Encrypted chat app Wickr opens code for public review

Security researchers have wanted a peek at Wickr’s code since the secure messaging app launched in 2012, and now they’re finally getting that chance. Wickr is publishing its code for Wickr Professional, the subscription-based enterprise version of its free messaging app, today for public review.

The public review builds on private third-party code reviews by security experts like Dan Kaminsky and Whitfield Diffie, and has been a long time in the making for Wickr.

“For years, Wickr has been at the forefront of ephemeral communication. With Wickr Professional, they are allowing teams to be confident that what is discussed is not distributed. And by opening their code, they are giving the engineering community strong reasons to trust their platform,” Kaminsky said in a statement.

Users might not be interested in the inner workings of most of the apps they use, but for encrypted messaging, trust is paramount. Users need to know that the app’s security claims are verified — that there’s math behind the marketing — and so it’s common for the makers of encryption products to make their code available for public inspection. This makes it possible for experts to reassure users that their messages are private, and lets researchers hunt for bugs that could make the app less secure.

But Wickr hasn’t gone open-source — until now. That’s made it tough for Wickr to gain the trust of the most privacy-conscious users. The Electronic Frontier Foundation marked Wickr down in a 2015 edition of its Secure Messaging Scorecard because the company had no public documentation of its encryption protocol and had not made its code available for review.

Wickr tried to strike a balance later that year, when it published a white paper describing its methods. But the company still stopped short of making its code public.

After all, Wickr is a business, and it’s easy to see how offering up code for free could cut into the company’s profit. But Signal, a competing encrypted messaging app that has surged in popularity, has open-sourced its code from the beginning. Google, Facebook, and WhatsApp all implemented Signal’s encrypted messaging protocol in their own apps last year, demonstrating that open-source doesn’t inherently harm a company’s growth.

Joel Wallenstrom, who joined Wickr as CEO in Nov. 2016, says that his willingness to publish the code is based on what he sees as a change in the way Wickr competes in the marketplace.

“Where we’re going to compete is really good customer service and customer support,” Wallenstrom tells TechCrunch. “I’d like to collaborate on crypto and really go out there and stake our claim in the marketplace by helping people understand how to use ephemeral communications. The next thing is, how does a general counsel really understand and wrap his or her brain around how to use this? How does this work within our organization? These are big challenges. People are looking to us and maybe to others as well, saying, ‘I need help with that part too, not just the math.’”

Wallenstrom also wanted to please the security community, which has embraced open-source as a way to ensure the integrity of encrypted communication. “It was important to some corporations, and it was very important to the security community, obviously,” Wallenstrom says. “What I found is that Wickr messenger users typically are in the security community and there was just a big, ‘Why not?’”

The encryption protocol Wickr released today is only used in Wickr Professional, an enterprise messaging service the company launched in private beta last month. (Think of Professional as the encrypted and ephemeral competitor of Slack.) Wickr Professional allows group chats of up to 30 people and enables file transfers, calls, and video chat. The company also offers SCIF, an enterprise product that enforces rapid destruction of messages. Professional and SCIF will be available for an annual subscription fee, while Wickr’s main chat app will remain free.

The protocol used in Wickr Me, the free app for iOS and Android, is still closed-source. Wallenstrom says that the open-source protocol will be implemented in Wickr Me as soon as possible, but for now the company is focused on its enterprise offering.

“This is a multi-party, multi-device protocol,” explains Tom Leavy, one of the creators of the protocol.

Wickr launched as a one-to-one communication service, allowing a single user with a single device to securely chat with another user. Over time, users began to use more devices and gravitated toward group chat, so Wickr added those features too. Those features, however, can cause problems for encrypted messaging because of the slow, sometimes data-heavy process of key exchange and encryption.

“We collected a lot of overhead, to the point where it was becoming difficult to scale,” Leavy says. “For Professional, we had an opportunity to say, ‘Okay, let’s take apart all the components here and really decide what operations need to happen in order to maintain end-to-end encryption between all the parties.’ The end result of that process was figuring out that there was a lot of replication of data and calculations in the key exchange and we were able to get a 50 percent reduction in larger group chats in the size of the message.”

The result is a faster, more agile protocol that Wickr hopes will attract enterprise customers who are warming up to the idea of encrypted communication but want more hands-on customer support than other apps can offer. Researchers who find errors or security vulnerabilities in the code can report the problems through GitHub and Wickr’s vulnerability disclosure program.

“The best way for us to understand what we’re going to be doing ten years from now is to be part of this dialogue,” Wallenstrom says.

You can read Wickr Professional’s white paper below and check out the code on GitHub.