Researchers slurp unencrypted Viber messaging data with ease Popular Whatsapp-like messaging service Viber is exposing users to man-in-the-middle and other attacks because it isn’t encrypting various data at rest and in transit, security researchers have warned. The mobile app allows users to send each other messages, videos, images and “doodles”, share GPS location details and make …
Whilst bad, the report is a little disingenuous.
If you are acting as a router and using logging tools like Wireshark you can intercept all network traffic, regardless of whether it is encrypted or not - that is the point of these network monitoring tools.
The rest of the report makes me glad I'm not a Viber user, but the formulation of the wording around the interception cheapens the whole thing, especially for a tech savvy audience.
Those simply swept away years of experience on making computer systems secure. Since those devices are essentially completely new developments, only sharing the kernel.
Additionally "security" in the mobile world only means "security" of business models. Mobile devices have protections to keep you from installing a newer version of the operating system, making you buy new hardware whenever the vendor wants you to. It includes protection from copying software.
True security features like community based code reviews are nowhere to be found. Additionally development is so appalling few good programmers write for such mobile devices. Combined with the possibility to make a quick quid even with horribly bad software quality, there are now hordes of bad mobile app developers. This is just like it used to be with the "Multimedia CD-ROM" scene in the 1990s and the "web designers" which came afterwards.
So it's not surprising that a mobile application which claims to do something difficult is in fact completely broken.
I tested Viber a couple of years back, and their response to my question if they encrypted any of the traffic was "no" - which is when I dropped it from apps I use.
These companies are not interested in protecting you (you're not a customer, you're a number - remember, it's "free"?). They will do as little as possible to get some functionality working and off it goes, and with the volume the market offers that's enough for good profit - most people are still not aware what a risk they take when all their traffic can be intercepted. For Joe Public, it will take a dramatic event for this to be seen as a problem - after the Snowden files dry up I give it 6 months and we're back where we started. However, to be fair to Viber, to my knowledge they have never claimed to encrypt traffic - I asked them this a few years back when I could not find it in the online docs, and I got a reply they didn't.
Now, let's assume Viber gets asked for crypto. The way most of these outfits work, they will slap on a library and call it "safe", because to do it right, encryption and security need to be part from the design from the ground up which is effort they will not expend - also because it gets them into trouble in the US when there is a official demand for data.
So, am I surprised about this "discovery"? No.
Viber is in big use in Ireland, and shame on me I never checked was it encrypted! I understand about lowered expectation of privacy when using these services, but there is a difference between somone or a government having to target your data, vs broadcasting it in the plain over any network you happen to connect to!
I actually though no way would somone not be encrypting their traffic.
So I guess it is now time to engage in a campaign to move people off viber, but what is a good cross platform alternative?
I get what you're saying. Put it like this, any text I send no matter what format has a reasonable chance of getting scanned by some government or other. I can't do anything about that.
That is a whole lot different than someone running a packet sniffer on a WLAN and picking my picture texts up without a problem. That is a big issue and one I can do something about. It is a reasonable expectation of privacy (let's call it local privacy) and the fact viber is sending personal data in the plain is negligent.
Is there an alternative that at least uses ssl constantly?
Yesterday we had an article "helpfully" describing VKontakte as "Russian Facebook", the actual company not mentioned by name until the second paragraph.
Now we casually drop a name right in the title without a mention of what/who/where the fuck they are. For all I know Viber could be the name of an industrial data bus, so why not head the article with something like "Whatsapp lookalike's messaging application data slurped with ease"?
At least we would have some consistency then.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
