Mobile Apps Encrypt Sensitive Data Using ASD-Approved Cryptography
Mobile apps must encrypt all sensitive or classified data sent over public networks using cryptography approved by the Australian Signals Directorate (ASD).
Plain language
When a mobile app on a phone or tablet sends sensitive or classified information across public networks (like the internet or mobile data), that information must be scrambled so outsiders cannot read it. The scrambling method (called cryptography or encryption) has to be one that the Australian Signals Directorate (ASD), the government's cyber security agency, has approved. This protects your organisation's data from being intercepted and read while it travels between the app and wherever it is going.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
June 2026
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile Device Management
Topic
Encrypted Communications
Official control statement
Mobile applications encrypt all sensitive or classified data communicated over public network infrastructure using ASD-approved cryptography.
Why it matters
If a mobile app sends sensitive or classified data over public networks without ASD-approved encryption, attackers can intercept and read that data in transit, leading to a serious data breach.
Operational notes
Recheck each app's encryption against the current ASD-approved cryptography list periodically and after every app or operating system update, as approved algorithms and app behaviour both change over time. Note that an approved protocol such as TLS only protects the data if the app also validates the server's certificate; an app that accepts any certificate can be intercepted even though it negotiates an approved cipher, so include certificate validation in each check.
Implementation tips
- The IT manager should compile a list of every mobile app the organisation uses that sends sensitive or classified data, then confirm with each app vendor or by checking technical documentation that the app uses encryption when communicating over public networks.
- The IT team should verify that the encryption used by each mobile app appears on the ASD-approved cryptography list (published by the Australian Signals Directorate), and record the specific algorithm or protocol each app relies on (for example, TLS with an approved cipher).
- The person managing mobile devices should configure organisation-issued phones and tablets so apps cannot send sensitive data over unencrypted connections, for example by enforcing settings through a Mobile Device Management (MDM) platform.
- The business owner or IT lead should reject or remove any mobile app that cannot demonstrate it encrypts sensitive data in transit with ASD-approved cryptography, replacing it with a compliant alternative.
- The IT team should retest encryption after each major app update or operating system change, since updates can alter how an app handles data sent over public networks, and keep dated records of each check.
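The verification and retest steps above produce their evidence from observed connections: for each app, the negotiated protocol version and cipher suite are recorded and compared against the approved list. The following is an added example of that comparison, not code from ISM-2108, the Control Stack page or any vendor tool. The allow-list it uses (TLS 1.2 and 1.3 with AEAD cipher suites) is an assumption for illustration only; the authoritative set comes from the current ISM cryptography guidelines. The host names, app names and sample observations are constructed.

```python
"""Compare observed TLS parameters against an illustrative allow-list.

Added example, not part of ISM-2108 or any product. APPROVED_VERSIONS and
APPROVED_CIPHERS are an ASSUMPTION for illustration; take the real set from
the current ISM cryptography guidelines.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed allow-list (illustrative, not the authoritative ASD list):
# TLS 1.2 or later, and AEAD suites (AES-GCM or ChaCha20-Poly1305) with
# ECDHE key agreement, using OpenSSL's cipher-suite names.
APPROVED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
APPROVED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
}


@dataclass
class Observation:
    """One observed app-to-server connection from a capture summary or probe."""
    app: str
    host: str
    port: int
    version: Optional[str]  # None means no TLS handshake was seen (cleartext)
    cipher: Optional[str]


def assess(obs: Observation) -> Tuple[bool, str]:
    """Return (compliant, reason) for a single observed connection."""
    if obs.version is None:
        return False, "no TLS: data sent in cleartext"
    if obs.version not in APPROVED_VERSIONS:
        return False, f"protocol {obs.version} not on allow-list"
    if obs.cipher not in APPROVED_CIPHERS:
        return False, f"cipher {obs.cipher} not on allow-list"
    return True, f"{obs.version} / {obs.cipher}"


def assess_all(observations: List[Observation]) -> Dict[str, Tuple[bool, str]]:
    """Assess every observation; the returned report is the dated evidence record."""
    return {f"{o.app} -> {o.host}:{o.port}": assess(o) for o in observations}


def probe(app: str, host: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """Live probe using the system's default TLS client (validates the certificate).

    This shows what the server negotiates with THIS client, which is not
    necessarily what the mobile app negotiates; a capture of the app's own
    traffic remains the authoritative evidence. Network access required.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            return Observation(app, host, port, tls.version(), name)


# Constructed sample observations standing in for a network capture summary.
SAMPLE = [
    Observation("ExpenseApp", "api.example.test", 443, "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    Observation("LegacySync", "sync.example.test", 443, "TLSv1.0", "AES256-SHA"),
    Observation("FieldNotes", "notes.example.test", 8080, None, None),
]

if __name__ == "__main__":
    for key, (ok, why) in assess_all(SAMPLE).items():
        print("PASS" if ok else "FAIL", key, why)
```

Run against the constructed sample, the report flags the app that still negotiates TLS 1.0 and the one that sends over plain HTTP, and passes the TLS 1.3 connection; re-running it after each app or OS update, with the output kept alongside the date and app version, gives the dated evidence the audit tips ask for.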
Audit / evidence tips
- Ask: the inventory of mobile apps that handle sensitive or classified data. Look at: whether each entry records the encryption method used in transit. Good: a maintained list naming every relevant app and the specific cryptography it uses over public networks.
- Ask: the IT team to show that the encryption each app uses is on the ASD-approved cryptography list. Look at: the named algorithms or protocols against the current Australian Signals Directorate guidance. Good: maps each app to a named, currently approved cryptographic standard.
- Ask: evidence that data cannot be sent unencrypted, such as Mobile Device Management (MDM) configuration or app settings. Look at: the enforced policy. Good: shows technical controls that block sensitive data from travelling over public networks without encryption.
- Ask: how the organisation tests that encryption actually works in practice. Look at: test results, network capture summaries, or vendor attestations. Good: includes dated evidence confirming traffic is encrypted, not just an assumption that it is.
- Ask: what happens when an app cannot meet the requirement. Look at: records of apps that were rejected, removed, or remediated. Good: shows a clear process for removing or replacing non-compliant apps and dated examples of it being applied.
Cross-framework mappings
How ISM-2108 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-2108 requires mobile applications to encrypt all sensitive or classified data sent over public networks using ASD-approved cryptography | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.