Linux and Android Come to Any Device

For years, the Citrix Systems cheerleading team waved its pom-poms to the resounding chant of “Any, Any, Any!”: any app, anywhere, on any device. It did so knowing all too well that while it could deliver apps anywhere and on any device, its ability to do so for anything other than Windows apps was nothing more than some well-crafted marketing hype.

Citrix doesn’t talk about “any, any, any” quite so much today, which probably says as much about Citrix’s broader view of all things app as it does about the stiff competition it faces from VMware. This is a missed opportunity for Citrix, as for the first time, there’s a real possibility that any app anywhere might extend to Linux and Android on any device, iPhones and iPads included. The Windows-only focus for VDI and RDSH-based presentation virtualization is slowly opening up. Recent initiatives from both Citrix and VMware are extending VDI to Linux, and Android is gaining attention through virtual mobile infrastructure (VMI) via a new generation of server-hosted app delivery platforms. These platforms host Android in the data center and remote the display to mobile endpoints.

The business case for Linux-based virtual desktops is clear: it lies in the opening up of emerging markets in the BRIC nations, which have no thirty-year Windows history driving their requirements. They are adopting Linux in larger numbers than Europe and North America have. Now that low-cost VDI is an achievable reality, large-scale Linux VDI implementations are increasingly attractive. The value of remoting Android is a little harder to grasp. What is the point of remotely delivering an Android app when cross-platform mobile application development is so easy, and why hobble application performance and availability by insisting on tethering to the data center?

It turns out that the benefits of this approach are sufficient to make it worthwhile for at least half a dozen vendors, and it looks like it’s a growing market. For all the hype, and for all the marketing effort put forth by enterprise mobility management vendors, BYOD is a huge security problem. Worse, it is a security problem that is difficult to fully address using conventional tools. BYOD’s big problem is that mobile platforms can’t provide the same assurances about whether a device has been compromised that a desktop OS can. This lack of assurance applies equally to both the iOS and Android ecosystems. In these ecosystems, evidence of jailbreaking or rooting on a device is used as a proxy for evidence that the device has been compromised. Unfortunately, jailbreak and rooting detection is subject to the same escalating battle of threat, countermeasure, and countermeasure evasion as any other security threat. Even the best mobile anti-malware detection cannot guarantee security.

VMI, like other application remoting technologies, provides security by eliminating the presence of sensitive data at rest or in motion on the endpoint device. It suffers the same limited threat of data leakage via screen capture that other remoting technologies do. However, as with other remoting technologies, this is considered an acceptable risk.

The benefits of VMI are not limited to BYOD. With no data on the device, the security risks associated with device loss or theft are effectively eliminated. Even with current mobile device management solutions in place and ready to remote wipe a device should it be lost, there is always a window between the time that a device is lost and the time that it is reported as missing. During this time, the possibility always exists that any locally held data can be accessed. With VMI, that risk no longer exists.

VMI also has a role to play in addressing Android platform fragmentation and cross-platform support. Google’s loose stewardship of Android has caused platform fragmentation, which has become a major challenge. According to platform tracker NetMarketShare, fewer than 50% of Android devices are running the two most recent OS releases, making it hard for developers to take advantage of new OS features if they want their apps to work across the majority of devices in use. Worse still, in January, Google stopped patching WebView, a core component of Android, in v. 4.3 and older. WebView is the pre-eminent attack vector for Android. The decision to stop patching WebView leaves half of all Android devices increasingly vulnerable to attack. VMI allows customers to take advantage of new Android features by ensuring that the virtual infrastructure is maintained on the current Android version. It also provides assurances that the OS has all available security patches loaded.

Just as VDI and RDSH can be used to provide access to Windows applications on Apple devices, VMI can be used to deliver Android apps to iOS, Windows Phone, and WinRT devices. For organizations standardizing on Android for in-house developed applications, this may be a viable means of extending support to iOS, BlackBerry, and Windows Phone devices.

There are multiple VMI implementations, just as there are for Windows:

  • Mobile app virtualization, which runs individual applications within a shared multi-user Android runtime, analogous to the way that Windows RDSH works.
  • A containerized solution, with multiple OS containers running on a shared Android kernel (think Parallels Virtuozzo).
  • Full Android OS virtualization, effectively VDI for Android. Each user has a full Android virtual machine capable of hosting multiple Android apps.

Just as with RDSH and VDI implementations, the choice involves trade-offs: the cost and session density of mobile app virtualization compete with the flexibility and isolation of full virtualization. Vendor solutions differ in their underlying host platform and remote display technology. Host platform implementations include RHEL, vSphere, and XenServer, simplifying integration with cloud and data center hosting environments.

Remoting of Android apps is not new: patents describing the operation of a VMI service date from 2009. However, the technology has not received the publicity of other enterprise mobility management technologies. At present, six vendors are vying for a slice of the VMI market. Newcomers include Bay Area–based Sierraware and Remotium; Austin, Texas–based Hypori, which announced that its Android Cloud Environment (ACE) is approved by the NSA for US government classified use; and Israeli startup Nubo. US defense contractor Raytheon is a strong contender with Trusted Access Mobile, and security software specialist Trend Micro has Safe Mobile Workforce. Netherlands-based Listeq supports Android as a guest OS on BoxedVDI, although it doesn’t explicitly market it as a VMI platform.

Notably absent are EUC leaders Citrix and VMware, a surprising omission given their in-depth experience of all the key technologies needed to deliver an effective VMI service and the obvious overlap with both VDI and EMM services. It should be relatively easy for both companies to move into this market if they feel it’s worth their efforts. All four startups are small enough to be easy acquisition candidates, should the need arise.