If you’re like me, you use your mobile phone and tablets extensively throughout the day.
A lot of what we do is personal and we love to customize our devices to fit our personality or work style. A common device customization is using a non-native, alternative, 3rd party keyboard. Why? Well some of us just don’t like the touch keyboards that come with our devices by default. They have too small or large keys, they offer poor spelling or word suggestions; there are many reasons why we use them. If one were available – my daughter would probably use a keyboard that typed with pictures of kittens or something like that. The point is – that we have a love affair with these alternative keyboards and we are using them more than ever.
Alternative keyboards are available on just about every platform and are available from many different sources – some more trustworthy than others. Some of the more popular keyboards use cloud services to store multilingual dictionaries or offer word suggestions based on characters you type. As you enter text on your device’s screen, those characters are sent to these cloud services and run through their “machine-learning” or other algorithms to provide you with suggestions.
While these features may be awesome when we are using our devices for personal use, businesses need to be aware of some of their potential security risks.
As mobile devices are used more and more at the enterprise level and in government, organizations need to make sure that their information or even their customer’s private information is protected. Nearly every organization understands the need to secure data on mobile devices and most have deployed solutions that will enforce the device’s encryption to protect data at rest and are using secure connectivity to protect data in transit. However, these alternative keyboards could potentially be as damaging to your organization as intentional data leakage or malware.
In the world of desktop/laptop endpoint security, a piece of software that intercepts every keystroke you enter on the keyboard and send that information to a 3rd party is called a key logger. It’s a common method of obtaining sensitive data, such as passwords or even credit card numbers. As the user enters their password or a credit card number – those keystrokes are sent to a 3rd party—without their knowledge—and then could be used to launch further attacks against the company or purchase items. While key logging can be guarded against with end-point security software on the desktop/laptop – many of us willingly utilize devices that employ it on our mobile devices without a second thought.
Recently, reports came out that highlight some of the potential issues when using a 3rd party keyboards – where personal information was being wrongly sent to other users of the same alternative keyboard. Whether or not these issues are due to malicious activity or maybe a bug, it doesn’t really matter once the information has been leaked. As business users, we need to make sure that we are doing what we can to protect our data.
Most mobile platforms offer the ability to disable alternative keyboards entirely when the devices are being managed by an Enterprise Mobility Management product like Citrix XenMobile. If the device is being managed by Mobile Device Management (MDM) you can deploy a policy to the device and disable these keyboards entirely.
The problem with doing this is that you’ve now deployed a policy that changes the way the device works and impacts how the user interacts with the device. If you are doing this in a Bring Your Own (BYOD) model where the device is personally owned by the user and they also use it work – you may end up with a bunch of angry users outside your office with pitch forks and torches.
What can you do if you don’t want to manage the device and disable this functionality entirely? The answer is provided with XenMobile and our MDX Mobile Application Management (MAM) technology.
With XenMobile you have the ability to block these 3rd party keyboards – but only when the user is using a business app. Rather than disabling a 3rd party keyboard using MDM, which disables the feature for ALL apps, XenMobile’s MAM MDX policy allows you to selectively block the use of a 3rd party keyboard only when the user is using that specific app. So, if I were using my daughter’s “kitten keyboard” to post on Facebook (because I love the kitten emojis), I would be free to continue to do so. However, when I launched one of my business apps, like WorxMail, for example, to access my corporate email, I wouldn’t be allowed to use the kitten keyboard.
XenMobile’s MDX technology offers IT the ability to selectively apply corporate policy and restrictions at an app-level rather than at a device-wide level. While there are many MAM vendors out there – XenMobile offers over 50 app-specific polices that will be enforced ONLY when the user is using a business app. They are free to use whatever features like dictation and 3rd party keyboards while using personal apps.
By using XenMobile and the MDX technology, organizations can rest assured that when a user is using a business app (which might contain sensitive or private information) – your data is being protected WITHOUT impacting the user’s personal privacy.