Wickr

Secure: Send and receive secure messages, documents, pictures, videos and audio files.

Anonymous: Your conversations can not be tracked, intercepted or monitored. Your Wickr ID is anonymous to us and anyone outside your Wickr network.

No Metadata: Wickr removes all records, geotags, and identifying information from your messages and metadata

Shredder: Irreversibly remove all deleted messages, images and video content from your device.

Configurable timer: Set the expiration time on all your messaging content.

Sounds promising. Yet we can’t confirm any of those claims. Wickr is proprietary software. Why? There are successful products such as TextSecure that are free and open source, and they are doing great. Thus, there is no economic incentive not to make Wickr GPL licensed, let alone open source. Having to trust the company is the problem, and Wickr should be disregarded at this point by anyone who values their privacy. Audits of source code by independent companies are excellent. Here they do not matter. It’s like RSA saying “don’t worry, BSAFE was audited by the NSA.”

After the source code is released, and the licence allows users to compile their own clients from it (preferably Wickr should come with a script that produces a reproducible build), we can reliably analyze their claims. What worries me is that some of them are either false or out of date:

Encryption

Wickr uses ECDH521 key exchange + AES256 for symmetric encryption. Despite forward secrecy, there is no ratcheting or self-healing property. A long-term MITM can be established at any point with a single key-exfiltration attack against either endpoint.
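To make the distinction in the paragraph above concrete, here is a toy simulation written for this review; it is not Wickr’s code and does not reproduce Wickr’s protocol. The Diffie-Hellman group (prime 2**127 - 1, generator 3) is a deliberately tiny constructed toy so the script runs offline with the standard library only, and the chain/root key derivation is a generic KDF-chain design, not Wickr’s. The “attacker” holds one snapshot of a party’s symmetric state, obtained by whatever exfiltration means, plus every public value sent on the wire, and no private keys. Without a ratchet the snapshot yields every later message key; with a DH ratchet the damage stops at the next fresh key exchange.

```python
"""Forward secrecy alone versus a DH ratchet with a self-healing property.

Added example, not Wickr's code. The group below is a constructed toy
(P = 2**127 - 1, G = 3), far too small for real use; a real client would use
ECDH on a curve such as P-521 and HKDF.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy group: a Mersenne prime, not a real parameter
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def kdf(label, *parts):
    return hashlib.sha256(label + b"".join(parts)).digest()


def message_key(chain):
    return hmac.new(chain, b"\x01", hashlib.sha256).digest()


def next_chain(chain):
    # One-way step: chain[i+1] reveals nothing about chain[i] (forward secrecy).
    return hmac.new(chain, b"\x02", hashlib.sha256).digest()


def simulate(n_messages, ratchet_every=None):
    """Run a session and return (message_keys, chain_states).

    chain_states[i] is the symmetric state in memory when message i is keyed,
    i.e. what a single exfiltration at step i captures. ratchet_every=None is
    a plain KDF chain seeded once by the initial DH (forward secrecy, no
    healing); otherwise both parties mix a fresh DH output into the root key
    every ratchet_every messages and discard the old chain.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    root = kdf(b"root", dh_shared(a_priv, b_pub))
    assert root == kdf(b"root", dh_shared(b_priv, a_pub))   # both sides agree
    chain = kdf(b"chain", root)
    keys, states = [], []
    for i in range(n_messages):
        if ratchet_every and i and i % ratchet_every == 0:
            # Fresh ephemeral keys on both sides; only the public halves go
            # on the wire, so a passive observer cannot compute new_dh.
            ea_priv, ea_pub = dh_keypair()
            eb_priv, eb_pub = dh_keypair()
            new_dh = dh_shared(ea_priv, eb_pub)
            assert new_dh == dh_shared(eb_priv, ea_pub)
            root = kdf(b"root", root, new_dh)
            chain = kdf(b"chain", root)
        states.append(chain)
        keys.append(message_key(chain))
        chain = next_chain(chain)
    return keys, states


def attacker_matches(keys, states, compromised_at):
    """Count the message keys, from compromised_at onward, that an attacker
    holding states[compromised_at] reproduces by running the public
    derivation forward. After a ratchet step the real chain depends on a DH
    output the attacker has no private key for, so the matches stop."""
    chain = states[compromised_at]
    matches = 0
    for real in keys[compromised_at:]:
        if hmac.compare_digest(message_key(chain), real):
            matches += 1
        chain = next_chain(chain)
    return matches


if __name__ == "__main__":
    n = 8
    keys, states = simulate(n)
    print("KDF chain only:", attacker_matches(keys, states, 2), "of", n - 2, "later keys readable")
    keys, states = simulate(n, ratchet_every=4)
    print("with DH ratchet:", attacker_matches(keys, states, 2), "of", n - 2, "later keys readable")
```

The point of the comparison is the second number: a ratchet does not stop the compromise from reading the messages keyed before the next exchange, but it bounds the window, whereas a one-off handshake followed by a symmetric chain turns one exfiltration into a permanent read.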

Fingerprint verification

Fingerprint verification is hidden behind a tap on the user avatar. Anyone who doesn’t know better won’t be using the feature. Since the lock icon is the same color as all the other symbols, there’s no way to immediately see that the security is not at an adequate level.
Fingerprint verification can be done through the MITM using video. This is actually a decent method if the recipient is known (and assuming HSA morphing technology hasn’t reached this point yet). The issue is in usability. After receiving the video, it must be viewed by holding the camera icon pressed. If the user accidentally presses the accept button right below the camera icon, the client assumes key verification was valid and assigns the green key icon to the user: “verified”.

The sender will have to either record a new video, or resort to less private options:

The fingerprint can also be sent via inherently insecure SMS and unencrypted email. Even the suggestion of using these channels reeks of unprofessionalism from the Wickr team. There is no way for users to display fingerprints on the screens of their devices, thus there is no high-assurance way to verify fingerprints on the spot.

The explanation of the importance of fingerprints is bad: Fingerprints are not “optional”. They are the only thing that prevents MITM attacks against the user. In a sense, they’re not lying when they say it provides an added level of security. They just fail to mention there is zero security without verification.
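The following is an added illustration for this review, not Wickr’s code, of what the two verification paths described above actually check. Public keys are random 133-byte placeholders standing in for encoded P-521 points, and the fingerprint format (SHA-256 over a labelled key, first 40 hex digits in groups of 5) is an assumption chosen for readability, not Wickr’s scheme. It models a contact entry that holds whatever key arrived over the network, a single-tap “accept” that marks it verified without comparing anything, and a real comparison against a fingerprint obtained directly from the peer.

```python
"""Fingerprint verification as the only check that catches an active MITM.

Added example, not Wickr's code. Keys are constructed random placeholders and
the fingerprint encoding is an assumption for illustration.
"""
import hashlib
import hmac
import secrets

FP_LABEL = b"fingerprint-v1"   # domain separation label, constructed for this example


def fingerprint(pub_key: bytes) -> str:
    """Render a public key as 8 groups of 5 hex digits that a user can show
    on screen, read aloud, or compare on the spot."""
    hexdigest = hashlib.sha256(FP_LABEL + pub_key).hexdigest()[:40]
    return " ".join(hexdigest[i:i + 5] for i in range(0, 40, 5))


def _normalize(fp: str) -> str:
    # Ignore spacing and case so a fingerprint typed by hand still compares.
    return "".join(fp.split()).lower()


class Contact:
    """What a client stores for a peer: the key it received over the network
    and whether the user has verified it."""

    def __init__(self, name: str, pub_key: bytes):
        self.name = name
        self.pub_key = pub_key
        self.verified = False


def accept_by_tap(contact: Contact) -> bool:
    """The 'accept button' path: the contact is marked verified without any
    comparison, so whatever key arrived is now shown with the green icon."""
    contact.verified = True
    return contact.verified


def verify_out_of_band(contact: Contact, fp_from_trusted_channel: str) -> bool:
    """Compare the fingerprint the user obtained directly from the peer (in
    person, on the peer's own screen, or over a call whose voice they know)
    with the fingerprint of the key the client actually holds."""
    expected = _normalize(fingerprint(contact.pub_key)).encode()
    provided = _normalize(fp_from_trusted_channel).encode()
    contact.verified = hmac.compare_digest(expected, provided)
    return contact.verified


def scenario(substituted: bool):
    """Bob adds Alice. If a relay between them swapped in its own key, Bob's
    contact entry holds the relay's key rather than Alice's, while Alice's
    own screen still shows the fingerprint of her real key."""
    alice_key = secrets.token_bytes(133)   # constructed stand-in for Alice's real key
    relay_key = secrets.token_bytes(133)   # constructed stand-in for an interposed key
    bob_sees = Contact("Alice", relay_key if substituted else alice_key)
    alice_shows = fingerprint(alice_key)   # what Alice reads out to Bob directly
    return bob_sees, alice_shows


if __name__ == "__main__":
    for substituted in (False, True):
        contact, alice_fp = scenario(substituted)
        print(f"key substituted={substituted}:",
              "tap ->", accept_by_tap(contact),
              "| out-of-band compare ->", verify_out_of_band(contact, alice_fp))
```

The tap path returns True in both runs; only the out-of-band comparison returns False when the held key is not Alice’s, which is the entire security value of the feature and the reason it cannot be “optional”.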

“That friends are who they say they are”.

Providing this level of misinformation is scary. It will lead to confusion where people will do alternative challenge-responses through the MITM:

“What movie did we watch yesterday?”.

“-Titanic”

“-Okay it must be you.”

This section should have carefully explained that it ensures end-to-end encryption is done between Alice’s and Bob’s devices, and not between Alice and HSA, and Bob and HSA.

Illusion of sender based control:

This is pure security through idiocracy. The next picture, taken with an external camera, explains:


I found many reasons to use TextSecure over Wickr. I found zero reasons to use Wickr over TextSecure. Vote with your feet.

PS. Wickr, check your hiring priorities:

[image: open jobs]
