“It’s the apps’ fault!” That’s the clear takeaway from a quick scan of the latest mobile security threat reports from the likes of Check Point, McAfee and Verizon.

When there are security problems in mobile phones, overwhelmingly, it’s the applications that are to blame and not the base operating system. IT managers should be asking, “What can I do with this nugget of knowledge?”

One easy fix is to ensure all devices pull applications from Google’s Play Store and disallow “unknown sources” for applications. Google has directed an immense amount of resources at keeping malware (what they call “Potentially Harmful Applications,” or PHAs) out of their Play Store; in conjunction with Google Play Protect, they also can block applications after they’ve already been installed if the application is later determined to be a PHA. As such, IT managers should make sure Play Protect is enabled on all phones.

Once the store is locked down, IT managers often turn to allowlisting and blocklisting applications. With allowlisting, only applications on an “Allow” list can be installed on a device. Blocklisting takes the opposite approach: any application can be installed, unless it’s on the “Block” list. These can be valuable techniques, but both have their pluses, minuses and limitations.

Allowlisting: A defined set of approved apps

From a security point of view, allowlisting is an effective tool for keeping PHAs off devices, because the allowlist of applications ends up being pretty short. When the ecosystem of applications is limited to whatever an IT manager has approved, malware doesn’t have much of a chance to creep onto a smartphone through application installation.

Allowlisting first surfaced in the world of Windows PCs, where the set of applications users might want to install was limited and generally included only business-relevant applications: word processing and spreadsheeting, some collaboration tools for audio and video conferencing and telephony, a few business-written applications and perhaps a thick client for an ERP system (plus, of course, Solitaire). Allowlisting worked in the PC world because most “applications” are delivered through the web browser, and since everyone had a web browser — and firewalls typically use URL filtering to block “unapproved” sites — there were actually few limitations on what applications people could run.

Evaluate your mobile security plan

icon of a document
White Paper

Discover if you have the right mobile security plan for your business. Download Now

With smartphones and tablets, applications took off: everything and everyone is now writing applications, and they have become the preferred method to consume content on smartphones. Compare a desktop OS application store with “thousands of applications,” and Google’s Play Store with over 3 million applications and it becomes clear: IT managers are going to have a hard time effectively managing an allowlist of applications out of a galaxy of millions of options.

Fortunately, Android has a good solution for IT managers who want to manage an allowlist for smartphones and tablets: multiple profiles based on Android Enterprise on the same device. IT managers who have embraced the idea of a dual profile device with work and home (or personal) profiles can separately manage the set of applications that can go into each profile. The home profile should have a light touch, simply limiting the application store to Google Play.

For the work profile, IT managers can set an allowlist using their management tools or, even better, create a managed Google Play Store that includes all allowed applications. This latter approach is much better than having an internal allowlist, because it makes the set of allowed applications crystal clear to users — if they can see it in their store, they can have it. If it’s not there, they can’t. Less confusion, more secure results.

Blocklisting: Keeping users on task

Although blocklisting sounds like a nice security feature, it’s actually pretty useless from a security point of view. It’s frankly unlikely that an IT manager is going to detect that an application has malware in it before Google does and add it to the blocklist before Google Play Protect kicks in.

What blocklists are useful for is managing devices and how people use them — that is, steering users towards approved applications and processes and away from applications that don’t meet mobility strategic goals. Videoconferencing tools are a good example: most businesses have chosen a particular technology and actively discourage users from doing an end-run around corporate policies with alternate tools.

In some cases, IT managers want to use blocklists to keep out certain applications that aren’t PHAs but otherwise don’t comply with corporate requirements. For example, a hospital IT manager might need to block a drug dosage calculator application that returns incorrect information or an application that doesn’t comply with HIPAA requirements to properly protect patient information.

IT managers can also use blocklists where certain applications are being actively discouraged: social media is a typical example, but IT managers have had to block everything from Pokemon Go to the NCAA and World Cup bracket applications. Again, this isn’t really a security requirement but supports enforcing acceptable use policies.

IT managers should be aware that different mobile device management/enterprise mobility management (MDM/EMM) tools handle these features differently. For example, not every MDM/EMM tool supports blocklists, and some don’t allow blocklists and allowlists to exist at the same time. There are also different levels of enforcement of blocklists and allowlists: some platforms and MDM/EMM tools can differentiate between application installation and application running, for example.

While capabilities differ based on specific hardware and software platforms and MDM/EMM tools, allowlists and blocklists are present in some form in most tools. These lists, especially when combined with Android Enterprise’s multiple profiles, can be valuable tools in increasing security and controlling device usage.

Learn how Samsung’s Knox Suite of device management and security solutions makes it easy to manage employee devices at scale. And get started on your device management journey with our free beginner’s guide to MDM.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder