Viber defends new end-to-end encryption protocol against criticism

Messaging app Viber rolled out its own end-to-end encryption update yesterday, following in the footsteps of its competitor, WhatsApp, and allowing users to keep their calls and messages private. But researchers are questioning whether Viber’s messages are really as secure as the company claims.

In a blog post announcing the change, Viber COO Michael Shmilov says that the new feature will protect messages sent by Viber’s 700 million users from being accessed by anyone aside from the people in the chat — including the company itself. “We have been working on this for a long time and are proud that our users can confidently use Viber without fear of their messages being intercepted — whether it is in a one-to-one or group message, on a call, on desktop, mobile or tablet,” Shmilov writes.

But unlike WhatsApp, Viber has yet to publish details about how its encryption is implemented. (Developers of encryption systems commonly publish documentation so they can be audited for vulnerabilities by other researchers.) WhatsApp worked with the developers of secure messaging app Signal and published a security whitepaper detailing how users’ messages would be encrypted.

Viber has so far declined to publish specifics about how it is encrypting users’ messages, which has left technologists to speculate about the methods Viber is using. Frederic Jacobs, a security researcher who previously worked on Signal and is currently a student at the EPFL, pointed out that Viber may be using the MD5 hash algorithm, which is widely considered to be cryptographically insecure.

However, a Viber spokesperson told TechCrunch, “MD5 is not being used.”

“Viber will not grant backdoor access under any circumstance and in any country. We agree with the stance both Apple and WhatsApp have taken. Viber can access records that show only that one phone number has contacted another phone number. However we cannot access the content of messages or phone conversations,” the spokesperson added.

Shmilov told TechCrunch yesterday that Viber had been working on end-to-end encryption for several years, and that users would be able to authenticate their contacts before exchanging messages. A spokesperson clarified today that Viber has performed several internal audits on the encryption protocol it is using, and said that external audits are coming soon.

“Our encryption protocol was based on an open source protocol concept, with an extra level of security developed in-house,” the spokesperson explained.

Online messages are only as secure as the encryption used to protect them, and it can be difficult to build trust in a product if its maker isn’t transparent about security. Without proper security documentation, users are left in the dark when it comes to choosing which apps to trust.

Joe Hall, the chief technologist of the Center for Democracy and Technology, expressed concern that companies are so eager to join the rush to encrypt users’ messages that they aren’t taking the steps necessary to set up proper security. “In the rush to encrypt everything, I’m hoping encryption doesn’t become just a fad, resulting in poor security engineering. It’s not clear if that’s what’s happening here, but I suspect we’ll see that at some point,” Hall told TechCrunch.

So far, Viber has made end-to-end encryption available in Brazil, Belarus, Israel and Thailand, but users will be able to access the feature worldwide within the next two weeks.

Update: Frederic Jacobs does not currently work on Signal and does not speak on behalf of its creators at Open Whisper Systems. His research indicated use of MD5 in Viber’s construction, not in the encryption of attachments as previously reported.