Security "Bits"

The Mobile Barn Door

By Nat Kausik | February 2, 2015 at 9:24 AM

Recently I switched from an iPhone to an Android.  With all the rave reviews about the Motorola phones, I had to try one.

Speedbump! Turns out that the stock email app that comes in the Moto has issues with ActiveSync email, the standard in any Enterprise. There is page after page of discussions on the issue on the Google forums and elsewhere and no fix in sight until the next version of Android.  

So I decided to try a third party email client from the app store. There are dozens of such apps and most are free! I turned to the Wall Street Journal reviews to help pick one. The top ranked one recommended in the review is CloudMagic. So I installed it and got it up and running. So far so good.

Not so fast. I work for Bitglass and all of my email access is tracked by our own mobile security products. Alerts were firing, my email was being accessed from Woodbridge, NJ, even though I was physically sitting in our offices in Campbell, CA. Whaaat! Turns out that CloudMagic copies all my email into their servers hosted on AWS and then sends over the "important" ones to my mobile device.   Uninstalling the app on my mobile device did not change a thing. CloudMagic continued to copy my email on to their servers.

In other words, the top-ranked mobile email app recommended by the WSJ, hence likely used by many professionals, is the perfect trojan horse. It lifts users' email credentials and replicates all their email accounts on CloudMagic's servers. Makes the SONY breach look tame.

So I changed my email password right away and tried a different client. This time I installed Microsoft's new Outlook for Android. Alarms again. Turns out that Microsoft had just acquired a startup called Accompli that was up to the same tricks as CloudMagic. Why on earth would Microsoft think this is acceptable to consumers, let alone Enterprises?

Several other apps had the same issue until I found one called MailWise that appears sane. At least for now. They can change their mind at any time of course.  Interestingly, Mailwise has a configurable option called "Bypass Exchange Security Controls,"  which allows the mobile device to ignore all server-side security policies.

The net of this is that Mobile is the wide open barn door for enterprise data.  No MDM solution can keep a blacklist of all these trojan apps for email, backup and file-sharing. There are only two ways to achieve security with mobile.

(a) Custom apps that are hard coded to the enterprise server, so that they and only they can connect.   While this approach improves security, the user experience is terrible -  custom apps become quickly obsolete against rapidly developing mobile technlogies, locking the user into the Stone Age and hindering productivity. Just ask any user who is forced to use GOOD. 

(b)  Data protection solutions such as Bitglass that secure the data as it leaves the server.


Learn more


Nat Kausik

CEO at Bitglass Inc.






see all