[liberationtech] Viber is secure?

Nathan of Guardian nathan at guardianproject.info
Thu Sep 20 10:28:50 PDT 2012


On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> At this time, Viber (http://www.viber.com/) is so popular amongst the
> Iranian people and it is one of the popular communication ways in Iran.
> I was wondering whether this app is secure or not. Is the data encrypted
> or not?

(I have cc'd Viber's privacy email on this note. Perhaps they will chime in!)

We have not done an audit of this app yet, but some quick
research (http://www.viber.com/privacypolicy.html)
turned up some not very encouraging information. In short, it should be
considered as secure as a normal telephone call, aka NOT SECURE. In
addition, they make no mention of any security capabilities in their
client software or protocol. I would consider Skype a safer option than
Viber, which is saying a lot.

We can only hope that they at least use SSL/TLS for their authentication
and messaging API access from their client to their servers. It is
extremely doubtful they are doing any kind of voice encryption.

More detail below from their privacy policy text:

1) They store a copy of all names and phone numbers in your phone's
address book on their servers.

"When you install the Viber App and register on the Site, you will be
asked to provide us with your phone number and to allow us access to
your mobile device's address book (collectively, "Personal
Information"). A copy of the phone numbers and names in your address
book (but not emails, notes or any other personal information in your
address book) will be stored on our servers and will only be used to"

2) They maintain a record of every call for 30 months:

"Viber also maintains a Call Detail Record (CDR - see
http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
on the system. These are industry standard records used by all phone
companies. <snip> All log analysis is done in an anonymous, aggregate,
non-personally identifiable manner. We may look into a specific Call
Detail Record in response to a customer support request. We maintain
CDRs for a period of no more than 30 months."

3) Calls go direct from phone to phone if possible, meaning it's clear to
network operators who is calling/talking to each other.

"Audio calls by users are transmitted either directly from user to user
or, if direct transmission is not possible (due to, for example,
firewalls), Viber servers are used to transmit the call. In the latter
scenario, the information transmitted is stored briefly in volatile
memory (RAM) solely to enable the transmission of the call to the other
user. WE DO NOT RECORD ANY PART OF YOUR CALL."

4) They make no statement about notifying you if your personal data is
given to law enforcement or other authorities. Does this mean they would
respond to an Iranian gov't request? Who knows, but legally they could.

"We may disclose information about you if we determine that for national
security, law enforcement, or other issues of public importance that
disclosure of information is necessary."

5) It seems like some countries/operators are blocking Viber, which
means they must be using an easy to fingerprint VoIP port/protocol. This
means it is easy to identify who is using Viber. (Skype, for example,
does not use a standard port/protocol which makes it very hard to block,
though probably still easy to identify)

http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers

Hope that's helpful. If I can find time for someone to run Viber through
wireshark, I am sure we can provide more concrete details on their
protocol security.

+n



