Viber is a very popular messaging and calling app for mobile devices that has recently launched desktop versions as well. Researchers have recently demonstrated that the mobile application sends images and videos in the clear and stores them at publicly reachable addresses online, so media sent by users gets no encryption protection. Doodles, images and map imagery are sent unencrypted and are stored online at an address that is publicly available.
Videos/Photos without Encryption
Researchers at the New Haven Cyber Forensics R&E Education Group have demonstrated this serious privacy issue on YouTube. The researchers, Ibrahim Baggili and Jason Moore, intercepted traffic on a Windows desktop and found the links to the online location of the imagery. Of course, it is not so easy to access the data, but hackers can set up wireless access points and intercept the traffic. In addition to hackers, many others, such as Internet service providers and mobile service operators, can also access it. Moreover, the researchers found that the application stores data publicly on its servers for a minimum period of one week, and that the data is stored unencrypted. Thus, anyone who can access these links can view the data openly, retrieve it and use it in any way they wish. A common cyber criminal will have no problem using such unencrypted data with a little ingenuity. The hacker will be able to see the video messages, locate the user and find other information as well.
It is imperative that Viber users are aware of this privacy leakage, so that they can make informed decisions before using such apps, or at least wait until such issues are resolved. Viber reacted to the demonstration by saying that it would soon fix the issue. In fact, the company has stated that the problem has already been resolved and that the fix is presently undergoing quality assurance tests. The fix will soon be offered for Android and Apple devices. However, the company claims that no user has been affected by this privacy breach.
As of May 2014, the Android version of the Viber app does not send images or videos without protection, and the iOS fix is also on its way. When the previous version of Viber sends images or videos unencrypted, the user loses the privacy of those videos and photos. Anyone who has control of the Viber network will be able to view and change them. Though Viber claims to have fixed the problem, another issue remains. Part of the unencrypted, unprotected image and video data remains available in Viber's Amazon Web Services repository. The data stored on the servers remains in unencrypted form and does not get deleted immediately. Furthermore, it can be accessed without any authentication procedure.
However, Viber has claimed that the problem is solved, and with the security flaws being fixed it is sure to survive the mishap. But there are many users out there who have not even heard about this security breach. Even if they do hear about it, they might prefer to continue using Viber, as the app is easy to use and convenient. More importantly, it is a free app for messaging and making calls all over the world. They might give this more weight than the question of whether the system is secure.