RSA Conference APJ: This is how you can prevent unwanted app behaviour
San Francisco-based Appthority helps enterprises manage apps by uncovering their hidden actions and enabling creation of custom policies
By Theon Leong 29 May, 2014
As a build-up to the RSA Innovation Sandbox competition for security startups, e27 and RSA Security LLC will be conducting a series of interviews with the winners of the Innovation Sandbox competition held in the US. We will be talking about their achievements and gathering helpful tips for prospective entrepreneurs.
According to Appthority’s 2014 App Reputation Report, 95 percent of the top 200 free iOS and Android apps exhibit at least one risky behaviour. For organisations, this poses a serious risk, as they want to keep confidential data regarding their products out of public knowledge. This has given rise to BYOD (Bring Your Own Device) companies like San Francisco-based Appthority.
Appthority automates the review and approval of mobile apps in the enterprise, automatically placing them in whitelists or blacklists based on their app behaviours. Its analysis engines expose each app’s behaviour as well as identify third party code used in the app and any URLs and websites that the app can communicate with. It then enables enterprises to create custom policies to prevent unwanted app behaviours. Some of them also analyse their own internally developed apps to make sure that there are no security issues present before the app is available to their customers or employees.
Winner of the 2012 Sandbox Competition
In 2012, Appthority participated in the Innovation Sandbox competition in the US, bringing home the prize of “The Most Innovative Company”.
According to Appthority’s President and Co-founder Domingo Guerra, he had a great experience participating in the RSA Innovation Sandbox Competition. He said in an interview with e27 that “Being named ‘The Most Innovative Company of RSA Conference 2012’ really put us on the map in the cyber security space. It opened doors with customers, investors, helping us receive our series A funding and paving the way to becoming a successful business today.”
When asked about what stage he saw the company at when he entered the competition, Guerra said that it had been in stealth-mode development for about a year, following continuous ‘Lean Startup’ Build-Measure-Learn cycles. It had been bootstrapping its product development and hadn’t received any funding as of that time.
He elaborated, saying that they were a small team working out of his living room as a makeshift office and their product was not launched yet. However, they were having early interactions with enterprise customers who were eager to find a solution to their mobile app security woes. Once they were ready to make their public debut, the startup chose to leverage the Innovation Sandbox appearance to launch the Appthority App Risk Management service.
Guerra also said that competition is fierce among each year’s most innovative companies, and RSA does a great job of selecting the cream of the crop as finalists. Because of the high quality of presenting companies, the Innovation Sandbox competition also attracts some of the biggest names from the investor community as well as large enterprise customers looking for the latest advancements in the security space. According to him, it really is a dream opportunity to showcase a new product for young companies that want to make a splash.
More on Appthority
Appthority helps organisations manage their apps. Its main customers are large organisations that are trying to tame the metaphorical BYOD (Bring Your Own Device) and BYO (Brew Your Own) Apps beasts. To accomplish this, it introduces an App Risk Management service to uncover the hidden actions of apps and enables enterprises to create custom policies to prevent unwanted app behaviour. Appthority compares each app against the customer’s custom behavioural policy to see if the app will be approved for use, creates a detailed app reputation report and adds the app to the customer’s whitelist or blacklist based on the analysis.
However, not all customers have the same risk profile, which is why the ability to construct highly customisable app behavioural policies is valued by IT and security administrators. The service provides this by supporting multiple app allowance policies simultaneously — by company department, by geography or even by device type — whether the device is company- or employee-owned. Then, the service automates policy enforcement and remediation at scale, to support the creation of multiple group and role-based policies.
For example, administrators can select to automatically warn users who have apps that put corporate calendars at risk, remind users about cloud storage policies when corporate documents are headed to a non-approved cloud service, and automatically quarantine devices when malware is present.
When questioned about his competitors, Guerra claimed that only Appthority was built from the ground up to focus on iOS and Android and analyses apps for total risk with respect to risky security and privacy behaviours in addition to malware detection. Although other security companies focus on mobile risk, most only focus on malware and thus on Android. A few other vendors focus only on app vulnerabilities, but these are short-sighted approaches, as most of the enterprise risks in mobile apps are from behaviours the developer incorporated into the app by design.
Advice to prospective startups in this space
According to Guerra, technical expertise is very important, because a lack of it would be a difficult problem to solve in the internet security space. However, besides technology, a successful app security startup needs to have strong talent in sales and marketing. It is a new space and thus customers are not aware of what options are available to address their needs. Organisations don’t only look to startups to provide products, but also education on the latest threat vectors, industry practices and different solutions available.
Guerra claimed that customers had tried to analyse apps manually, but quickly found it was a hopeless approach as app versions change every few months. He also said that customer introductions (word of mouth) have been one of their main growth drivers.
On a final note, for app security startups to succeed, it is essential to overcome the lack of awareness of how risky mobile app behaviour threatens the protection and security of organisations and their employees.
As the internet integrates with daily life, the RSA Conference APJ committee and e27 are working together to cover a series of stories on how startups are finding new ways to help organisations and people maintain their privacy and security. Interested participants can submit their entries on the Conference website here. The call for submissions will close on June 6, 2014.