Secure SMS app Wickr finally hits Android
Wickr's flavor of secure text messaging, protected in part by the encryption technique called Perfect Forward Secrecy, lands on Android in a new beta.
Wickr isn't the only encrypted text messaging app around, but it does provide a hard-to-replicate level of protection for your texts. Previously for iOS only, it launched Monday in beta on Android.
The app's argument is simple: its San Francisco-based makers claim that Wickr, now cross-platform between Android and iOS, provides the most secure text messaging apparatus currently available. It uses AES-256, RSA-4096, ECDH-521, Transport Layer Security, and SHA-256 to encode data while it's being stored on a server and while being transferred between devices.
Nico Sell, a Wickr co-founder, doesn't hesitate to talk about her company's interactions with the US government.
"Wickr has been approached by the FBI and asked for a backdoor," she told CNET recently. "We said no."
Sell, who helps run the DefCon Kids program at the annual DefCon security and hacking conference, connects her heritage as a Daughter of the American Revolution to her work on Wickr.
"My ancestor was a drummer boy for George Washington, who founded the postal service. The US Post Office allowed people to have freedom of information, private correspondence without the government's prying eyes. That," she said, "is what made America great."
Wickr boasts that it meets or exceeds HIPAA requirements for medical record privacy and encryption, including military grade FIPS 140-2 and exceeds NSA Suite B compliant. It also uses Perfect Forward Secrecy, an encryption technique generates and uses encryption keys once and then deletes them immediately afterwards. PFS is used by Google but few other Internet companies, although Facebook recently has begun to incorporate it.
In fact, because Wickr's user data and texts are so heavily protected, user identification outside of user-to-user communication is anonymous. Messages are tied to the device they are sent from, attachments have metadata such as time, location, and identity stamps stripped from them, and deleted texts are shredded. Even the sender's identity is encrypted before the message leaves the sender's phone.
Wickr is straightforward about its intentions to make money from a privacy-protective app.
Sell said that Wickr is "the only small company doing a transparency report" published quarterly. While this claim is harder to verify, Sell isn't wrong to say that there aren't many small companies or startups writing regular transparency reports.
"We've gone a year without any zero days," she said, referring to attacks that exploit previously undocumented vulnerabilities in software or hardware. That's no mean feat for a company making closed-source software that's heavily involved in privacy protocol. "We have magnitudes more users than the other guys, so we should have more magnitudes more zero days," Sell said.
Wickr expects only 3 percent of its customers to pay for what it calls "professional" calling and texting, which it hopes will subsidize the other 97 percent of its users. The company didn't specify what features would differentiate "professional" from "free," but Wickr has said that it doesn't plan on showing ads to its non-paying customers.
Despite increased attention to privacy in the wake of the documents leaked by Edward Snowden, there's still little guarantee or even indication that people will take steps to replace a default app like their phone's text messaging app, and then ensure that their text's recipient also will have the same brand of secure replacement.