
Can encrypted calling apps boost BYOD security?

There are apps available that encrypt voice communications on smartphones and BYO devices, but are they really worth the investment? Expert Michael Cobb discusses.

I recently read that installing an encrypted calling app can help secure communications on smartphones and employee-owned devices. Is this something that enterprises should include in their BYOD policy? How beneficial are they?

Fears about government agencies around the world potentially listening in on personal telephone conversations have fueled the demand for easier ways to secure calls made from mobile devices.

Open Whisper Systems -- developers of the open source RedPhone app for Android -- developed a similar free app called Signal that's compatible with RedPhone and provides encrypted voice calls for the iPhone. The core encryption technology in Signal is the ZRTP protocol created by PGP encryption inventor Phil Zimmermann, whose own Silent Circle apps use ZRTP and are installed on the newly available anti-eavesdropping Blackphone device. Other phones already on the market that offer voice encryption include Sectéra Edge from General Dynamics, which is certified to protect wireless voice communications classified "Top Secret" as well as access email and websites classified as "Secret." A cheaper option is Cellcrypt Mobile, an application that provides end-to-end real-time encryption for Android, BlackBerry, iPhone and Nokia smartphones without the need for specialized equipment.

Organizations with employees who need to discuss highly sensitive information on their mobile phones should assess these products to see if they meet their security requirements. One problem is that both participants in a call usually need to have the same call encryption app installed, so encrypted calls to suppliers or customers may not be that straightforward. Also, encryption won't protect a conversation that's overheard by someone eavesdropping nearby.

To fully benefit from the security features of encryption apps, an acceptable usage policy should cover how certain types of information can be exchanged to prevent careless talk from leaking highly confidential information. For example, sensitive conversations should never be held in public places where they may be overheard. Additionally, security awareness training should cover how the security features of a particular app work to ensure calls are actually encrypted. Remember that for encryption to completely prevent unwanted surveillance, data must be encrypted throughout its lifecycle: at rest, in use or in motion, so any call encryption software has to be part of an integrated plan for data security.

Be aware that although calls may be encrypted, governments have legal avenues to gain access to encrypted data, though any such request would notify a company that its data is being targeted. Also, for a call to be completed, a valid phone number or IP address has to be sent in plaintext, which lets anyone in a position to carry out traffic analysis see where calls are coming from and going to. For the truly paranoid, routing calls through Tor would help further disguise metadata associated with a call.

In the end, encrypting voice calls is probably still unnecessary or at least not a cost-effective measure for most BYOD users. However, senior executives and employees travelling abroad may find that it is a valid security control for certain situations.


This was last published in December 2014


Would your organization consider using an encrypted calling app?
While the recent Sony hack was for emails, the sensitive information gained from that hack has forced my company to look into every safety application, roll and procedure out there, including those that encrypt calls. Our data and conversations contain deeply sensitive information that, if contaminated or compromised, could spell disaster for the business. Because of this, we are actively looking for the best calling encryption apps available for our OS and mobile devices.