The downside to app wrapping is that each application must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. Also, implementations may work more smoothly with Android devices than with iOS because of problems getting binary code for apps sold via Apple's App store. For this reason, wrapping tools tend not to work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone, or other built-in apps for that matter.
Users can get access to the binary for free iOS apps, but for paid App Store wares, IT needs an agreement to buy direct from the provider and bypass Apple's store.
"Apple overlooks the issue of app wrapping today and changing apps [bought] from their store, but by their rules you're not supposed to do that. They could clamp down and not allow that, although so far they haven't," says Redman. Apple declined to comment. (See "Where Apple and Google stand.")
The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. The technology isn't generally available as yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.
VMware's offering, VMware Horizon, is still in development. It will support Android and iOS, and functions as a type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.
Having a guest OS run on top of a host OS tends to consume more resources than a type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered less secure, since the underlying host OS could be compromised, creating a path of attack into the virtual machine.
Another vendor, Open Kernel Labs, offers a type 1 hypervisor, which it calls "defense-grade virtualization." Today the technology is used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.