As we move forward with enterprise applications (such as corporate travel apps, recommended commercial apps), the topic has come up regarding a software review process for mobile applications.
Does anyone have any insight they can provide? What are some things you look for when 'approving' an app for corporate use? Security? Permissions required? Update intervals, etc?
You may want to look at some App wrapper technologies, like that made by Mocana. What these apps do is take a completed binary and "wrap" them with security features (for instance encrypting everything stored to disk, encrypting data transport, and providing app authentication mechanisms). This way you have at least some basis of application consistency from a security standpoint. I don't have any direct experience with the technology myself, but it seems intriguing.
Of course, vetting out user friendliness, best practices, etc. is a whole different ball game. You may want to consider an application development platform (traditionally called a MEAP or MCAP) to help standardize some of the development and deployment processes.
The reality is although we are reaching a point of maturity for MDM, in-house app development processes are still the wild west. Maybe in the end your best bet will be clearly communicating requirements on the front end to developers with a very clear word doc or wiki!
Things like Mocana look great, but I am not as worried about "in house" apps as I am about app store apps. For example, I'd like to be able to offer an app like Noteability or Penultimate but block off the ability to sync via dropbox. Are any of these wrapper tools available for iTunes app store apps?
Ah, gotcha. Short answer: no, there isn't a way to block apps from performing the "Open In..." function that ultimately allows copying of data to places you may not like.
The problem is that with the code signing that Apple requires for all App Store apps, wrapping the app is impossible. I have heard of some vendors offering non-signed versions of their apps to customers so that they may be wrapped, but of course your mileage will vary dramatically on this one.
The general best practice approach (at this point) is to simply provide your employees with tools that are comparable to what they will want to use on their own. For example, consider box.net or OxygenCloud or other Dropbox-y enterprise tools and educate your users to use those tools for corporate data instead of Dropbox. You may even be able to block *.dropbox.com on your enterprise network making it unattractive enough to use while on-site to encourage/force adoption of the enterprise tool.
Your other option is to use MDM to create a black-list of apps that basically smacks the user with the MDM stick by taking away privileges (e.g. email, Safari, etc.) until they remove the violating app.
Otherwise, this is very much the root challenge enterprise is facing when it comes to embracing these new mobile devices. My approach has been to not try to force restrictions (because you can't stop a worker who wants to be productive on these things with today's MDM tech), but to provide comparable enterprise-blessed solutions that the user would happily use while staying compliant with policy.
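The two enterprise-side controls mentioned in the reply above (blocking `*.dropbox.com` at the network edge, and an MDM app black-list that withholds privileges until the offending app is removed) both come down to a matching problem that is easy to get subtly wrong. The script below is an added example written for this thread, not code from any poster or MDM vendor. It uses a constructed proxy log and a constructed device inventory; the log format, the `com.example.*` bundle IDs and the device names are all made up for illustration. Note the wildcard match: `*.dropbox.com` must cover the apex domain and every subdomain, but must not match a look-alike such as `notdropbox.com`.

```python
"""Constructed example: wildcard domain blocking and an MDM-style app black-list audit."""

# Network block list in the form the thread suggests ("*.dropbox.com"). Constructed.
BLOCKED_DOMAINS = ["*.dropbox.com"]

# Bundle IDs an organisation has decided to black-list. Placeholder IDs, not real apps.
BLOCKED_BUNDLES = {"com.example.consumer-sync"}

# Privileges the MDM withholds while a black-listed app is installed (from the reply).
REVOKED_PRIVILEGES = ["email", "safari"]

# Constructed proxy log: "<timestamp> <client_ip> <host> <method> <status>" per line.
SAMPLE_PROXY_LOG = """\
2024-01-01T09:00:01Z 10.1.2.3 www.dropbox.com CONNECT 200
2024-01-01T09:00:02Z 10.1.2.3 files.example-enterprise-cloud.test CONNECT 200
2024-01-01T09:00:03Z 10.1.2.4 notdropbox.com GET 200
2024-01-01T09:00:04Z 10.1.2.5 dl-client.dropbox.com GET 200
2024-01-01T09:00:05Z 10.1.2.6 dropbox.com.attacker.test GET 200
"""

# Constructed MDM inventory: device name -> installed bundle IDs (all placeholders).
SAMPLE_INVENTORY = {
    "ipad-0001": ["com.example.mail", "com.example.consumer-sync"],
    "ipad-0002": ["com.example.mail", "com.example.notes"],
    "ipad-0003": ["com.example.consumer-sync", "com.example.notes"],
}


def domain_blocked(host: str, patterns=BLOCKED_DOMAINS) -> bool:
    """True if host matches a block-list entry.

    A "*.base" pattern matches the apex domain "base" and any subdomain of it,
    but not a different domain that merely ends with the same characters.
    """
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower().rstrip(".")
        if pat.startswith("*."):
            base = pat[2:]
            # Label-boundary check: "x.dropbox.com" yes, "notdropbox.com" no.
            if host == base or host.endswith("." + base):
                return True
        elif host == pat:
            return True
    return False


def find_blocked_requests(log_text: str):
    """Return (client_ip, host) pairs from proxy log lines that hit the block list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, host, _method, _status = parts[:5]
        if domain_blocked(host):
            hits.append((client, host))
    return hits


def audit_devices(inventory, blocked=BLOCKED_BUNDLES):
    """Return non-compliant devices with their violations and the privileges to withhold."""
    report = {}
    for device, apps in inventory.items():
        violations = sorted(set(apps) & blocked)
        if violations:
            report[device] = {"violations": violations, "revoke": list(REVOKED_PRIVILEGES)}
    return report


if __name__ == "__main__":
    for client, host in find_blocked_requests(SAMPLE_PROXY_LOG):
        print(f"blocked: {client} -> {host}")
    for device, info in audit_devices(SAMPLE_INVENTORY).items():
        print(f"{device}: violations={info['violations']} revoke={info['revoke']}")
```

Running it lists the two genuine Dropbox hosts from the sample log (the look-alike domains are left alone) and the two devices that would lose email and Safari until the black-listed app is removed; swapping in a real proxy export or MDM inventory only requires adjusting the line parsing in `find_blocked_requests`.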