Hi Amin,

BBG and Freedom House's report 'Safety on the Line' included some evaluation of the security of Viber. While I was disappointed in the lack of specific details overall in the publication, it did not appear that they thought too highly of the application.

[PDF] http://www.freedomhouse.org/sites/default/files/Safety%20on%20the%20Line.pdf

I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but perhaps if someone could reach out to them, we could get clarifications.

Cordially,
Collin

On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <[email protected]> wrote:

> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
> > At this time, Viber (http://www.viber.com/) is so popular amongst the
> > Iranian people and it is one of the popular communication ways in Iran.
> > I was wondering to know this app is secure or not? The data is encrypted
> > or not?
>
> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
> in!)
>
> We have not done an audit of this app yet, but some quick research
> (http://www.viber.com/privacypolicy.html) turned up some not very
> encouraging information. In short, it should be considered as secure as
> a normal telephone call, aka NOT SECURE. In addition, they make no
> mention of any security capabilities in their client software or
> protocol. I would consider Skype a safer option than Viber, which is
> saying a lot.
>
> We can only hope that they at least use SSL/TLS for their authentication
> and messaging API access from their client to their servers. It is
> extremely doubtful they are doing any kind of voice encryption.
>
> More detail below from their privacy policy text:
>
> 1) They store a copy of all names and phone numbers in your phone's
> address book on their servers.
>
> "When you install the Viber App and register on the Site, you will be
> asked to provide us with your phone number and to allow us access to
> your mobile device's address book (collectively, "Personal
> Information"). A copy of the phone numbers and names in your address
> book (but not emails, notes or any other personal information in your
> address book) will be stored on our servers and will only be used to"
>
> 2) They maintain a record of every call for 30 months:
>
> "Viber also maintains a Call Detail Record (CDR - see
> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
> on the system. These are industry standard records used by all phone
> companies. <snip> All log analysis is done in an anonymous, aggregate,
> non-personally identifiable manner. We may look into a specific Call
> Detail Record in response to a customer support request. We maintain
> CDRs for a period of no more than 30 months."
>
> 3) Calls go direct from phone to phone if possible, meaning it's clear to
> network operators who is calling/talking to each other.
>
> "Audio calls by users are transmitted either directly from user to user
> or, if direct transmission is not possible (due to, for example,
> firewalls), Viber servers are used to transmit the call. In the latter
> scenario, the information transmitted is stored briefly in volatile
> memory (RAM) solely to enable the transmission of the call to the other
> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
>
> 4) They make no statement about notifying you if your personal data is
> given to law enforcement or other authorities. Does this mean they would
> respond to an Iranian gov't request? Who knows, but legally they could.
>
> "We may disclose information about you if we determine that for national
> security, law enforcement, or other issues of public importance that
> disclosure of information is necessary."
>
> 5) It seems like some countries/operators are blocking Viber, which
> means they must be using an easy to fingerprint VoIP port/protocol. This
> means it is easy to identify who is using Viber. (Skype, for example,
> does not use a standard port/protocol which makes it very hard to block,
> though probably still easy to identify)
>
> http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers
>
> Hope that's helpful. If I can find time for someone to run Viber through
> wireshark, I am sure we can provide more concrete details on their
> protocol security.
>
> +n
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
