I have developed a mobile application that runs on our company's mobile devices. The mobile application connects to the corporate servers over a GSM network.
We had a meeting to decide how to secure communication between the mobile application and the server application. Our security team insists that we install the VPN application on the mobile device, first establish a VPN connection to our corporate network, and then connect our mobile application to the server via https.
I could not understand her persistence. I think it's more dangerous to give each owner of a mobile device VPN rights than to connect over https. As far as I know, an https connection can provide the required security between the client and server applications, both of which I have written and which use https for communication.
Is there any security-relevant information that I do not understand sufficiently? To be honest, how could I show you that https is sufficient for security and that offering VPN is more dangerous? All other convincing information is welcome.