I recently read that installing an encrypted calling app can help secure communications on smartphones and employee-owned devices. Is this something that enterprises should include in their BYOD policy? How beneficial are they?
Fears about government agencies around the world potentially listening in on personal telephone conversations have fueled the demand for easier ways to secure calls made from mobile devices.
Open Whisper Systems -- developers of the open source RedPhone app for Android -- developed a similar free app called Signal that's compatible with RedPhone and provides encrypted voice calls for the iPhone. The core encryption technology in Signal is the ZRTP protocol created by PGP encryption inventor Phil Zimmermann, whose own Silent Circle apps use ZRTP and are installed on the newly available anti-eavesdropping Blackphone device. Other phones already on the market that offer voice encryption include Sectéra Edge from General Dynamics, which is certified to protect wireless voice communications classified "Top Secret" as well as access email and websites classified as "Secret." A cheaper option is Cellcrypt Mobile, an application that provides end-to-end real-time encryption for Android, BlackBerry, iPhone and Nokia smartphones without the need for specialized equipment.
Organizations with employees who need to discuss highly sensitive information on a mobile phone should assess these products against their own security requirements. One practical problem is that both participants in a call need the same app, or at least interoperable apps that speak the same protocol (RedPhone and Signal interoperate because both use ZRTP), so encrypted calls to suppliers or customers may not be straightforward. Also, encryption protects the call only in transit: it does nothing against someone eavesdropping on the conversation nearby, or against a compromised handset that captures the audio before it is encrypted.
To get the full benefit of an encryption app, an acceptable use policy should state how different classes of information may be exchanged, so that careless talk does not leak highly confidential information; for example, sensitive conversations should never be held in public places where they may be overheard. Security awareness training should also cover how the security features of the particular app work, so that users can tell whether a call is actually encrypted: ZRTP-based apps such as RedPhone, Signal and the Silent Circle apps show a short authentication string on both handsets, and the parties should read it to each other at the start of the call and hang up if the two strings differ, because a mismatch means the call is being intercepted. Remember that for encryption to fully prevent unwanted surveillance, data must be encrypted throughout its lifecycle, at rest, in use and in motion, so any call encryption software has to be part of an integrated data security plan.
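As an added illustration of the two paragraphs above (the ZRTP mechanism behind RedPhone, Signal and the Silent Circle apps, and the training point that users must know how to confirm a call is really encrypted), here is a constructed, simplified ZRTP-style call setup in Python. It is not code from Signal, RedPhone or the ZRTP specification: it runs a plain finite-field Diffie-Hellman exchange over the RFC 3526 group 14 modulus and derives a four-character short authentication string (SAS) in the spirit of ZRTP, omitting ZRTP's hash commitment, key-continuity cache and hashing of the handshake messages. The function names (dh_keypair, dh_shared, derive_sas, verify_sas, honest_call, mitm_call) are my own, as is the Alice/Bob/Mallory scenario.

```python
"""Constructed, simplified ZRTP-style call setup (not Signal, RedPhone or ZRTP code).

Two parties run an unauthenticated Diffie-Hellman exchange, derive the media key
from the result, and confirm the exchange out of band by reading a short
authentication string (SAS) to each other. An interceptor who terminates the
exchange on both sides ends up with two different SAS values, which the users notice.
"""
import base64
import hashlib
import secrets

# 2048-bit MODP modulus from RFC 3526 (group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
SAS_CHARS = 4  # a four-character base-32 SAS carries 20 bits, as ZRTP's does


def dh_keypair():
    """Fresh ephemeral DH key pair; a new pair per call gives forward secrecy."""
    priv = secrets.randbelow(P - 3) + 2          # private exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret. Degenerate public values (0, 1, P-1) are rejected because
    they would force the secret into a trivial subgroup the attacker controls."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_pub, priv, P)


def derive_sas(shared, initiator_pub, responder_pub):
    """Short Authentication String: a few bits of a hash over the shared secret
    and both public values, rendered in base 32 so it can be read aloud.
    Real ZRTP also mixes hashes of every handshake message into this value."""
    h = hashlib.sha256()
    for v in (shared, initiator_pub, responder_pub):
        h.update(v.to_bytes(256, "big"))       # all values are < 2**2048
    return base64.b32encode(h.digest()[:5]).decode()[:SAS_CHARS]


def verify_sas(mine, spoken_by_peer):
    """The check a user performs: does the SAS the peer reads out match mine?"""
    return mine == spoken_by_peer


def honest_call():
    """Alice (initiator) and Bob exchange public values directly."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    sas_alice = derive_sas(dh_shared(a_priv, b_pub), a_pub, b_pub)
    sas_bob = derive_sas(dh_shared(b_priv, a_pub), a_pub, b_pub)
    return sas_alice, sas_bob


def mitm_call():
    """Mallory sits on the path and runs a separate DH exchange with each side.
    Both legs are 'encrypted', but to Mallory's keys, so the two SAS values
    disagree and the interception shows up the moment they are compared."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_to_alice_priv, m_to_alice_pub = dh_keypair()   # Mallory posing as Bob
    m_to_bob_priv, m_to_bob_pub = dh_keypair()       # Mallory posing as Alice
    # Alice receives Mallory's value in place of Bob's.
    sas_alice = derive_sas(dh_shared(a_priv, m_to_alice_pub), a_pub, m_to_alice_pub)
    # Bob receives Mallory's value in place of Alice's.
    sas_bob = derive_sas(dh_shared(b_priv, m_to_bob_pub), m_to_bob_pub, b_pub)
    # Mallory holds a valid media key for each leg and can decrypt and re-encrypt.
    assert dh_shared(m_to_alice_priv, a_pub) == dh_shared(a_priv, m_to_alice_pub)
    assert dh_shared(m_to_bob_priv, b_pub) == dh_shared(b_priv, m_to_bob_pub)
    return sas_alice, sas_bob


if __name__ == "__main__":
    a, b = honest_call()
    print("honest call : Alice sees", a, "Bob sees", b, "match:", verify_sas(a, b))
    a, b = mitm_call()
    print("intercepted : Alice sees", a, "Bob sees", b, "match:", verify_sas(a, b))
```

The point for training is that the DH exchange on its own is unauthenticated: without the spoken SAS comparison the intercepted call in mitm_call looks exactly like the honest one to both users. A 20-bit SAS would let an interceptor who can choose DH values try about a million candidates to force a match, which is why real ZRTP makes the initiator commit to a hash of its DH value before the responder reveals its own; that commitment is deliberately left out here to keep the example short.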
Be aware that although the call content may be encrypted, governments have legal avenues to demand data from the service provider. With an end-to-end protocol such as ZRTP the provider holds no session keys, so what it can hand over is account and call records rather than call content, and in many jurisdictions such a request puts the company on notice that its data is being targeted. Also, for a call to be set up, a valid phone number or IP address has to be sent in plaintext, so anyone positioned to carry out traffic analysis can see who is calling whom, when and for how long. For the truly paranoid, routing the call setup through Tor would further disguise that metadata, but Tor only carries TCP streams, so real-time voice over it is impractical, and any media sent outside Tor still reveals the endpoints' addresses.
In the end, encrypting voice calls is probably still unnecessary or at least not a cost-effective measure for most BYOD users. However, senior executives and employees travelling abroad may find that it is a valid security control for certain situations.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)