We’re in a funny period where society obliges us to stay as connected as possible, but doing so safely is increasingly difficult. This makes secure messaging app Wickr (iOS App Store, free), which destroys messages after a set period of time, all the more attractive. Though the app rightly puts security first, Wickr is easy enough to use for your everyday messaging.
Turning The Key
Right off the bat you’ll notice some differences in how Wickr presents itself if you’re familiar with other messenger apps like Viber and Snapchat. Its simple sign-up system does the normal things like asking for a username and password, and prompting you for your email address and phone number so other users can find you. The difference is that Wickr boldly promises that your personal information will not be directly stored on their servers, but rather as a cryptographic “representation.”
Co-founder Nico Sell, who berated an FBI agent that asked to install a backdoor into Wickr, explained that this system compares cryptographic hashes of phone numbers and email addresses in order to find other users. Neither your phone number nor email address is ever directly in Wickr’s hands, she said. This neatly side-steps the problem of messaging services amassing huge amounts of personal information by copying your contact list in order to find other users.
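The hash-comparison lookup Sell describes, sketched as an added example (not Wickr’s code or its actual scheme): the choice of SHA-256, the normalization rules, the `Directory` class and all sample contacts are assumptions made for illustration.

```python
import hashlib
import re

DEFAULT_COUNTRY_CODE = "1"  # assumption: bare 10-digit numbers are North American


def normalize(identifier):
    """Canonicalize a phone number or e-mail so both sides hash the same bytes."""
    identifier = identifier.strip()
    if "@" in identifier:
        return "mailto:" + identifier.lower()
    digits = re.sub(r"\D", "", identifier)
    if identifier.startswith("00"):
        digits = digits[2:]                      # drop the 00 international prefix
    elif not identifier.startswith("+") and len(digits) == 10:
        digits = DEFAULT_COUNTRY_CODE + digits   # national format, add country code
    return "tel:+" + digits


def contact_digest(identifier):
    """SHA-256 of the canonical form; only this digest leaves the device."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


class Directory:
    """Server side (hypothetical): maps digest -> username, never the raw value."""

    def __init__(self):
        self._by_digest = {}

    def register(self, username, digests):
        for d in digests:
            self._by_digest[d] = username

    def lookup(self, digests):
        return {d: self._by_digest[d] for d in digests if d in self._by_digest}


def discover(directory, address_book):
    """Client side: hash the address book locally, map matches back to names."""
    local = {contact_digest(value): name for name, value in address_book.items()}
    return {local[d]: user for d, user in directory.lookup(list(local)).items()}


# Constructed sample data: one registered user, three address-book entries.
directory = Directory()
directory.register("alice_w", [contact_digest("+1 (415) 555-0100"),
                               contact_digest("Alice@Example.com")])
book = {"Alice": "415-555-0100", "Bob": "bob@example.org",
        "Al (mail)": " alice@example.com "}
matches = discover(directory, book)
```

Phone numbers come from a small space, so a directory of such digests still deserves the same access controls as the raw values.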
You can send a Wickr message to a non-user, who will receive an email invitation to join. I was happily surprised to see that Wickr also handles group messaging with ease. Wickr tells me that one million users have downloaded the app, but that they don’t track user statistics. Still, this is much smaller than services like Viber.
Everything Is Temporary (and Encrypted)
One of my favorite spy tropes is the self-destructing tapes used in the opening of Mission: Impossible episodes. Snapchat offered a similar feature in their much-maligned picture messaging app, but Wickr actually delivers on secure, ephemeral messaging.
In the app’s Settings, you define the default life span of each message you send over Wickr. Messages can last anywhere from three seconds to six days. The clock starts running once the recipient taps to open the message, and it’s a literal digital timer displaying the remaining time down to the second for each message. When it runs out, an explosion animation devours your message. In the background, Wickr is erasing and overwriting the data so it can’t be recovered with digital forensics techniques. Wickr’s developers told me they plan to move to a freemium system with in-app purchases, such as longer message lifespans.
Each message is encrypted with a different key, and the keys are stored on users’ devices—not with Wickr. The goal is a “zero knowledge” system, which means that even if Wickr’s servers were compromised or seized by law enforcement, there would be nothing intelligible to obtain. Encryption is handled using AES 256, ECDH521, and RSA 4096. The last one, RSA 4096, is used for legacy purposes and is being phased out.
In addition to encrypting messages, Wickr “binds” each message to the devices used by the recipient. The developers explain that even if traffic is being monitored and the encryption is broken (a very real possibility), the messages would still be unreadable without the intended device. Note that you can choose to have Wickr allow only one device per user, but the app warns that doing so will require you to create a new account if you get a new device.
In practice, this can be a little confusing. When I read a new message on my iPad, that message would not appear on my iPhone. When both my iPhone and iPad were on with Wickr running, it was a crapshoot which would see the message first. I’d recommend keeping the ability to have multiple devices, but only using one. I had the same issues when using Confide.
Wickr messages are text by default, but you can take pictures, add photos from your camera roll, include audio messages, and record 30 seconds of video. You can also attach files stored on Dropbox, Google Drive, and Box. Attachments are also given a lifespan, and you cannot download an image or file to keep it beyond its lifespan. Be sure to define a lifespan for video clips that is at least as long as the video’s run time.
As with Snapchat, Wickr pictures are only visible while you tap and hold the screen, which makes it harder but not impossible to screenshot a picture. I had no trouble doing so on my iPhone 5c. This is likely a restriction on the operating system level, but apps running on Android OS can prevent users from taking screenshots. I’ll be looking for that feature when I review the Android version of Wickr, which is currently in Beta.
Inside Wickr’s settings are the usual offerings, but a few tools really stand out. For instance, you can opt out of syncing your messages between multiple devices and tie your Wickr account to a single device. There’s also the Secure Shredder, where you control how aggressively Wickr overwrites deleted data in the background. You can also manually “sanitize” your entire device, but the app warns that this may temporarily trigger a low memory warning as your messages are overwritten with junk data.
There’s also a block list, which lets you toggle between either a whitelist or a blacklist. By default, you can receive messages from any Wickr users, except those you list. Alternatively, you can allow messages only from the people you list.
Not Just For The Paranoid
Until recently, being secure online meant having to take extraordinary measures and required no small degree of technical know-how. That’s changing. New apps like Wickr are working hard to provide security without sacrificing smart design and ease of use. With Wickr, the only real downside is the same one you face with many messaging services: finding people, and convincing non-users to join. And though Wickr is easy enough for anyone to use for their daily correspondence, using it means learning to let go of messages.
Wickr’s emphasis on security will no doubt appeal to those who wear tinfoil hats, but it does more than protect secrets. It’s a company that takes great effort to protect its users and has even staked its reputation on its ability to do so. That’s a bold statement in the information economy, and one we should all think about.
Copyright © 2012 Ziff Davis, Inc