Is Wickr the Best Bet for Secure Secret Messaging Apps?
August 13, 2014
After attending a Meetup recently on encryption techniques for journalists, I realized the need to examine various encryption tools for text messaging, email, chat, and other forms of communication.
I tend to avoid sending sensitive information (social security numbers, credit card info, saucy selfies) over chat, email, text, or social media. Even so, that is no reason for me or anyone else to neglect good security awareness.
Despite the seemingly insignificant, informal nature of text messages, more people now communicate by text or SMS than by email, phone calls, or other avenues. Human error and negligence also often contribute to security lapses.
This article highlights the encrypted text messaging mobile application called Wickr. This app and similar rivals such as Redact, CyberDust, and TextSecure do not have significant user bases, but they are options for individuals who rely on secure text as a form of communication.
Wickr’s military grade encryption
Wickr promotes transparency with a clear security message meant to reassure potential users. Unlike certain big companies that monetize your information in exchange for free services (e.g. email), Wickr says:
We do not upload your contact book to our servers. We do not know anything about you or what you do with Wickr. We do not sell your personal information. We do not store your IP address or UDID. We do not own the messages and media you send via Wickr. We do not have a back door.
The app obscures user identity: you sign up with a chosen user ID only, and there is no password recovery system. Email addresses and phone numbers are not required.
The app focuses on anonymity. It blocks screenshots (“denied by DRM”). Wickr uses AES-256, RSA-4096, ECDH-521, SHA-256 and Transport Layer Security (TLS) to protect message data both while it sits on the server and while it travels between devices. It implements Perfect Forward Secrecy (PFS), generating encryption keys as they are needed and deleting them afterwards.
Secure Shredder, message expiration, and pen testing with Aspect Security
The “Secure Shredder” completely erases messages from your device. It destroys message content only on your own device, not on the recipient's. Message expiration attempts to close that gap, but it cannot stop a recipient from photographing the message content with a separate device. The expiration option resembles Virtru’s email encryption options.
The most important takeaway about this company is its commitment to security. It publishes quarterly transparency reports and hires security consultants and penetration testers to expose vulnerabilities. On August 5th, it published this letter from Aspect Security attesting to the app’s security.
TextSecure and Redact
TextSecure holds a solid 4.5-star rating on the Google Play store. Beyond the end-to-end message encryption you would expect, the app is open source, which gives you complete transparency into how it works.
Most cyber security professionals will tell you that nothing is one hundred percent secure. If a software company or “expert” claims otherwise, they err in judgement. Redact’s website copy states that it is “The world’s first totally secure instant messenger application”. This might as well be an open invitation for hackers to break the application and prove the developers wrong.
Perhaps this app does prove more secure than others, but do not overextend your confidence. Why invite malicious hackers? Discovering vulnerabilities is an essential part of strengthening technology, as Wickr’s commitment shows, but a marketing boast is not a smart way to invite it.
The word choice on the Redact Secure Messenger website alone puts this app in the do-not-use category. Sorry Redact, but keep in mind that no application is bulletproof. Also, why spend $5.99 on this app when comparable alternatives are free? This is a case of tech product marketing gone awry.
You should be aware of the encryption options for text messaging, but an app like this may seem extreme to users who already would never send social security numbers, credit card info, or bank account numbers through this medium.