SAN FRANCISCO—Secure messaging service Wickr is opening its core cryptographic protocol to review by making the code available on GitHub. The move is a first for the company, which until now had kept its efforts proprietary.

"It is now time to begin opening the source code so our customers and partners can easily review the crypto codebase and validate the promises we make to Wickr's users," Wickr CEO Joel Wallenstrom said in a press release. "We hope this first release will inspire constructive critical feedback, further advancement of Wickr's security, and adoption of secure communications tools."

Anyone interested in perusing the code can view it on GitHub or on Wickr's website.

The code being released today powers Wickr Professional, the company's product targeted at enterprise customers. The protocol is called Wickr-Crypto-C, and is an upgrade designed to better meet the needs of enterprise customers, particularly with issues of scalability.

"The upgrade significantly improves the efficiency in key management for large group conversations in secure rooms," reads the Wickr press release. "A notably lighter, entirely client-based protocol, wickr-crypto-c enables scalable, strong perfect forward secrecy and ephemeral collaboration."

The new protocol is 50 percent lighter than the one used in the current consumer product and will perform better in low-bandwidth environments, Wallenstrom told PCMag.

While this is the first time Wickr has released its code, the company notes that it was always carefully picked over for potential security flaws. "No Wickr product goes to market without extensive scrutiny by our Advisors and best in the industry third-party security teams."

How Open Source Is It?

The code does not, however, represent the underlying technology powering Wickr's consumer product Wickr Messenger. That's unfortunate for everyday users looking for the assurances open code provides. However, Wallenstrom confirmed to PCMag that it's the company's eventual goal to merge the products so that consumer and enterprise users benefit.

"The commitment is to have them on the same protocol," said Wallenstrom.

The release of the code also does not mean that Wickr is giving its blessing for others to use the company's code on their own. "It's not yet forked for public use," Wallenstrom told PCMag. "These are hard processes so right now we're in there for public review."

That's not to say Wickr won't eventually allow others to use the code on their own. "Hopefully people will learn from it and we can learn from people. And hopefully it can be used by others, eventually down the line," Wallenstrom said. "My history is from the security research community, so I just have a predisposition to participate and collaborate."

Code and Capabilities

When Wickr first emerged as a mobile app, it touted its security pedigree. The service was set up as a zero-knowledge system, where the company retained as little data as possible about its users. It could not be compelled to hand over information, not even with a court order, simply because it had no information to give. Early on, the company also contrasted itself with Snapchat, which at the time was under fire for failing to delete posts from users. Wickr, meanwhile, used a system that let users decide when messages expired and then actually followed through with deletion.

Wickr also made a point of using perfect forward secrecy. This means that even if an attacker managed to discern the key used to encrypt a message and read its contents, that key couldn't be used to decrypt any other message.

Notably, Wickr engages all of its security features by default. Platforms like Google Allo and Facebook Messenger use the Signal protocol to secure messages, but only those sent when in a special secret-messaging mode. For its part, Signal has its own messaging app, which, like Wickr, is a PCMag Editors' Choice winner for secure messaging services.

The Telegram messaging service also employs advanced security features in a secret messaging mode, and also has kept its code to itself, opening itself to criticism on both counts by security professionals. WhatsApp uses the Signal protocol, too, but encrypts every message.

One of the criticisms levied against Wickr was that it remained closed to inspection. Signal, on the other hand, has been open source since its inception. While Wallenstrom says that Wickr listened to those critics, he stood by the company's work. "People have done wonderful things and been closed-source," he told PCMag. "I don't think this is a binary black-and-white thing."

The company argues that these features are more vital than ever. "In light of recent political and security events that have dramatically changed the course of governments and businesses, we need a seismic shift in the security culture to empower companies and organizations to use the right tools for the right conversations," reads the Wickr press release. "It is no longer responsible to store everything at all times and expect sensitive information to remain secure."

In addition to the company's technical pedigree, Wickr notably refused direct pressure from the FBI to place a back door in its software.
