August 20, 2017

Pulse Secure container pros delineate Docker from Android for Work from iOS

Docker, Android for Work, and iOS with its native application containers differ on several planes beyond the fact that they are meant for separate platforms. Here Pulse Secure’s Yoav Weiss and Rusty Carter slice and dice a path around and between them.

Docker facts you need to know

As though it was some sort of middleware easing the human interface into containers, typically LXC, Docker is a higher-level tool that makes it easy to create, manage, and deploy self-contained environments by acting on the container technology of choice underneath. “Docker can use a number of lower level tools called drivers to actually build the container. It so happens that LXC is one of these drivers. They are not two competing technologies but Docker uses LXC, or it can use a number of alternatives to LXC, but LXC is one of the ways that Docker works,” says Yoav Weiss, CTO of Mobile, Pulse Secure.

Beyond simply allowing the enterprise to run many apps simultaneously on a single piece of hardware, Docker runs each app directly on the host kernel and physical server and not simply on emulated versions thereof.

Yet, Docker takes abstraction beyond VMs / virtual servers enabling the user or enterprise to supply everything an app needs to run on thin kernel instantiations that consist of only what is required to support the given application.

“Ultimately, Docker enables you to avoid using a set of apps together with complicated dependencies. Its focus is on the ease of development and deployment of servers,” says Weiss.

Android for Work is harder at work than you think

Some would say that while Android offers more choice than iOS as a smartphone OS, it is less secure. But Android for Work deploys separate instances of the entire operating system in order to keep data in the personal and enterprise environments separate.

Android for Work applies process separation by counting only on the separate uids of the different apps to ensure that one process and its environmental necessities cannot touch those of another process.

Interestingly enough, Android for Work’s filesystem separation is implemented in a manner much like that of both Docker and LXC, having a separate mount table so that apps in different containers can neither see nor access one another’s files, even when the files are stored in a public directory, notes Rusty Carter, Senior Director of Product Management, Pulse Secure.

IOS, more or less than what you bargained for

Some say the simplicity of iOS keeps users from making costly security mistakes and makes smartphones more secure than Android does; others feel quite differently about it. Though iOS serves the same purpose as Android for Work, it works on a very different philosophy and implementation, according to Weiss. Most notably, iOS is an altogether different OS than Linux. Rather than adding containers per se, iOS uses native sandbox rules to ensure that each application exists inside its own container environment by default.

“On iOS, low-level processes live in the same namespace, unlike Android for Work. So these processes actually can see each other but they are still forbidden from accessing each other,” says Weiss.

Apple uses its rule-based sandbox containers to enable enterprise application management and separation for MDM so the enterprise can define managed apps. It is these sandbox rules that keep personal apps from touching or comingling with managed apps.

“It is because these containers are not OS level containers that each app can only exist once on the system,” says Weiss; “a user cannot have a personal Dropbox app if the enterprise requires that they have a managed Dropbox app, whereas on Android it is possible because it appears like a separate instance of the operating system.” This results in iOS application designations that some consider limiting while others consider it secure.

Data also cannot flow between enterprise and personal apps on iOS devices. “The only exception is the built-in apps such as Mail and Safari that can access both sides and maintain the separation at the app level,” says Carter.

David Geer

David Geer’s work has appeared in ScientificAmerican, The Economist Technology Quarterly, CSO & CSOonline, FierceMarkets, TechTarget, InformationWeek, Computerworld, Byte.com, ITWorld.com, IEEE Computer Society’s Computer magazine, IEEE Distributed Systems Online, Government Security News, Laptop, Smart Computing, Technical Support, The Hosting Standard (Canada), TechWorld.com (UK), SIGnature, Processor, and the Engineering News-Record. David served as a technician at CoreComm in Cleveland, OH prior venturing into writing.