
Whitelisting and Blocklisting Mobile Applications: Pros and Cons

“It’s the apps’ fault!” is a clear message that came out of Google’s most recent Android Security Year in Review report. When there are security problems in Android smartphones, overwhelmingly, it’s the applications that get blamed and not the base operating system. IT managers should be asking, “What can I do with this nugget of knowledge?”

One easy fix is to ensure that all devices pull applications from Google’s Play Store and disallow “unknown sources” for applications. Google has directed an immense amount of resources at keeping malware (what they call “Potentially Harmful Applications,” or PHAs) out of their Play Store; in conjunction with Google Play Protect, they also can block applications after they’ve already been installed if the application is later determined to be a PHA. IT managers should be sure that Play Protect is enabled on all phones; most come with it out-of-the-box, but if you’re buying phones from a carrier, it’s always best practice not to assume which settings they’ve chosen for your device security.

Once the store is locked down, IT managers often turn to whitelisting and blocklisting applications. With whitelisting, only applications on an “Allow” list can be installed on a device. Blocklisting takes the opposite approach: any application can be installed, unless it’s on the “Block” list. These can be valuable techniques, but both have their pluses, minuses and limitations.


From a security point of view, whitelisting is a pretty effective tool for keeping PHAs off devices, because the Allow list of applications ends up being pretty short. When the ecosystem of applications is limited to whatever an IT manager has approved, malware doesn’t have much of a chance to creep onto a smartphone through application installation.

Whitelisting first surfaced in the world of Windows PCs, where the set of applications that users might want to install was pretty limited and generally included only business-relevant applications: word processing and spreadsheets, some collaboration tools for audio and video conferencing and telephony, a few enterprise-written applications and perhaps a thick client for an ERP system (plus, of course, Solitaire). Whitelisting worked in the PC world because most “applications” were delivered through the web browser, and since everyone had a web browser — and enterprise firewalls used URL filtering to block “unapproved” sites — there were actually few limitations on what applications people could run.


With smartphones and tablets, applications took off: everyone is now writing applications, and they have become the preferred method to consume content on smartphones. Compare a desktop OS application store with “thousands of applications” to Google’s Play Store with over 3 million applications, and it becomes clear: IT managers are going to have a hard time effectively managing an Allow list of applications out of a galaxy of millions of options.

Fortunately, Android has a good solution for IT managers who want to manage an Allow list for smartphones and tablets: multiple profiles based on Android for Work on the same device. IT managers who have embraced the idea of a dual profile device with work and home (or personal) profiles can separately manage the set of applications that can go into each profile. The home profile should have a light touch, simply limiting the application store to Google Play.

For the work profile, IT managers can set an Allow list using their management tools or, even better, create an enterprise managed Google Play Store that includes all allowed applications. This latter approach is much better than having an internal Allow list, because it makes the set of allowed applications crystal clear to users — if they can see it in their enterprise store, they can have it. If it’s not there, they can’t. Less confusion, more secure results.

Blocklisting (A.K.A. Blacklisting)

Although blocklisting sounds like a nice security feature, it’s actually pretty useless from a security point of view. It’s frankly unlikely that an IT manager is going to detect that an application has malware in it before Google does, and add it to the Block list before Google Play Protect kicks in.

What Block lists are useful for is managing devices and how people use them — that is, steering users towards approved applications and processes and away from applications that don’t meet enterprise mobility strategic goals. Videoconferencing tools are a good example: most enterprises have chosen a particular technology, and actively discourage users from doing an end-run around corporate policies with alternate tools.

In some cases, IT managers want to use block lists to keep out certain applications that aren’t PHAs but otherwise don’t comply with corporate requirements. For example, a hospital IT manager might need to block a drug dosage calculator application that returns incorrect information or an application that doesn’t comply with HIPAA requirements to properly protect patient information.

IT managers can also use Block lists where certain applications are being actively discouraged: social media is a typical example, but IT managers have had to block everything from Pokemon Go to the NCAA and World Cup bracket applications. Again, this isn’t really a security requirement, but supports enforcing acceptable use policies.

IT managers should be aware that different Mobile Device Management/Enterprise Mobility Management (MDM/EMM) tools handle these features differently. For example, not every MDM/EMM tool supports Block lists, and some don’t allow Block and Allow lists to exist at the same time. There are also different levels of enforcement of Block and Allow lists: some platforms and MDM/EMM tools can differentiate between application installation and application running, for example.

While capabilities differ based on specific hardware and software platforms and MDM/EMM tools, Allow and Block lists are present in some form in most tools. These lists, especially when combined with Android for Work’s multiple profiles, can be valuable tools in increasing security and controlling device usage.
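As an added illustration (not from the original article or from any MDM/EMM product), the Python sketch below audits a device inventory against the rules described above: Google Play as the only source, Play Protect on, an Allow list in the work profile and a Block list for acceptable use. The inventory format, the package names and the choice to apply the Block list to both profiles are assumptions; Block list hits are reported as "usage" rather than "security" findings, matching the distinction the article draws.

```python
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"  # installer package name Google Play reports

@dataclass
class App:
    package: str
    profile: str    # "work" or "personal"
    installer: str  # package that installed the app; "" means sideloaded

@dataclass
class Device:
    name: str
    play_protect_enabled: bool
    unknown_sources_allowed: bool
    apps: list = field(default_factory=list)  # user-installed apps only

# Constructed policy; every package name below is a placeholder.
WORK_ALLOW = {"com.example.mail", "com.example.erp", "com.example.meetings"}
BLOCK = {"com.example.othermeetings", "com.example.bracketgame"}

def audit(device, work_allow=WORK_ALLOW, block=BLOCK):
    """Return sorted (category, message) findings for one device."""
    findings = []
    if not device.play_protect_enabled:
        findings.append(("security", "Play Protect disabled"))
    if device.unknown_sources_allowed:
        findings.append(("security", "unknown sources allowed"))
    for app in device.apps:
        where = f"{app.package} ({app.profile})"
        if app.installer != PLAY_STORE:
            findings.append(("security", f"{where}: not installed from Google Play"))
        # Allow list is enforced in the work profile only (light touch at home).
        if app.profile == "work" and app.package not in work_allow:
            findings.append(("security", f"{where}: not on work Allow list"))
        # Block list hits are acceptable-use issues, not malware detections.
        if app.package in block:
            findings.append(("usage", f"{where}: on Block list"))
    return sorted(findings)

# Constructed inventory for one dual-profile phone.
SAMPLE = Device("phone-01", play_protect_enabled=False, unknown_sources_allowed=False, apps=[
    App("com.example.mail", "work", PLAY_STORE),
    App("com.example.notes", "work", PLAY_STORE),
    App("com.example.bracketgame", "personal", PLAY_STORE),
    App("com.example.flashlight", "personal", ""),
])

if __name__ == "__main__":
    for category, message in audit(SAMPLE):
        print(f"{SAMPLE.name} [{category}] {message}")
```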



Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.
