Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Viber is secure?

Katrin Verclas katrin at
Thu Sep 20 11:02:56 PDT 2012

Cormac, care to chime in?
On Sep 20, 2012 1:53 PM, "Collin Anderson" <collin at>

> Hi Amin,
> BBG and Freedom House's report 'Safety on the Line' included some
> evaluation of the security of Viber. While I was disappointed in the lack
> of specific details overall in the publication, it did not appear that they
> thought too highly of the application.
> [PDF]
> I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
> perhaps if someone could reach out to them, we could get clarifications.
> Cordially,
> Collin
> On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <
> nathan at> wrote:
>> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
>> > At this time, Viber ( is so popular amongst the
>> > Iranian people and it is one of the popular communication ways in Iran.
>> > I was wondering to know this app is secure or not? The data is
>> encrypted or
>> > not?
>> (I have cc'd Viber's privacy email on this not. Perhaps they will chime
>> in!)
>> We have not done an audit of this app yet, but here's what some quick
>> research (
>>  turned up some not very encouraging information. In short, it should be
>> considered as secure as a normal telephone call, aka NOT SECURE. In
>> addition, they make no mention of any security capabilities in their
>> client software or protocol. I would consider Skype a safer option than
>> Viber, which is saying a lot.
>> We can only hope that they at least use SSL/TLS for their authentication
>> and messaging API access from their client to their servers. It is
>> extremely doubtful they are doing any kind of voice encryption.
>> More detail below from their privacy policy text:
>> 1) They store a copy of all names and phone numbers in your phone's
>> address book on their servers.
>> "When you install the Viber App and register on the Site, you will be
>> asked to provide us with your phone number and to allow us access to
>> your mobile device's address book (collectively, "Personal
>> Information"). A copy of the phone numbers and names in your address
>> book (but not emails, notes or any other personal information in your
>> address book) will be stored on our servers and will only be used to"
>> 2) They maintain a record of every call for 30 months:
>> "Viber also maintains a Call Detail Record (CDR - see
>> for each call conducted
>> on the system. These are industry standard records used by all phone
>> companies. <snip> All log analysis is done in an anonymous, aggregate,
>> non-personally identifiable manner. We may look into a specific Call
>> Detail Record in response to a customer support request. We maintain
>> CDRs for a period of no more than 30 months."
>> 3) Calls go direct from phone to phone if possible, meaning its clear to
>> network operators who is calling/talking to each other.
>> "Audio calls by users are transmitted either directly from user to user
>> or, if direct transmission is not possible (due to, for example,
>> firewalls), Viber servers are used to transmit the call. In the latter
>> scenario, the information transmitted is stored briefly in volatile
>> memory (RAM) solely to enable the transmission of the call to the other
>> 4) They make no statement about notifying you if your personal data is
>> given to law enforcement or other authorities. Does this mean they would
>> respond to a Iranian gov't request? Who knows, but legally they could.
>> "We may disclose information about you if we determine that for national
>> security, law enforcement, or other issues of public importance that
>> disclosure of information is necessary."
>> 5) It seems like some countries/operators are blocking Viber, which
>> means they must be using an easy to fingerprint VoIP port/protocol. This
>> means it is easy to identify who is using Viber. (Skype, for example,
>> does not use a standard port/protocol which makes it very hard to block,
>> though probably still easy to identify)
>> Hope that's helpful. If I can find time for someone to run Viber through
>> wireshark, I am sure we can provide more concrete details on their
>> protoocl security.
>> +n
>> --
>> Unsubscribe, change to digest, or change password at:
> --
> *Collin David Anderson*
> | @cda | Washington, D.C.
> --
> Unsubscribe, change to digest, or change password at:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list