[liberationtech] Viber is secure?
katrin at mobileactive.org
Thu Sep 20 11:02:56 PDT 2012
Cormac, care to chime in?
On Sep 20, 2012 1:53 PM, "Collin Anderson" <collin at averysmallbird.com>
> Hi Amin,
> BBG and Freedom House's report 'Safety on the Line' included some
> evaluation of the security of Viber. While I was disappointed in the lack
> of specific details overall in the publication, it did not appear that they
> thought too highly of the application.
> I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
> perhaps if someone could reach out to them, we could get clarifications.
> On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
>> > At this time, Viber (http://www.viber.com/) is so popular amongst the
>> > Iranian people and it is one of the popular communication ways in Iran.
>> > I was wondering to know this app is secure or not? The data is
>> > encrypted or not?
>> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
>> We have not done an audit of this app yet, but some quick
>> research (http://www.viber.com/privacypolicy.html)
>> turned up some not very encouraging information. In short, it should be
>> considered as secure as a normal telephone call, aka NOT SECURE. In
>> addition, they make no mention of any security capabilities in their
>> client software or protocol. I would consider Skype a safer option than
>> Viber, which is saying a lot.
>> We can only hope that they at least use SSL/TLS for their authentication
>> and messaging API access from their client to their servers. It is
>> extremely doubtful they are doing any kind of voice encryption.
>> 1) They store a copy of all names and phone numbers in your phone's
>> address book on their servers.
>> "When you install the Viber App and register on the Site, you will be
>> asked to provide us with your phone number and to allow us access to
>> your mobile device's address book (collectively, "Personal
>> Information"). A copy of the phone numbers and names in your address
>> book (but not emails, notes or any other personal information in your
>> address book) will be stored on our servers and will only be used to"
>> 2) They maintain a record of every call for 30 months:
>> "Viber also maintains a Call Detail Record (CDR - see
>> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
>> on the system. These are industry standard records used by all phone
>> companies. <snip> All log analysis is done in an anonymous, aggregate,
>> non-personally identifiable manner. We may look into a specific Call
>> Detail Record in response to a customer support request. We maintain
>> CDRs for a period of no more than 30 months."
>> 3) Calls go direct from phone to phone if possible, meaning it's clear to
>> network operators who is calling/talking to each other.
>> "Audio calls by users are transmitted either directly from user to user
>> or, if direct transmission is not possible (due to, for example,
>> firewalls), Viber servers are used to transmit the call. In the latter
>> scenario, the information transmitted is stored briefly in volatile
>> memory (RAM) solely to enable the transmission of the call to the other
>> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
>> 4) They make no statement about notifying you if your personal data is
>> given to law enforcement or other authorities. Does this mean they would
>> respond to an Iranian gov't request? Who knows, but legally they could.
>> "We may disclose information about you if we determine that for national
>> security, law enforcement, or other issues of public importance that
>> disclosure of information is necessary."
>> 5) It seems like some countries/operators are blocking Viber, which
>> means they must be using an easy to fingerprint VoIP port/protocol. This
>> means it is easy to identify who is using Viber. (Skype, for example,
>> does not use a standard port/protocol which makes it very hard to block,
>> though probably still easy to identify)
>> Hope that's helpful. If I can find time for someone to run Viber through
>> wireshark, I am sure we can provide more concrete details on their
>> protocol security.
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.