[liberationtech] Viber is secure?
Collin Anderson
collin at averysmallbird.com
Thu Sep 20 10:53:05 PDT 2012
Hi Amin,
BBG and Freedom House's report 'Safety on the Line' included some
evaluation of the security of Viber. While I was disappointed in the lack
of specific details overall in the publication, it did not appear that they
thought too highly of the application.
[PDF]
http://www.freedomhouse.org/sites/default/files/Safety%20on%20the%20Line.pdf
I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
perhaps if someone could reach out to them, we could get clarifications.
Cordially,
Collin
On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <
nathan at guardianproject.info> wrote:
> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> > At this time, Viber (http://www.viber.com/) is so popular amongst the
> > Iranian people and it is one of the popular communication ways in Iran.
> > I was wondering to know this app is secure or not? The data is encrypted or
> > not?
>
> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
> in!)
>
> We have not done an audit of this app yet, but some quick
> research (http://www.viber.com/privacypolicy.html)
> turned up some not very encouraging information. In short, it should be
> considered as secure as a normal telephone call, aka NOT SECURE. In
> addition, they make no mention of any security capabilities in their
> client software or protocol. I would consider Skype a safer option than
> Viber, which is saying a lot.
>
> We can only hope that they at least use SSL/TLS for their authentication
> and messaging API access from their client to their servers. It is
> extremely doubtful they are doing any kind of voice encryption.
>
> More detail below from their privacy policy text:
>
> 1) They store a copy of all names and phone numbers in your phone's
> address book on their servers.
>
> "When you install the Viber App and register on the Site, you will be
> asked to provide us with your phone number and to allow us access to
> your mobile device's address book (collectively, "Personal
> Information"). A copy of the phone numbers and names in your address
> book (but not emails, notes or any other personal information in your
> address book) will be stored on our servers and will only be used to"
>
> 2) They maintain a record of every call for 30 months:
>
> "Viber also maintains a Call Detail Record (CDR - see
> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
> on the system. These are industry standard records used by all phone
> companies. <snip> All log analysis is done in an anonymous, aggregate,
> non-personally identifiable manner. We may look into a specific Call
> Detail Record in response to a customer support request. We maintain
> CDRs for a period of no more than 30 months."
>
> 3) Calls go direct from phone to phone if possible, meaning it's clear to
> network operators who is calling/talking to each other.
>
> "Audio calls by users are transmitted either directly from user to user
> or, if direct transmission is not possible (due to, for example,
> firewalls), Viber servers are used to transmit the call. In the latter
> scenario, the information transmitted is stored briefly in volatile
> memory (RAM) solely to enable the transmission of the call to the other
> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
>
> 4) They make no statement about notifying you if your personal data is
> given to law enforcement or other authorities. Does this mean they would
> respond to an Iranian gov't request? Who knows, but legally they could.
>
> "We may disclose information about you if we determine that for national
> security, law enforcement, or other issues of public importance that
> disclosure of information is necessary."
>
> 5) It seems like some countries/operators are blocking Viber, which
> means they must be using an easy to fingerprint VoIP port/protocol. This
> means it is easy to identify who is using Viber. (Skype, for example,
> does not use a standard port/protocol which makes it very hard to block,
> though probably still easy to identify)
>
>
> http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers
>
> Hope that's helpful. If I can find time for someone to run Viber through
> wireshark, I am sure we can provide more concrete details on their
> protocol security.
>
> +n
--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.