Silk Road forums

Discussion => Security => Topic started by: justanotherrandomuser on September 22, 2012, 07:33 pm

Title: Wickr - Iphone/Android secure texting
Post by: justanotherrandomuser on September 22, 2012, 07:33 pm
So, I'm going to basically post a review so far on Wickr, a secure texting solution for iphone/android.

From https://www.mywickr.com/en/myapp.php#

The Internet is forever!  Your private communications don’t need to be. Wickr’s mission is to provide a free and easy way for anyone to communicate securely and Leave No Trace.

Wickr provides:

    military-grade encryption of text, picture, audio and video messages
    sender-based control over who can read messages, where and for how long
    best available privacy, anonymity and anti-forensic features
    security that is simple to use

Wickr deletes all metadata from your pictures, video and audio files, like your device info, your location, and any personal information captured during the creation of those files.

We do not require you to tie an email address to your account, allowing you to be as private and discreet as needed.

We have made this app with the best available security technology, but we strongly encourage you to only send private messages to people you trust.

FAQs about the App:

    How private are my Wickr messages?
    Can Wickr read my messages?
    How anonymous am I on Wickr?
    Does Wickr log or track my communications or activity?
    What about my mobile or Internet provider, can they track my communications in Wickr?
    How strong are Wickr's anti-forensic features?

How private are my Wickr messages?

Your messages are secured with military-grade encryption during their entire life span. They can only be read by you and the recipients on the devices you authorize.

For message encryption, Wickr's patent-pending 'Digital Security Bubble' relies on both the Advanced Encryption Standard (AES) symmetric block cipher implemented with random 256-bit keys and the asymmetric RSA-4096 algorithm.

Can Wickr read my messages?

No. Our service merely facilitates a secure exchange between sender and receiver. At no time is unencrypted message content stored on our servers.

Messages are encrypted by the sending device, sent through our service and provider networks in encrypted form, and decrypted by the receiving device. Our servers never process or store unencrypted messages nor are they ever in possession of the keys to decrypt the

How anonymous am I on Wickr?

We don't even know your username. And we don't force you to share an email address or other personal information that could identify you to us or other Wickr users.

Your username, along with all other user and device information related to your account, is irreversibly encoded with multiple rounds of salted cryptographic hashing prior to being sent to our servers. Even we cannot determine the actual values based on the hashed values we store.

Does Wickr log or track my communications or activity?

Minimal logs are kept for the purpose of maintaining system continuity. None of them contain user communications or message tracking information.

Our logs contain no message content or tracking information related to the delivery of messages. What little they do record contain only hashed user and device information. Our live database contains only hashed sender and receiver device information, and only while encrypted messages are routing through the system. This means that we or anyone viewing the database in real time cannot read any messages or determine which users are communicating. In fact, at a given moment, the only way we can determine who is communicating with whom is if we're given both usernames to start with, which amounts to simply confirming for someone that which they already know.

What about my mobile or Internet provider, can they track my communications in Wickr?

Your provider may be able to confirm that you are communicating with our service, but it cannot read your messages and cannot determine with any degree of certainty with whom you are messaging.

Regarding a provider's ability to establish with whom you are messaging, your mobile or Internet provider may track things such as IP address allocations and push notifications. While our indirect message delivery method may make it extremely difficult to establish all parties to the communication, we cannot entirely control the extent to which conjecture or inference could be drawn through observation of data collected from outside of our network.

How strong are Wickr's anti-forensic features?

Wickr provides the best anti-forensic privacy protection possible on the mobile platform.

Our anti-forensic features are specifically designed for the way mobile devices store and access data. While running, Wickr works continuously to wipe areas of main memory and device storage recently used to display text or multimedia content.


So, I gave it a shot. I have recently come across like-minded individuals (the only requirement is that both sides use it) who were, thankfully, quick to install it on their phones.  We tested it out this morning, registration was easy, it just asks for a userid, no email address required, put that in, exchanged uids over SMS, proceeded to try it out.

The most interesting feature is the self destruct option, it defaults to 1 hour, but you can set it for as long as 5 days.  This means that once your message has been opened by the other user, after that time frame has expired, it will self destruct; namely, the app will overwrite the encrypted text with garbage.

So far, I'm happy with it, I wouldn't go so far as to be too explicit in my communications with it, but the self destruct feature is nice and if the authors of the app are indeed trustworthy, a very good idea and hopefully one that will frustrate LE to a great degree.   
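
Added example, not part of the original post and not Wickr's code: a sketch of the "multiple rounds of salted cryptographic hashing" of usernames that the quoted FAQ describes, showing why the FAQ concedes that a pair of users can be confirmed once both usernames are known. The salt, round count, hash function, row layout and usernames are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumptions (not from Wickr): salt, round count and hash are constructed.
# For two devices to find each other, every client must map the same username
# to the same token, so the salt cannot be a per-user secret.
SERVICE_SALT = b"constructed-demo-salt"
ROUNDS = 10_000


def encode_identifier(username: str) -> str:
    """Multi-round salted hash of a username, as a client might send it."""
    digest = username.strip().lower().encode("utf-8")
    for _ in range(ROUNDS):
        digest = hashlib.sha256(SERVICE_SALT + digest).digest()
    return digest.hex()


def confirm_pair(routing_row: dict, sender: str, receiver: str) -> bool:
    """The FAQ's concession: given both usernames, a stored row can be confirmed."""
    return (hmac.compare_digest(routing_row["from"], encode_identifier(sender))
            and hmac.compare_digest(routing_row["to"], encode_identifier(receiver)))


def candidates_present(routing_rows: list, candidate_names: list) -> set:
    """Names from a guessed list whose tokens appear in any routing row.

    Hashed identifiers are pseudonymous, not anonymous: the protection is
    bounded by how guessable the username is.
    """
    seen = {r["from"] for r in routing_rows} | {r["to"] for r in routing_rows}
    return {n for n in candidate_names if encode_identifier(n) in seen}


# Constructed sample data: one in-flight message between two made-up users.
ROWS = [{"from": encode_identifier("alice_example"),
         "to": encode_identifier("bob_example")}]

if __name__ == "__main__":
    print(confirm_pair(ROWS[0], "alice_example", "bob_example"))
    print(confirm_pair(ROWS[0], "alice_example", "carol_example"))
    print(sorted(candidates_present(ROWS, ["bob_example", "dave_example"])))
```

When weighing the anonymity claim, the point is that hashing hides an identifier only as well as the identifier resists guessing, so a username reused from elsewhere gets little protection from it.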
Title: Re: Wickr - Iphone/Android secure texting
Post by: WestCoastRX on September 23, 2012, 03:24 am
Looks like Black SMS has some competition.  Thank you for the extensive writeup.
Title: Re: Wickr - Iphone/Android secure texting
Post by: BlarghRawr on September 23, 2012, 06:30 am
Unless the code-base for this application is available to anyone for reading, it should not be trusted. Like any form of encryption which makes it simple and automatic for the user... it could also be poisoned.

"They can only be read by you and the recipients on the devices you authorize."

That's the part I'd question the most. The "authorization" means some form of code is going out that allows the reading of a message, right? How? To who? How can you be certain ONLY the authorized device gets it?
Title: Re: Wickr - Iphone/Android secure texting
Post by: justanotherrandomuser on September 23, 2012, 08:11 pm
Unless the code-base for this application is available to anyone for reading, it should not be trusted. Like any form of encryption which makes it simple and automatic for the user... it could also be poisoned.

I agree, I would be cautious about what I communicated with it but hopefully either the more eyes on it approach will allow the community to note any discrepancies or prove it to be useful.

"They can only be read by you and the recipients on the devices you authorize."

That's the part I'd question the most. The "authorization" means some form of code is going out that allows the reading of a message, right? How? To who? How can you be certain ONLY the authorized device gets it?

Well, you can't be absolutely sure, hushmail proved that, but from what I understand, the phone generates a hash based off your login and password and sends that so they don't ever actually have a copy of your data or login, and that hash is what's used to authenticate from different devices.  In addition, the timed delete function looks interesting.

I agree, it's hard to trust completely but there does remain a need for encrypted quick communications, until someone makes pgp sms easy with a phone...

At any rate, I'm using it at the moment so if I encounter any problems from it, I'll update this as quick as I can.
Title: Re: Wickr - Iphone/Android secure texting
Post by: happyroller1234 on December 03, 2012, 10:53 pm
I have also been using this app.  The reviews are very good, and it seems very secure...  Is there a way to know for sure?
Title: Re: Wickr - Iphone/Android secure texting
Post by: railingcapz on December 04, 2012, 03:18 am
Signing the thread. Very interested to see what more technically savvy members think of such an app. In any case, would it be better to just blend in with the masses and use standard sms or use Wickr? When I ask this, I mean for non-sensitive information, mainly for conversation that you would not want most to see but it's still legal of some sort ;)
Title: Re: Wickr - Iphone/Android secure texting
Post by: DivineMomentsofTruth on December 04, 2012, 03:49 am
Signing the thread. Very interested to see what more technically savvy members think of such an app. In any case, would it be better to just blend in with the masses and use standard sms or use Wickr? When I ask this, I mean for non-sensitive information, mainly for conversation that you would not want most to see but it's still legal of some sort ;)

I've been very interested in this as well...Seems like it could be legit or possibly something sinister. I hope it is not the latter. 

Can anyone who knows a lot more than me about authenticating the validity of this program please help.   I don't trust privnote so I don't see how this could be any safer but then again I don't know jack shit about how to check whether it is legit or not.

I certainly hope so...it'd make my life a lot easier.
Title: Re: Wickr - Iphone/Android secure texting
Post by: BlarghRawr on December 04, 2012, 04:16 am
Signing the thread. Very interested to see what more technically savvy members think of such an app. In any case, would it be better to just blend in with the masses and use standard sms or use Wickr? When I ask this, I mean for non-sensitive information, mainly for conversation that you would not want most to see but it's still legal of some sort ;)

I've been very interested in this as well...Seems like it could be legit or possibly something sinister. I hope it is not the latter. 

Can anyone who knows a lot more than me about authenticating the validity of this program please help.   I don't trust privnote so I don't see how this could be any safer but then again I don't know jack shit about how to check whether it is legit or not.

I certainly hope so...it'd make my life a lot easier.

You would need to root your phone or other application, then install something that monitors all network traffic for it. And even then, you couldn't be certain. The next stage would be to take a JIT-disassembler to it, or some such, to look for unwanted or malicious code. Or whatever, I don't really know.