On the first morning of the annual RSA Conference in San Francisco, I met with a company whose story began almost exactly a year ago.
The first day of the RSA Conference traditionally sees the announcement of the winner of 'Innovation Sandbox', effectively a 'best newcomer' award for security vendors, and this year I met with Domingo Guerra, the president and co-founder of the company that won it last year.
Appthority formed in 2011 to offer a reputation-based scanning technology for mobile apps, but was relatively unknown until its win at RSA, which Guerra called "a great catalyst" for the company, giving it great visibility and exposure in the market. He said that after winning the award, Appthority went from 10,000 scanned apps to one million, five employees to 15, zero funding to a good series of investment and five partners to 25.
Guerra previously worked at Brocade, while his colleagues include McAfee alumni. He said he wanted to set up a company in the mobile device management (MDM) space, but that he didn't want to become the "158th company in the space", so chose instead to focus on applications and what they do.
He said: “We saw that bring your own device (BYOD) was overhyped and IT was bowled over by what employees want, so now we see mobile application management (MAM) and containerisation. We wanted to get away from enforcement and management and look at intelligence and overall risk. What do IT want to block?”
Appthority offers application reputation technology, which Guerra said was like URL reputation scanning and ultimately based on the behaviour of the application. With millions of applications available for the iOS and Android platforms, he said that it is almost impossible to know what to whitelist or blacklist, so the company provides a service that shows where an application shares credentials with a third party or gives away geolocation data, for example.
“Mobility is so broad; you can do MDM, you can use our software-as-a-service portal where you send the apps to us, or you can build our API into your firewall to do more granular control, as we know the application's URL so we are on top of the data and can raise security and privacy concerns,” he said.
“We call it mobile application risk management, we scan the application, take the information and decide what to do with it.”
Guerra explained that the company has the ability to scan 10,000 applications a day and it actively goes to application stores and looks at what is sent by users, expanding from security threats to more privacy-focused concerns. This has led to a partnership, announced this week, with Arxan that undertakes research on 'Trojanised' applications.
I asked Guerra what he thought of the BYOD space, particularly after BlackBerry launched devices to try and solve the problem with two distinct hubs. He said that this was an interesting approach, however it is flawed by the fact that some applications bridge the work and play gap, such as the camera and social networking. “It is better to say that the application can steal your information without your permission and realise that it is difficult to protect your intellectual property,” he said.
“Instead educate on risk of applications and make developments to improve on the security of applications.”
Asked about the future of the company, Guerra said that it lies in working more with firewall providers and collaborating with handset manufacturers. “The enterprise used to use software from a handful of vendors, now it is tens of thousands and it is not clear what the applications do, as they do not see the code.”
The recent McAfee threats report for the fourth quarter of 2012 found that the number of mobile malware samples it discovered had increased by 95 per cent, and it mainly saw malware that searches for user details and Trojans that send SMS messages to premium services, then charge the user for each message sent. Considering this, it seems the reputation of apps is truly a key area for mobile security.
Guerra said: “Malware accounts for a half of a per cent of what we see, while 80 per cent will try to access corporate data. Applications are not built with security in mind, as often even the third-party code will be built in afterwards.”
The next step for Appthority is to launch into the UK and European markets. With a message as strong as this, it may well be heard loud and clear.