Cormac, care to chime in?

On Sep 20, 2012 1:53 PM, "Collin Anderson" <[email protected]> wrote:
> Hi Amin,
>
> BBG and Freedom House's report 'Safety on the Line' included some
> evaluation of the security of Viber. While I was disappointed in the lack
> of specific details overall in the publication, it did not appear that they
> thought too highly of the application.
>
> [PDF]
> http://www.freedomhouse.org/sites/default/files/Safety%20on%20the%20Line.pdf
>
> I'm not sure if Callanan and Dries-Ziekenheiner are on this list, but
> perhaps if someone could reach out to them, we could get clarifications.
>
> Cordially,
> Collin
>
> On Thu, Sep 20, 2012 at 1:28 PM, Nathan of Guardian <[email protected]> wrote:
>
>> On 09/20/2012 08:36 PM, Amin Sabeti wrote:
>> > At this time, Viber (http://www.viber.com/) is so popular amongst the
>> > Iranian people and it is one of the popular communication ways in Iran.
>> > I was wondering to know this app is secure or not? The data is
>> > encrypted or not?
>>
>> (I have cc'd Viber's privacy email on this note. Perhaps they will chime
>> in!)
>>
>> We have not done an audit of this app yet, but some quick
>> research (http://www.viber.com/privacypolicy.html)
>> turned up some not very encouraging information. In short, it should be
>> considered as secure as a normal telephone call, aka NOT SECURE. In
>> addition, they make no mention of any security capabilities in their
>> client software or protocol. I would consider Skype a safer option than
>> Viber, which is saying a lot.
>>
>> We can only hope that they at least use SSL/TLS for their authentication
>> and messaging API access from their client to their servers. It is
>> extremely doubtful they are doing any kind of voice encryption.
>>
>> More detail below from their privacy policy text:
>>
>> 1) They store a copy of all names and phone numbers in your phone's
>> address book on their servers.
>>
>> "When you install the Viber App and register on the Site, you will be
>> asked to provide us with your phone number and to allow us access to
>> your mobile device's address book (collectively, "Personal
>> Information"). A copy of the phone numbers and names in your address
>> book (but not emails, notes or any other personal information in your
>> address book) will be stored on our servers and will only be used to"
>>
>> 2) They maintain a record of every call for 30 months:
>>
>> "Viber also maintains a Call Detail Record (CDR - see
>> http://en.wikipedia.org/wiki/Call_detail_record) for each call conducted
>> on the system. These are industry standard records used by all phone
>> companies. <snip> All log analysis is done in an anonymous, aggregate,
>> non-personally identifiable manner. We may look into a specific Call
>> Detail Record in response to a customer support request. We maintain
>> CDRs for a period of no more than 30 months."
>>
>> 3) Calls go direct from phone to phone if possible, meaning it's clear to
>> network operators who is calling/talking to each other.
>>
>> "Audio calls by users are transmitted either directly from user to user
>> or, if direct transmission is not possible (due to, for example,
>> firewalls), Viber servers are used to transmit the call. In the latter
>> scenario, the information transmitted is stored briefly in volatile
>> memory (RAM) solely to enable the transmission of the call to the other
>> user. WE DO NOT RECORD ANY PART OF YOUR CALL."
>>
>> 4) They make no statement about notifying you if your personal data is
>> given to law enforcement or other authorities. Does this mean they would
>> respond to an Iranian gov't request? Who knows, but legally they could.
>>
>> "We may disclose information about you if we determine that for national
>> security, law enforcement, or other issues of public importance that
>> disclosure of information is necessary."
>>
>> 5) It seems like some countries/operators are blocking Viber, which
>> means they must be using an easy to fingerprint VoIP port/protocol. This
>> means it is easy to identify who is using Viber. (Skype, for example,
>> does not use a standard port/protocol which makes it very hard to block,
>> though probably still easy to identify)
>>
>> http://helpme.viber.com/index.php?/Knowledgebase/Article/View/87/0/blocked-countries--regions-providers
>>
>> Hope that's helpful. If I can find time for someone to run Viber through
>> wireshark, I am sure we can provide more concrete details on their
>> protocol security.
>>
>> +n
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
