Appthority Portal Helps Assess Mobile Risk

Appthority Portal gives customers greater granularity in determining and responding to mobile risk factors.

Appthority sprang to life early last year at RSA with its mobile app screening and risk assessment product for the enterprise, and has been racking up partnerships within the enterprise mobility ecosystem ever since, including a recent alliance with MobileIron, one of the market leaders in mobile device management. Today the company announced the Appthority Portal, which lets customers see mobile app risk data directly, understand more precisely the factors that influence a particular risk score (the Appthority Trust Score), and customize those scores on a per-company, or even per-department, basis.

The outcome: IT can write mobile policies at an increasingly fine-grained level, based on application behavior.

When introducing Appthority initially, CEO Anthony Bettini said the company's approach was more about "bring your own software" than "bring your own device," arguing that it wasn't necessarily the device that created risk, but the applications and the resources and information they could access once the device was connected to a corporate network. Appthority co-founder and president Domingo Guerra says the company's database now contains 1.2 million unique applications. Until now, those were all iOS and Android apps, but the company just launched support for BlackBerry 10 apps, and has plans for Windows Phone apps later this year.

Appthority's screening technology is hosted on Amazon Web Services. Partners have accessed app "scores" and underlying behavioral data via APIs -- these Appthority partners include development shops like Appcelerator, enterprise application stores like Apperian and Happtique, and MDM companies like MobileIron, Fixmo, Boxtone and Marble Security. The MDM technologies use Appthority data as the basis for writing the policies that get enforced upon end users. The partners can upload apps to Appthority's cloud, or they can query the system based on the metadata of the app, and the reports generated get fed directly to that partner.

With the new Appthority Portal, the end-user customer can see the data directly, including very detailed app behavior explanations to help them make better policy decisions. Corporate developers can also upload their apps directly now, Guerra says. The scanning takes only a couple of minutes.

The data Appthority discovers in its screening process runs the gamut from detecting malware, to understanding its origin (for example, that the software was developed in Ukraine or in China, or even the reputation of the developer), to uncovering what the app has access to (like a contact database or the user's location), and more. Guerra says that Appthority disassembles the binary file and performs both static and dynamic analysis, running the file through more than 3,000 rules based on the API calls that the OS manufacturers make available. This includes Android apps ported to BlackBerry 10 -- Guerra says that Appthority's technology understands not only what each mobile OS allows, but also what the application is trying to do, meaning any extra calls the application makes outside of the standard APIs.

Understanding application behavior lets an organization do things like block the use of Dropbox based on the location of a user, for instance, but also block other apps that might make direct use of Dropbox as well. Portal users will access data via a single screen that breaks down apps by OS and by app category, with those apps ranked by risk. Diving into the apps provides not only a risk score, but details on key behaviors, like whether the app tracks user location by sending map coordinates unencrypted. End-user shops can write policies based specifically on that sort of fine-grained understanding of app behavior.

Guerra says that Appthority is seeing more than one million queries per day for app analysis, from 137 institutions, including customers and partners, and across a variety of vertical industries. The solution is available in seven languages. The portal has been in private beta, and is available this month. The list pricing: $2.50 per user per month, plus $2.50 per user per month for having scores exposed in the MobileIron console, but if you buy both Appthority and MobileIron together (via either company's channel partners), the total cost is $4 per user per month. Guerra says there are discounts based on volume usage.