Mobile Enterprise Software - overview
The Mobile Enterprise Software group, based at the IBM Thomas J. Watson Research Center in New York, performs research in the area of mobile enterprise middleware software. Specifically, we are targeting the following areas:
- Program analysis for mobile-application understanding, certification and security. We have studied and implemented algorithms for static analysis of Android and iOS mobile applications. Our analysis can detect which subsystems an application will access at run time, and which security permissions it will demand. A more sophisticated dataflow analysis can also detect integrity and confidentiality vulnerabilities.
- Application-level security, control, analytics, management and monitoring. This differs from traditional Mobile Device Management (MDM) solutions, which use mobile operating system APIs to control and manage entire devices. By restricting control to individual applications, we can achieve more fine-grained control of enterprise applications without interfering with personal applications, thereby promoting Bring Your Own Device (BYOD) policies. This work can be used for anomaly detection as well.
- Visual editing of security, control, analytics, management and monitoring. It is important for Chief Information Officers (CIOs) and Information Technology (IT) managers to be able to configure the security policy of a mobile application, what control to exercise, and what features to track at run time. This should be done without requiring access to the source code. Our solution transparently instruments a mobile application to enable security, control, analytics, management and monitoring. Furthermore, these services can be visually edited to better reflect the semantics of every given application.
- Enterprise data services for mobile applications. We are researching how to transparently enable mobile applications to use data services, such as backup, restore, provenance and synchronization.
- Application-level security. Traditionally, enterprise applications must rely on device-wide Virtual Private Network (VPN) connections to connect with enterprise intranets. Device-wide VPN, however, is computationally expensive and reduces security, since it potentially allows unauthorized applications to connect with a private intranet as well. We have studied and implemented a prototype for in-application VPN. Using our in-application VPN libraries, a registered application can connect to a private intranet without having to rely on device-wide VPN mechanisms.
Contact: Marco Pistoia