Wire application-level security audits

Kudelski Security and X-41 D-Sec have published application-level security audits of Wire’s iOS, Android, web application, and calling code.

A year ago the first independent Wire security audit that focused on the Proteus cryptographic protocol implementation came out. We promised to continue to work on a complete solution review, and today’s news demonstrates our commitment to this promise.

I believe this makes Wire the most thoroughly publicly audited communication software available today, and represents a proactive and transparent approach to security that the whole industry should follow. Morten Brøgger, CEO, Wire

What was audited?

Kudelski Security and X-41 D-Sec reviewed the Android and iOS apps, Wire web application, and the signalling components of the calling protocol. For the Android and iOS apps the audit focused on both security and privacy aspects.

This audit is massive in scope. It covers the largest part of Wire’s source code that is relevant from a cyber threats point of view.

All issues discovered and reported have been fixed, and the fixes have been reviewed by the auditors. All Wire code is open source and available on GitHub.

Audit report direct links:

Wire Security Review — iOS Client

Wire Security Review — Android Client

Wire Security Review — Web, Calling

Why do public security audits matter?

Not a single day passes without news of data breaches and leaks, cyber attacks, or software bugs that put companies and individuals in danger. Poorly written, unaudited software is often the root cause of these incidents.

Wire has taken several steps to mitigate the potential threats — all communication on Wire is end-to-end encrypted, and all our source code is open source. However, reviewing the whole code for security vulnerabilities isn’t a task most organizations or people that use or consider adopting Wire have the expertise or the time to take on. Our cooperation with Kudelski Security and X41 D-Sec verifies our security claims, saving your IT security team time.

Regular security audits show Wire’s dedication to transparency and building trust. We believe that security is not a project but a process — therefore we look forward to publishing audit updates as our apps and platform develop.

We want to drive a change in the communication industry where regular security audits become not only the best practice but a new norm. It is not good enough to advertise audits from years ago when the whole code base of your product has changed. It is also not good enough to publish glossy executive summaries of non-public security audits of solutions that are not even open source.

No business or consumer communication solution can match Wire today in the level of transparency and security through the combination of open source code, use of end-to-end encryption, and extensive independent audits.