding a secure, encrypted message, which is associated with a clear text notification. In order for the secure message to be decrypted by the app, the app and device keys must match, and the authentication must be completed successfully.
Then we have the fourth component – the Secure Live Update module, which allows app developers to update applications outside of the app stores, in real time, securely. If there is new functionality, features, and/or security issues, a developer can go in and upload their app code bundle then install it in real-time to all users’ devices. It’s a completely secure solution where the developer can choose the way to update the app – immediately, at next app open, upon approval, etc. The platform also maintains a history of previous releases and has a revision feature so you can easily revert to a previous build.
And finally, the last component is Secure Analytics, which tells a user anything they need to know about their application: device, OS, opens, clicks, views, streams – and it’s all fully secure. The data – in use, in transit, or at rest – is all encrypted.”
TechRepublic: “How are the apps actually built?”
MS: “Getting started with our platform is quite simple. We support any Cordova development environment. The developer creates an app shell in our platform admin panel, and then defines its security settings and the features, which should be enabled. They can then download a custom, pre-configured app sample that includes all of our functions clearly commented, or they can work with our documentation and APIs directly. We also expose our functionality through a Cordova plugin, which requires three variables to be set.
Security is almost always the last thing the developer is thinking about when building an app. We don’t want it to be a headache or consume massive amounts of time. We want the developer to trust the platform is enabling more secure apps than what they can build themselves, and it takes minutes versus months. The developer can add security in as quickly as five minutes.
Much like the cloud has taken the scaling issue out of the hands of the system admin, we are trying to do the same thing with mobile security. We worked with a number of beta customers to understand how they will use it, and how to make it more efficient.”
TechRepublic: “How about a specific example of an app that has been developed on Appmobi?”
MS: “A great example is an app that was built in the healthcare space for diabetics to monitor their glucose levels and carbohydrates/insulin/activity, and allows information to be shared with the parent or guardian of a child with diabetes. Parents of newly diagnosed children with diabetes can often feel out of control when their children are not with them. In this case, the app sends data off to a web API for the mobile app service, which delivers results to the child and parent or guardian monitoring them.
This means the encryption key generation and management, secure push messaging, and secure data store components are critical for maintaining this sensitive, personal health care data in a secure, encrypted, and HIPAA compliant way – all of which is enabled through our platform.
Appmobi is currently targeting companies with HIPAA, governmental and financial regulations – or in other words, industries with highly secure data requirements.
Since we’ve launched, interest has been amazingly high – over the next couple of months we will see lots of apps using the platform in new and interesting ways.”
TechRepublic: “How about pricing?”
MS: “Pricing is quite simple. Our Secure Cloud solution is free up to 500 devices, and after that there are tiers based on device counts and support level. We also offer on-premise and a private cloud solution. More information about our pricing and registration for our Secure Cloud can be found here.
There are three tiers – a free Secure (public) Cloud offering, a paid Private Cloud offering, and an on-premise solution for local data centers. The Private Cloud option is $2,000 per month, and the on-premise solution can vary in cost.
It may seem too good to be true, but the full range of Appmobi services are available on the free Secure Cloud option. We wanted to make the difficulty threshold as low as possible for developers to start building secure apps. The free version offers all of the same features and functionality of the private cloud selection, in an easy to use public format. Any user can sign up on the Appmobi Secure Cloud and immediately use the services without the need to sign up for Amazon Web Services (AWS), launch instances, or configure the back-end. The service is free for unlimited apps, up to 500 devices and can be seamlessly transitioned to private stack services. There is no license fee at all connected to developing or deploying secure apps. There is a small monthly support fee, which will be $260 per month, but we are currently waiving this to make it as easy as possible to get started.”
TechRepublic: “What’s coming down the road at Appmobi?”
MS: “As you can imagine, we have a very full product pipeline. We are entirely focused on growing our MSaaS depth, simplifying the development of secure apps and identifying security issues in deployed apps for IT teams. Some of the things we will be adding over the next couple of quarters include NoSQL DB support in our Secure Data Store, Native support in addition to Cordova, an advanced security analytics and rules engine that will provide developers to record custom security events, as well as a core set of predefined events to identify at-risk activity and a rules engine to take action on this behavior. We will also be adding features such as code obfuscation and security scans prior to app deployment.”
If you’re interested in learning more about how to build secure enterprise-grade apps in minutes, Appmobi is holding a webinar on March 16 at 2 p.m. EST. The URL link to register is: http://bit.ly/1LdT8tL