The downside to app wrapping is that each application must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. Also, implementations may work more smoothly with Android devices than with iOS because of problems getting binary code for apps sold via Apple's App Store. For this reason, wrapping tools tend not to work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone, or other built-in apps for that matter.
Users can get access to the binary for free iOS apps, but for paid App Store wares, IT needs an agreement to buy direct from the provider and bypass Apple's store.
"Apple overlooks the issue of app wrapping today and changing apps [bought] from their store, but by their rules you're not supposed to do that. They could clamp down and not allow that, although so far they haven't," says Redman. Apple declined to comment. (See "Where Apple and Google stand.")
The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. The technology isn't generally available as yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.
VMware's offering, VMware Horizon, is still in development. It will support Android and iOS, and functions as a type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.
Having a guest OS run on top of a host OS tends to consume more resources than a type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered less secure, since the underlying host OS could be compromised, creating a path of attack into the virtual machine.
Another vendor, Open Kernel Labs, offers a type 1 hypervisor, which it calls "defense-grade virtualization." Today the technology is used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.
Developing a type 1 hypervisor that interacts directly with the hardware is impractical, argues Ben Goodman, lead evangelist for VMware Horizon. "We moved to a type 2 hypervisor because the speed at which mobile devices are being revised makes it nearly impossible to keep up."
As to security, VMware is working on an encryption approach similar to the Trusted Computing Group's Trusted Platform Module standard as well as jail-break detection.
Performance won't be a problem, Goodman promises. "VMware Horizon is optimized to run extremely well, and performance is exceptional." However, VMware declined to provide the names of any early adopters who might speak publicly about the product.
Israeli startup Cellrox Ltd. offers its own twist on virtualization for Android devices. The technology, called ThinVisor and developed at Columbia University, is neither a type 1 nor type 2 hypervisor but "a different level of virtualization that resides in the OS and allows multiple instances of the OS using the same kernel," says CEO Omer Eiferman. It offers the product to cellular service providers and smartphone manufacturers, as well as to large enterprise customers.
Problems and promise
Not all containerization products support iOS, which powers the iPhone and iPad, the smartphones most commonly found in enterprises. While Apple has 22 percent market share worldwide compared to 50 percent for Android, in the enterprise those numbers are reversed: The iPhone commands a 60 percent market share versus just 10 percent for Android, according to Gartner.
For the products that do support iOS, Apple's legendary secrecy about OS enhancements means containerization vendors receive no advance notice and must scramble every time Apple releases an update. The bottom line: Users may have trouble accessing corporate resources if they upgrade their personal iPhone too quickly or frequently. "iOS changes often cause service interruptions while Good Technology's products are modified, tested, then released for our end users," says Terry at University Hospitals.
Directory integration is another area where tools are still evolving. "We'd like to see more integration with Active Directory and with PeopleSoft or whatever the source of record is to control user profiles," Terry says. "Ideally, tighter integration that would disable access automatically or restrict access to published applications based on a user's role." Today businesses may need to turn to integrators such as Vox Mobile to provide that level of integration.
Containerization is also limited in terms of troubleshooting and general support issues if the enterprise doesn't have visibility into the performance of the total device, argues Steve Chong, manager of messaging and collaboration at Union Bank, which uses Good for Enterprise. Is the problem related to signal strength? Has the user run out of storage space? Is there a way for IT to remotely access the phone to diagnose issues?