Text messages are great, but they have the annoying property of being out of the sender’s control as soon as they’re sent. That’s resulted in all kinds of fun for the Internet, and it’s also presented a big opportunity for a security company to pick up the slack and impose some sanity and privacy on these communications. A new start-up called Wickr is aiming to do just that with a mobile app that enables users to send anonymous, encrypted texts, photos and videos that self-destruct after a set time period and leave no trace for snoops.

Wickr is designed as a way for users to have complete control of not only how their communications are transmitted and stored, but also how long they’re available to anyone, even the recipient. The company, which launched its app this week, is the creation of several security experts, including Robert Statica, a professor at New Jersey Institute of Technology, Kara Coppa, a former defense contractor and network security operator, Christopher Howell, a former computer crime and forensics investigator, and Nico Sell, who is well-known in security circles as one of the key movers behind DEFCON and Black Hat and has been involved as a founder or adviser of several security companies.

The Wickr founders aim to make traceable communications the exception, rather than the norm, and to return control of private communications to the user.

“We want to flip communications on its head. Right now, all communications are traceable by default, and we think by default they should all be untraceable,” Sell said. “If you want it to be traceable, then you can do that. The idea is to give this capability for private communications to everybody.”

Wickr is a simple app that users install on their mobile devices. (Windows and Mac versions also are in the works.) Users must register with the company to begin, but their username is the only thing the company stores, and that’s saved as just a salted hash. No real names or email addresses are required. Once registered, a user can then send a private message to any other Wickr user. The messages flow through the company’s servers, but they’re encrypted all along the way and the Wickr servers only store each message–still encrypted–until it’s downloaded by the recipient. After that, it’s erased from the server.

Users also have the ability to set a maximum time-to-live for every message they send. Once a message expires, it is digitally shredded and overwritten several times with junk bits. Wickr is meant to not only protect user privacy during and after transmission of messages, but also to prevent forensic recovery of the deleted data after the fact.

Wickr uses AES-256 and RSA-4096 encryption, but Statica said that the way in which the algorithms are implemented is proprietary to the company. 

“We call it our digital security bubble,” he said. “Everything is app-based, the usernames are stored as a salted hash and they’re camouflaged on the server. It’s pretty much anonymous. No one knows who is who.”

The app, which is available in the iTunes App Store, does collect some identifying information about each user’s device, but that’s stored in encrypted form, as well. And, in addition to securing the communication channel for these messages, Wickr also scrubs any identifying metadata out of each file before it’s sent, including geolocation data, hardware IDs, etc. 

The basic Wickr services are free, but the company plans to charge for premium services, including transmission of larger files or sending messages to a large group of users. The company plans to expand to desktops in the near future, enabling the same kind of security for email messages, Statica said.

Categories: Mobile Security, Privacy

Comments (5)

  1. Anonymous
    1

    whispersys dot com has a similar app (redphone,textsecure) that’s been out for a while. good idea….only caveat is that the destination user must also have the app

  2. Anonymous
    2

    Sounds a little like the story around the “digital rubber” (German: Digitaler Radiergummi). I am not very familiar with the whole app-universe, but the fundamental problem remains: Everything I can read, I can copy. So the “expiring date” does not guarantee that the messages content is shreddered. If the recipient would like to keep it, he will. However, it could still be useful, because the majority of recipient will not go to such lengths just to copy some birthday invitations which they would forget about anyways.

  3. Anonymous
    3

    I suspect that they’ve invented the ultimate enabler for those who don’t want their sexting discovered by their Significant Others.

  4. Norm
    4

    I know of a way around uncovering the encoded as well as permanantly destroying any information sent.  The information is sent and then followed w an algorithm for destruction so to speak. the “uncoverable” is sent “back and forth”, almost being shaken up, to uncover content.  So good luck w all that “secret” stuff. Contact me if you desire further explanation. Cheers!

  5. Dennis Fisher
    5

    Yes, we’ve written about Textsecure in the past, but if I recall, it doesn’t have the expiration function.

Comments are closed.