Appdome study: Internal mobile apps in public app stores are becoming common. What does this mean?
Putting your internal mobile apps out there for anyone to download might not seem like the obvious thing to do, but it brings distinct advantages and is in line with zero trust trends.
In December, mobile app management vendor Appdome released the results of a study that found that 27% of Fortune 1000 companies are publishing internal, employee-facing mobile apps in the Apple App Store and Google Play.
This is a very interesting study and statistic. For years, even with mobile apps, the default approach for in-house apps was private distribution with enterprise developer certificates. Putting your internal apps out in the wild just wasn’t done, plus companies had concerns about Apple and Google policies.
But of course, putting internal apps in the public stores is completely valid. Naturally, this requires a robust and modern approach to authentication and authorization, but it’s right in line with the zero trust and conditional access trends we’ve been talking about for the last few years. In turn, this brings numerous distribution advantages.
Now, as shown by the Appdome study (press release, infographic PDF), it’s clear that this is becoming a reasonably common choice in the enterprise. The 270 companies identified publicly published a combined 693 internal apps.
Appdome study methodology
I got on the phone with Appdome CEO Tom Tovar to dig into the study. As I’ve covered previously, Appdome is in the mobile app management and security market, so they think about these things a lot. Tom said they were having more customers start to inquire about or use public distribution. He saw this show up in Appdome’s internal data, too, and then decided to conduct the study.
Essentially, Appdome just sat down with a list of the Fortune 1000, downloaded all their apps from Apple and Google, and counted up the ones that were for internal employees. In practice, this is a complex undertaking, involving hard work on logistics and methodology.
One of the first basic steps was to find all the appropriate developer listings in the public stores. This can be complicated considering all the usual corporate M&A activities, subsidiaries, and the fact that for years it was hard to transfer or modify developer account names. For this data set, Appdome decided to only include subsidiaries within one degree of separation.
Next, Appdome created an evaluation process, and took about 30 people from their go-to-market team and had them spend four days working together on the study. The results then went through two more levels of validation.
Another issue was determining what actually constitutes an internal, employee-facing app. There’s a whole spectrum out there, ranging from apps for direct employees to apps for partners, franchise owners, gig workers, enterprise customers, and consumers.
The Appdome crew downloaded every single app published by the Fortune 1000, opened them up, and looked at what they were for and how they worked. They checked, for example, whether apps required users to log in using an email address with a specific domain.
For the present study, the 693 apps cited fall under the strictest definition of apps intended for direct employees. Also, apps that were available for both iOS and Android were only counted as one app in the total.
What public distribution means
Why do companies turn to public distribution, and why might it become increasingly popular?
For one, companies can just let Apple and Google be their content distribution network. (Remember, you can also set up an Apple caching server on a local network, if you want.)
Public distribution means that Apple and Google are reviewing these apps, which means that there’s a quality and security bar to pass. Some might view this as an annoyance, but really, this is a good thing.
Public distribution also means fewer hoops for users to jump through. Instead of having to find and authenticate to an enterprise app store, users can just head to the public sources they're familiar with. Then there’s less of a need for MDM to assist with app distribution, and, therefore, fewer privacy and liability issues on BYOD devices.
Companies can build in plenty of security features at the app level. As mentioned, good access controls are required; but companies can also embed other capabilities like device attestation checks, secure connectivity, encryption, and so on. Most MAM products these days will pass app store approvals.
Sure, there will still be plenty of apps that companies won’t want to distribute publicly, and there’s plenty of data that just shouldn’t be on BYOD devices.
But again, Appdome’s data shows that plenty of companies are down this path already.
Furthermore, the study found that the types of internal apps that companies are publishing are quite varied. There are the internal event and meeting apps that you would expect, but there were also plenty of intensive operational apps.
What Apple is doing
As part of the changing landscape, also be aware that Apple is now supporting an option called Private Distribution for Custom Apps, which Melenie Seekins wrote about yesterday.
Custom Apps is the new name for Apple’s B2B program, and it allows developers to upload apps to the App Store infrastructure, but distribute them to only a particular company. After changes outlined at WWDC 2019, this can now include the developer’s own organization. This provides a middle option between enterprise-signed apps and public apps, with its own set of pros and cons.
It’s still early for internal employee-facing apps in the public app stores, and the companies doing it skew towards the larger end. Of the 693 apps that Appdome cites, almost three-fourths came from the top half of the Fortune 100.
But the data shows that this is a legitimate distribution technique that’s becoming common, which will have a variety of effects in the enterprise mobility space.
Appdome is planning to publish more details from their data in the future, and Tom said they want to do this study annually. Kudos to the team for doing this insightful work!