Viber, a popular messaging app with more than 700 million users, announced on Tuesday that it would deploy end-to-end encryption on its platform, following in the footsteps of WhatsApp earlier this month.
But how is Viber implementing its encryption? What technology is it using? The company won’t say.
When Facebook-owned WhatsApp announced its end-to-end encryption feature, it provided technical details of the new security architecture. It teamed up with encryption luminary Moxie Marlinspike, who developed one of the most highly regarded encryption protocols, Signal.
Viber, on the other hand, won’t say how it added encryption to its product.
“We built [Viber’s encryption protocol] based on the concept of an established open-source solution with an extra level of security developed in-house,” a Viber spokesperson told the Daily Dot.
When asked multiple times on which protocol Viber based its encryption, the spokesperson said that it was “elect[ing] not to disclose at this time.”
Matthew Green, a computer-science professor at John Hopkins University and a leading cryptographer, was skeptical of Viber’s reluctance to discuss its encryption protocol.
“The only reason I can think of is that it’s some custom hack an engineer threw together as a side project. Custom protocols are never a good idea,” said Green, who recently led a team that discovered a critical encryption bug in Apple‘s iMessage app. “It may use something standard but I don’t recognize any of it. Kind of sketchy.”
Some encryption protocols are more secure than others, and it benefits users to know how exactly their private messages are being secured.
Last year, the encryption in popular messaging app Telegram received criticism after the company revealed that it had developed the protocols in-house.
Cryptographers worry about proprietary encryption standards because they are not open-source and available for public auditing, a process that improves encryption code by letting anyone hunt for flaws.
Viber said it had performed multiple internal audits but had yet to allow an external one.