[liberationtech] Viber is secure?

Katrin Verclas katrin at mobileactive.org
Thu Sep 20 11:02:56 PDT 2012


Cormac, care to chime in?
On Sep 20, 2012 1:53 PM, "Collin Anderson" <collin at averysmallbird.com>
wrote:

> Hi Amin,
>
> BBG and Freedom House's report 'Safety on the Line' included some
> evaluation of the security of Viber. While I was disappointed in the lack
> of specific details overall in the publication, it did not appear that they
> thought too highly of the application.
>
> [PDF]
> http://www.freedomhouse.org/sites/default/files/Safety%20on%20the%20Line.pdf
>
> I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
> perhaps if someone could reach out to them, we could get clarifications.
>
> Cordially,
> Collin
>
> On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>
>> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
>> > At this time, Viber (http://www.viber.com/) is so popular amongst the
>> > Iranian people and it is one of the popular communication ways in Iran.
>> > I was wondering to know this app is secure or not? The data is
>> > encrypted or not?
>>
>> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
>> in!)
>>
>> We have not done an audit of this app yet, but some quick
>> research (http://www.viber.com/privacypolicy.html)
>> turned up some not very encouraging information. In short, it should be
>> considered as secure as a normal telephone call, aka NOT SECURE. In
>> addition, they make no mention of any security capabilities in their
>> client software or protocol. I would consider Skype a safer option than
>> Viber, which is saying a lot.
>>
>> We can only hope that they at least use SSL/TLS for their authentication
>> and messaging API access from their client to their servers. It is
>> extremely doubtful they are doing any kind of voice encryption.
>>
>> More detail below from their privacy policy text:
>>
>> 1) They store a copy of all names and phone numbers in your phone's
>> address book on their servers.
>>
>> "When you install the Viber App and register on the Site, you will be
>> asked to provide us with your phone number and to allow us access to
>> your mobile device's address book (collectively, "Personal
>> Information"). A copy of the phone numbers and names in your address
>> book (but not emails, notes or any other personal information in your
>> address book) will be stored on our servers and will only be used to"
>>
>> 2) They maintain a record of every call for 30 months:
>>
>> "Viber also maintains a Call Detail Record (CDR - see
>> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
>> on the system. These are industry standard records used by all phone
>> companies. <snip> All log analysis is done in an anonymous, aggregate,
>> non-personally identifiable manner. We may look into a specific Call
>> Detail Record in response to a customer support request. We maintain
>> CDRs for a period of no more than 30 months."
>>
>> 3) Calls go direct from phone to phone if possible, meaning it's clear to
>> network operators who is calling/talking to each other.
>>
>> "Audio calls by users are transmitted either directly from user to user
>> or, if direct transmission is not possible (due to, for example,
>> firewalls), Viber servers are used to transmit the call. In the latter
>> scenario, the information transmitted is stored briefly in volatile
>> memory (RAM) solely to enable the transmission of the call to the other
>> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
>>
>> 4) They make no statement about notifying you if your personal data is
>> given to law enforcement or other authorities. Does this mean they would
>> respond to an Iranian gov't request? Who knows, but legally they could.
>>
>> "We may disclose information about you if we determine that for national
>> security, law enforcement, or other issues of public importance that
>> disclosure of information is necessary."
>>
>> 5) It seems like some countries/operators are blocking Viber, which
>> means they must be using an easy to fingerprint VoIP port/protocol. This
>> means it is easy to identify who is using Viber. (Skype, for example,
>> does not use a standard port/protocol which makes it very hard to block,
>> though probably still easy to identify)
>>
>>
>> http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers
>>
>> Hope that's helpful. If I can find time for someone to run Viber through
>> wireshark, I am sure we can provide more concrete details on their
>> protocol security.
>>
>> +n
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>