You and I have good reasons to seek out a secure messaging service, or we wouldn’t be here. Our use cases may vary, but I doubt they include defending against Iranian terrorists while on active duty in the Middle East.
If Wickr and Signal are good enough for the 82nd Airborne to use in Iran, it seems to me that they might be good enough for you and me as well. We’ve already reviewed Signal; it’s time to find out what makes Wickr special.
“All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps,” Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.
“These are the two apps recommended by our leadership, as they are encrypted and free for download and use,” Foote said.
Wickr Me pros & cons
- Client-side end-to-end (E2E) encryption
- Encryption algorithms: AES 256, ECDH521, and RSA 4096, with Perfect Forward Secrecy (PFS)
- Anonymous accounts
- Ephemeral messages and attachments
- Burn-On-Read messages and attachments
- Provides Transparency Reports
- All user content is forensically wiped from the device after it expires
- Does not log IP Addresses or Unique Device ID
- Does not record user metadata
- GDPR compliant
- Code is publicly visible on GitHub, but not open source
- Message handling is unusual
Wickr Me vs Wickr Pro
Before we go further in this Wickr review, we need to talk a bit about the differences between Wickr Me and Wickr Pro. Wickr Pro and Wickr Me both run off the same secure code base, and there is a free version of Wickr Pro available. Depending on your use case and threat model, you may want to consider using Wickr Pro Basic (the free tier of Pro) instead of Wickr Me. Why would you do that?
Wickr Me distinguishes between users based on their anonymous username. Wickr Me accounts belong to whoever has the correct credentials to log in to a Wickr Me account. The company has no way to identify the owner of a Wickr Me account because they have no access to any personal information. Even if you link a phone number in Wickr Me, that data is encrypted and cannot be read by the company.
Wickr Pro requires you to use an email address as your username. While this supports password resets and verification of ownership for Wickr Pro accounts, it also eliminates the anonymity of Wickr Me. In addition, Wickr Pro Basic has several features that Wickr Me does not.
I’m concentrating on Wickr Me in this review. However, if giving Wickr an email address would be acceptable in your particular circumstances, check out the additional features of Wickr Pro Basic, covered at the end of this review.
Note: You can anonymously sign up for a secure email service and use this only for your Wickr registration.
Wickr Me feature summary
Here are some key features to consider when deciding whether Wickr Me is right for you:
- File, photo, video, voice message sharing
- Video and audio conferencing
- All messages and attachments are ephemeral. That means they only exist for a certain amount of time. Once their time is up, they are permanently deleted from both the sending and receiving devices. If a message or attachment is still sitting on a server awaiting delivery when its time is up, it is deleted from the server as well. In other words, messages may never get delivered if the recipient doesn’t log into Wickr frequently enough.
- Message handling is unusual. Messages are bound to both your account and a specific device. You can have multiple devices connected to one account, but messages will only go to the specific targeted device. Messages are not synced across all your devices as with most other messaging services.
- Wickr has published some of its code on GitHub, but the code is not open source.
- Wickr Me apps are available for Android, iOS, Windows, Mac OS, and Linux.
- Over 5 million copies of Wickr Me have been downloaded from Google Play alone.
Wickr company background information
Wickr was founded in 2012 by the team of Dr. Robert Statica, Kara Coppa, Christopher Howell, Nico Sell, and York Sell. The company is based in San Francisco, USA.
Where is your Wickr Me data stored?
Messages are stored on your device. They may be stored for a limited time on the Wickr servers, but are deleted upon delivery. Because messages are end-to-end (E2E) encrypted, even while they are on the Wickr servers, they are undecipherable.
Messages are also ephemeral. This means that every message is automatically deleted from wherever it is in the Wickr system (their servers or your device) after a user-specified amount of time. In the long term (longer than the maximum life of any particular data), your Wickr Me data isn’t stored at all.
We will discuss jurisdiction in the United States and potential privacy concerns further below in this review.
Wickr Me third-party testing and audits
While it can be hard to find any third-party testing and audit results for some secure messaging services, Wickr has glowing quotes from 4 outside organizations attesting to the security of their products. Unfortunately, I was unable to find the actual reports from which these quotes were taken.
Wickr Transparency Reports
Wickr does a great job when it comes to providing Transparency Reports. They have an archive of them going back to 2/25/2013. Here is a link to all the Wickr Transparency Reports. This is similar to some VPN services and secure email services, as it provides users with any information that could affect the security of their data. You can also see this with ProtonMail.
Wickr Me messenger hands-on testing
For purposes of this Wickr Me review, I tested out the mobile app for Android, along with the Windows and Linux desktop apps. As you might expect, you can download the mobile apps from their respective app stores.
Wickr Me Android app
You can install Wickr Me from the Google Play store. The only thing to watch out for is that both Wickr Me and Wickr Pro are available in the store. Make sure you don’t download the wrong one. The Wickr Me Android app gets good marks (4.1 out of 5 stars from over 20,000 reviews) and has been downloaded over 5 million times.
Note: The iOS version of Wickr Me gets even better marks (4.8 out of 5 stars from over 20,000 reviews).
Installing Wickr Me on an Android phone involves downloading the app and selecting a username and password. Next, Wickr Me gives you the option to enable Contact Finder. Contact Finder will scan your phone’s address book looking for contacts that are also Wickr users. Adding your own phone number (so others can find you) is optional. So is enabling Biometric Prompt, which requires biometric or password authentication every time you launch Wickr Me.
Once you finish all this, Wickr Me offers you a guided tutorial to learn more about the app’s features. Going through this tutorial is a good idea, as the Wickr team continues to add new features to the entire Wickr family of products.
Working with Wickr Me
At first glance, working with Wickr Me is much the same as working with any other messaging app. You tap a contact to chat with them. Such one-on-one conversations are called Direct Messages in Wickr Me. When you use Wickr Me on a mobile device, you can do more than send and receive text messages. You can also share files, photos, and videos, send voice messages, or have telephone-style voice messages.
But once you start using it, the ephemeral nature of the service makes itself felt. When you look in the text entry field, you’ll see a brief message showing an expiration time. Any messages you enter in this field, any attachments you add, any voice memos you include, all of them will expire in 6 days (or whatever amount of time appears here).
This Expiration time is a hard limit. Unread messages, even messages that haven’t been delivered by this expiration date, will be permanently and irretrievably eliminated from the Wickr service when this time arrives.
Wickr Burn-On-Read timer
The expiration time is only one of the two Auto-Destruct timers built into Wickr. The other is the Burn-On-Read timer. When activated, this timer controls how long a message (or other content) continues to exist after a recipient views it. This timer starts ticking as soon as content is marked as “read.”
Note: Regardless of how much time might be left on the Burn-On-Read timer, it will never extend the life of the content beyond the destruct time determined by the Expiration time.
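
The two Auto-Destruct timers and the device-bound delivery described in this review, modelled as a small simulation. This is an added example, not Wickr’s code: the `Message`, `Relay` and `mark_read` names are hypothetical, and it assumes the Expiration timer counts from the moment of sending.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400.0  # seconds

@dataclass
class Message:
    device_id: str                        # bound to one target device, not synced
    sent_at: float
    expiration: float                     # Expiration timer (hard limit)
    burn_on_read: Optional[float] = None  # Burn-On-Read timer; None = disabled
    read_at: Optional[float] = None

    def destruct_at(self) -> float:
        hard_limit = self.sent_at + self.expiration  # assumed to start at send time
        if self.burn_on_read is None or self.read_at is None:
            return hard_limit
        # Burn-On-Read can shorten a message's life but never extend it.
        return min(hard_limit, self.read_at + self.burn_on_read)

def mark_read(msg: Message, now: float) -> None:
    if msg.read_at is None:               # the timer starts on the first read only
        msg.read_at = now

class Relay:
    """Hypothetical stand-in for the server queue of undelivered messages."""
    def __init__(self):
        self.queue = []

    def submit(self, msg: Message) -> None:
        self.queue.append(msg)

    def purge(self, now: float) -> None:
        # Expired content is dropped even if it was never delivered.
        self.queue = [m for m in self.queue if now < m.destruct_at()]

    def fetch(self, device_id: str, now: float) -> list:
        """Deliver to one device; delivered messages leave the server."""
        self.purge(now)
        out = [m for m in self.queue if m.device_id == device_id]
        self.queue = [m for m in self.queue if m.device_id != device_id]
        return out

if __name__ == "__main__":
    relay = Relay()
    relay.submit(Message("phone", sent_at=0, expiration=6 * DAY))
    # The recipient logs in one day too late: nothing is left to deliver.
    print(relay.fetch("phone", now=7 * DAY))
```
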
Wickr group messaging and extra features
Wickr Me also supports group messaging. Previously known as group conversations or group chats, multi-person chats in Wickr Me now appear in Rooms. Wickr Me Rooms are not moderated, in contrast to those in Wickr Pro, which offer moderation and larger group sizes.
Beyond the basics of Direct Messaging, Room chats, and self-destructing messages, Wickr Me has some very useful additional features. Here are some highlights:
- Share Location – Share your Current Location (a snapshot of where you are this instant) or your Live Location (your location over time) with others.
- Quick Responses – A set of pre-made responses you can send when you don’t have the time or attention to send a more personalized response.
- Key Verification – Verify the identity of any user in your contacts list by clicking their avatar, which brings up the user’s information, and then clicking “Security Verification” on their profile screen. For full details on how this works, click here.
Wickr Me Desktop clients
Not surprisingly, Wickr wants to promote the high-end versions of their product, just like we found when testing out Wire messenger. Perhaps because of this, it can be difficult to find the download page for Wickr Me. Here’s the link for you. Wickr Me downloads for all the desktops start here, with the page automatically determining which platform you are installing on.
Wickr Me officially supports the following desktop platforms:
- Mac OS (not tested)
- Linux (64 bit and 32 bit)
Wickr Me Windows client
The Windows installer for Wickr Me works as you would expect, launching a setup wizard that walks you through everything. If you get hit with the dreaded User Account Control (Do you want to allow this app to make changes to your device?) dialog box, just click Yes and the wizard will complete the Wickr Me installation.
Wickr Me Linux client
The Wickr Me Linux client is distributed as a snap. Snaps are one of the ways the Linux community distributes software that can run on many different Linux distros without having to be separately compiled for each different distro.
If you follow this link, you’ll end up at the Wickr Me page at SnapCraft, the snap app store for Linux. There you will find the information you need to install the Wickr Me snap on your version of Linux. If you want more information on snaps, including how to get your copy of Linux set up to use snaps if it isn’t already so configured, start here.
When you launch the Wickr Me desktop app, you’ll find that it gives you most of the capabilities of the mobile apps. You can even send your current location, although to do so you may need to give Wickr Me access to your operating system’s location services.
Wickr support
Wickr provides separate support pages for Wickr Me and Wickr Pro. Here’s a link to the Wickr Me support page. The chances are good you will find the answers to any Support questions somewhere in this list. If not, you can submit a support ticket by clicking the Submit a request link at the top of this page.
The Wickr Status link next to the Submit a request link is a nice touch. If you run into communication problems while using Wickr, you can click this link to find out if they are caused by a network failure.
How secure and private is Wickr?
Wickr Me is about as secure and private as a messaging service can be. It combines strong encryption, Perfect Forward Secrecy, and content that literally disappears when not needed any more. Unlike some other messenger services, Wickr does not collect:
- Your IP address
- User metadata (since accounts are anonymous, Wickr doesn’t know who you are)
United States jurisdiction and privacy concerns
One lingering concern that some people may have is the legal jurisdiction where Wickr operates. Wickr Inc. is based in San Francisco, USA. Generally speaking, the United States is not a great privacy jurisdiction. It is a leading member of the Five Eyes surveillance alliance. There is also a history of US companies being forced to collect and log user data for authorities. Remember the Lavabit example?
Fortunately, these concerns are seriously mitigated with Wickr. First, it simply does not collect data (IPs or metadata) and allows for anonymous registration. Furthermore, there is no central server logging all message content with all data being ephemeral.
Of course, choosing the best secure messenger all comes down to your threat model and specific needs. Given everything we’ve seen in this Wickr review, however, the US jurisdiction is not overly concerning.
Note: At least the United States does not have laws (yet) that force companies to break encryption and provide access to all secure communications, as we have seen in Australia. This is an issue for Session messenger.
Wickr business features (Wickr Pro)
Wickr Pro is the business-oriented side of the Wickr product line. Wickr Pro and Wickr Me run off the same codebase, but Wickr Pro offers more features. The features that Wickr Pro users have access to beyond Wickr Me are:
- Video calls
- Conference/group calling
- Administrator control of security settings
- Moderated Rooms that support more users
- Larger file sizes
- Greater persistence for files