[liberationtech] Viber is secure?
collin at averysmallbird.com
Thu Sep 20 10:53:05 PDT 2012
BBG and Freedom House's report 'Safety on the Line' included some
evaluation of the security of Viber. While I was disappointed in the lack
of specific details overall in the publication, it did not appear that they
thought too highly of the application.
I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
perhaps if someone could reach out to them, we could get clarifications.
On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <
nathan at guardianproject.info> wrote:
> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> > At this time, Viber (http://www.viber.com/) is so popular amongst the
> > Iranian people and it is one of the popular communication ways in Iran.
> > I was wondering whether this app is secure or not. Is the data encrypted
> > or not?
> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
> We have not done an audit of this app yet, but some quick
> research (http://www.viber.com/privacypolicy.html)
> turned up some not very encouraging information. In short, it should be
> considered as secure as a normal telephone call, aka NOT SECURE. In
> addition, they make no mention of any security capabilities in their
> client software or protocol. I would consider Skype a safer option than
> Viber, which is saying a lot.
> We can only hope that they at least use SSL/TLS for their authentication
> and messaging API access from their client to their servers. It is
> extremely doubtful they are doing any kind of voice encryption.
> 1) They store a copy of all names and phone numbers in your phone's
> address book on their servers.
> "When you install the Viber App and register on the Site, you will be
> asked to provide us with your phone number and to allow us access to
> your mobile device's address book (collectively, "Personal
> Information"). A copy of the phone numbers and names in your address
> book (but not emails, notes or any other personal information in your
> address book) will be stored on our servers and will only be used to"
> 2) They maintain a record of every call for 30 months:
> "Viber also maintains a Call Detail Record (CDR - see
> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
> on the system. These are industry standard records used by all phone
> companies. <snip> All log analysis is done in an anonymous, aggregate,
> non-personally identifiable manner. We may look into a specific Call
> Detail Record in response to a customer support request. We maintain
> CDRs for a period of no more than 30 months."
> 3) Calls go direct from phone to phone if possible, meaning it's clear to
> network operators who is calling/talking to each other.
> "Audio calls by users are transmitted either directly from user to user
> or, if direct transmission is not possible (due to, for example,
> firewalls), Viber servers are used to transmit the call. In the latter
> scenario, the information transmitted is stored briefly in volatile
> memory (RAM) solely to enable the transmission of the call to the other
> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
> 4) They make no statement about notifying you if your personal data is
> given to law enforcement or other authorities. Does this mean they would
> respond to an Iranian gov't request? Who knows, but legally they could.
> "We may disclose information about you if we determine that for national
> security, law enforcement, or other issues of public importance that
> disclosure of information is necessary."
> 5) It seems like some countries/operators are blocking Viber, which
> means they must be using an easy to fingerprint VoIP port/protocol. This
> means it is easy to identify who is using Viber. (Skype, for example,
> does not use a standard port/protocol which makes it very hard to block,
> though probably still easy to identify)
> Hope that's helpful. If I can find time for someone to run Viber through
> wireshark, I am sure we can provide more concrete details on their
> protocol security.
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.