On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> At this time, Viber (http://www.viber.com/) is so popular amongst the
> Iranian people and it is one of the popular communication ways in Iran.
> I was wondering to know this app is secure or not? The data is encrypted or
> not?

(I have cc'd Viber's privacy email on this note. Perhaps they will chime in!)

We have not done an audit of this app yet, but some quick research (http://www.viber.com/privacypolicy.html) turned up some not very encouraging information.

In short, it should be considered as secure as a normal telephone call, aka NOT SECURE. In addition, they make no mention of any security capabilities in their client software or protocol. I would consider Skype a safer option than Viber, which is saying a lot.

We can only hope that they at least use SSL/TLS for their authentication and messaging API access from their client to their servers. It is extremely doubtful they are doing any kind of voice encryption.

More detail below from their privacy policy text:

1) They store a copy of all names and phone numbers in your phone's address book on their servers.

"When you install the Viber App and register on the Site, you will be asked to provide us with your phone number and to allow us access to your mobile device's address book (collectively, "Personal Information"). A copy of the phone numbers and names in your address book (but not emails, notes or any other personal information in your address book) will be stored on our servers and will only be used to"

2) They maintain a record of every call for 30 months:

"Viber also maintains a Call Detail Record (CDR - see http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted on the system. These are industry standard records used by all phone companies. <snip> All log analysis is done in an anonymous, aggregate, non-personally identifiable manner. We may look into a specific Call Detail Record in response to a customer support request. We maintain CDRs for a period of no more than 30 months."

3) Calls go direct from phone to phone if possible, meaning it's clear to network operators who is calling/talking to each other.

"Audio calls by users are transmitted either directly from user to user or, if direct transmission is not possible (due to, for example, firewalls), Viber servers are used to transmit the call. In the latter scenario, the information transmitted is stored briefly in volatile memory (RAM) solely to enable the transmission of the call to the other user. WE DO NOT RECORD ANY PART OF YOUR CALL."

4) They make no statement about notifying you if your personal data is given to law enforcement or other authorities. Does this mean they would respond to an Iranian gov't request? Who knows, but legally they could.

"We may disclose information about you if we determine that for national security, law enforcement, or other issues of public importance that disclosure of information is necessary."

5) It seems like some countries/operators are blocking Viber, which means they must be using an easy-to-fingerprint VoIP port/protocol. This means it is easy to identify who is using Viber. (Skype, for example, does not use a standard port/protocol, which makes it very hard to block, though probably still easy to identify.)

http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers

Hope that's helpful. If I can find time for someone to run Viber through wireshark, I am sure we can provide more concrete details on their protocol security.

+n
