Tool Review: Vibe Messaging

Posted by MelissaLoudon on Dec 22, 2011

Vibe burst onto the scene following reports that protesters were using it to coordinate with each other at the recent Occupy Wall Street demonstrations and camps.

As a smartphone app for anonymous broadcast messaging, Vibe is going after an important idea. In fact, it’s been promoted as an anonymous version of Twitter. Anyone with the app can post - there are no accounts - and users are able to limit the lifetime of the messages (from a few minutes to a few days) and the location to which they are broadcast (from a few meters to anywhere).

Vibe is clearly a useful tool. Some of the ways it has apparently been used include asking anonymous questions at a conference, and communicating with neighbours about local events. The ‘anonymity’ of not having to create an account may be perfectly adequate for these situations. However, when it comes to its use by activists - where it is being promoted as an appropriate tool for people with serious security implications should their identify be revealed - we need to delve deeper into promises of anonymity.

In the case of Vibe, our analysis revealed some serious concerns. Some of these have come up in other reviews as well.

  • First, we have no information on whether messages that expire (and are therefore no longer visible to vibe users) are actually removed from Vibe’s servers and server logs. If they aren’t, this is a permanent record subject to requests from law enforcement.
  • Second, all communication between the app and the server is unencrypted (HTTP), and vulnerable to eavesdropping on insecure WiFi networks, or by mobile network operators or Internet service providers.
  • Third, the app stores and transmits an internal user ID alongside each message. This is what the messages look like. Even if you can’t immediately link a user ID to a specific person, the mobile network operator (MNO) or someone eavesdropping on a WiFi network probably can, and someone who has even brief access to a phone with the app installed certainly can.

The table below is from Evaluating Security Apps,’s guide to deciding whether specific apps are suitable for communicating sensitive information. Not everyone has the same security requirements, or the same operational environment, and we encourage you to assess your security risks in a systematic way.

Will it work on my phone? 
  • Platforms (iPhone, Android, Java, Blackberry, Symbian etc)
  • Phone models
  • Installation method (App market, web download, download to PC?)
  • Language support
Vibe is available for iPhone and Android. Testing on Android, it required continuous Internet access to work and crashed without it.

Installed through the iPhone app store. Android users can download the .apk file directly from
Risks, Costs and Benefits 
  • What risk does this app address? What are the benefits?
  • Does it introduce other potential risks?
  • How much does it cost? Both the cost of the app and any data/text messaging/voice costs
Vibe is like Twitter without accounts - no need to sign up, just send out a ‘Vibe’ to people nearby.

The potential risks are significant if you need better anonymity than just not having to show a screen name - the app uniquely identifies users and transmits data unencrypted, and may also store data on its servers for longer than it is visible to users.

The app is free, data charges apply.
Is this app trustworthy? 
  • What permissions does it request? What permissions is it given by the operating systems?
  • Who is the developer? Are they well-known?
  • Is there an active user community?
  • Is the source code available for public review?
  • Is data stored and transmitted securely?
  • Is the app legal?
  • What is the developers’ policy on data requests from law enforcement?
  • Is the app mature?
  • How are updates released?
When tested on Android, Vibe requested location permissions, as well as Internet access.

Development of Vibe was outsourced to by its creator, Hazem Sayed. The complete lack of security features suggest that this app was not built for secure communication, and the fact that it crashes when it doesn’t have continuous Internet access does not instill confidence.

There is no public-facing website for Vibe, and no way to get support or connect with the user community besides possibly using the app itself.

Source code is not publicly available, and there is not information about how data is stored on servers.

Data is transmitted unencrypted using HTTP.

Vibe is legal, but its terms of use forbid illegal activity (as well as some legal activity, such as pornography).

 Image from Adrian Kinloch on Flickr

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><p><br> <b><i><blockquote>
  • Lines and paragraphs break automatically.

More information about formatting options