For years we have been recommending Wickr Messenger as a secure, reliable, and trustworthy messaging app — but a lot has changed recently. Most notably, Wickr was purchased by Amazon, a move that caused some to seek alternative secure messaging apps. So should you jump ship, or sign up? This new and in-depth Wickr review for 2023 should answer all your questions.
Everyone has their own reasons for wanting to use a secure messaging service — but some reasons are stronger than others. And I would be willing to wager that few reasons are stronger than defending your communications against adversaries in the Middle East.
That was the situation faced by the soldiers of the 82nd Airborne’s Task Force Devil after deploying to an undisclosed location in the Middle East. According to Major Richard Foote, a spokesman for the 1st Brigade Combat Team (as quoted in Military Times):
“All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps,” Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.
“These are the two apps recommended by our leadership, as they are encrypted and free for download and use,” Foote said.
If Wickr and Signal are good enough for the 82nd Airborne to use in combat, it seems likely that they are good enough for you and me as well.
We recently reviewed Signal, so it’s time to find out what makes Wickr special. In this Wickr review, I’m going to focus on Wickr Me, the free, anonymous personal version of the product. This kind of app is our focus here at Restore Privacy. But don’t worry. I’ll also give you a short rundown of the rest of the Wickr product line, including Wickr RAM, the military muscle of the family.
Wickr Me pros & cons
+ Pros
- Client-side end-to-end (E2E) encryption
- Encryption algorithms: AES 256, ECDH521, and RSA 4096, with Perfect Forward Secrecy (PFS)
- Anonymous accounts
- Ephemeral messages and attachments
- Burn-On-Read messages and attachments
- Provides Transparency Reports
- All user content is forensically wiped from the device after it expires
- Does not log IP Addresses or Unique Device ID
- Does not record user metadata
- GDPR compliant
– Cons
- Code is publicly visible on GitHub, but not open source
- Message handling is unusual
- Based in the United States
- Now owned by Amazon
Before I take you deeper into the guts of Wickr Me, we need to talk about the differences between Wickr Me and Wickr Pro.
Wickr Me vs Wickr Pro
Wickr Pro and Wickr Me both run off the same secure code base, and there is a free version of Wickr Pro available. Depending on your use case and threat model, you may want to consider using Wickr Pro Basic (the free tier of Pro) instead of Wickr Me. Why would you do that?
Wickr Me distinguishes between users based on their anonymous username. A Wickr Me account belongs to whoever has the correct credentials to log into it. The company has no way to identify the owner of a Wickr Me account because it has no access to any of your personal information. Even if you link a phone number in Wickr Me, that data is encrypted and cannot be read by the company.
Wickr Pro requires you to use an email address as your username. While this supports password resets and verification of ownership for Wickr Pro accounts, it also eliminates the anonymity of Wickr Me. On the positive side, Wickr Pro Basic has several features that Wickr Me does not.
I’m concentrating on Wickr Me in this review. However, if giving Wickr an email address would be acceptable in your particular circumstances, check out the additional features of Wickr Pro Basic, covered at the end of this review.
Note: You can boost your privacy when registering for Wickr Pro Basic by anonymously signing up for a secure email service that you only use for your Wickr registration. There are also disposable email services you can use for this purpose.
Wickr Me feature summary
Here are some key features to consider when deciding whether Wickr Me is right for you. Wickr Me offers:
- File, photo, video, voice message sharing
- Video and audio conferencing
- All messages and attachments are ephemeral. That means they only exist for a certain amount of time. Once their time is up, they are permanently deleted from both the sending and receiving devices. If a message or attachment is still sitting on a server awaiting delivery when its time is up, it is deleted from the server as well. In other words, messages may never get delivered if the recipient doesn’t log into Wickr frequently enough.
- Message handling is unusual. Messages are bound to both your account and a specific device. You can have multiple devices connected to one account, but messages will only go to the specific targeted device. Messages are not synced across all your devices as with most other messaging services.
- Wickr has published their crypto library as open source but the rest of the code is not open source.
- Wickr Me apps are available for Android and Chromebook, iOS, Windows, Mac OS, and Linux.
- Over 5 million copies of Wickr Me have been downloaded from Google Play alone.
For this Wickr Me review, I downloaded and tested Wickr Me desktop and mobile apps.
Wickr company background information
Wickr was founded in 2012 by the team of Dr. Robert Statica, Kara Coppa, Christopher Howell, Nico Sell, and York Sell. The company is based in San Francisco, USA.
As we’ve noted before, the United States is not the best jurisdiction for privacy. This is due to laws that allow government agencies to compel companies to hand over data. We have seen this with some VPN services and email services, such as Riseup and IPVanish. But we’ll discuss the topic of jurisdiction more below.
Wickr purchased by Amazon
By far the biggest update with Wickr was the announcement in June 2021 that Wickr was being acquired by Amazon. For many Wickr users, this announcement was not good news.
For one, Amazon is a large multinational company that is headquartered in the United States. As such, it must comply with all US laws and government requests for data. This could affect Wickr users adversely.
Where is your Wickr Me data stored?
Messages are stored on your device. They may be stored for a limited time on the Wickr servers, but are deleted upon delivery. Because messages are end-to-end (E2E) encrypted, even while they are on the Wickr servers, they are undecipherable.
Messages are also ephemeral. This means that every message is automatically deleted from wherever it is in the Wickr system (their servers or your device) after a user-specified amount of time. In the long term (longer than the maximum life of any particular data), your Wickr Me data isn’t stored at all. This is great for privacy.
Wickr Me third-party testing and audits
While it can be hard to find any third-party testing and audit results for some secure messaging services, Wickr has glowing quotes from four outside organizations attesting to the security of their products. Unfortunately, I was unable to find the actual reports from which these quotes were taken. You can see these references on the Wickr security page here.
Wickr Transparency Reports
Wickr does a great job when it comes to providing Transparency Reports. They have an archive of them going back to 2/25/2013. This is similar to some VPN services and secure email services, as it provides users with any information that could affect the security of their data. You can also see this with ProtonMail.
Here is a link to all the Wickr Transparency Reports.
Wickr Me messenger hands-on testing
For purposes of this Wickr Me review, I tested the mobile app for Android, along with the Windows and Linux desktop apps. As you might expect, you can download the mobile apps from their respective app stores.
Wickr Me Android app
You can install Wickr Me from the Google Play store. The only thing to watch out for is that both Wickr Me and Wickr Pro are available in the store. Make sure you don’t download the wrong one.
The Wickr Me Android app gets even better marks than last time we reviewed it (now 4.7 out of 5 stars from over 83,000 reviews) and has been downloaded over 5 million times.
Note: The iOS version of Wickr Me gets 4.6 out of 5 stars from just under 700 reviews.
Installing Wickr Me on an Android phone involves downloading the app and selecting a username and password. Next, Wickr Me gives you the option to enable Contact Finder. Contact Finder will scan your phone’s address book looking for contacts that are also Wickr users.
Adding your own phone number (so others can find you) is optional. With some secure messaging apps, however, this is not optional, as we noted in the Signal review. The Biometric Prompt option, which requires biometric or password authentication every time you launch Wickr Me, is also optional.
Once you finish all this, Wickr Me offers you a guided tutorial to learn more about the app’s features. Going through this tutorial is a good idea, as the Wickr team continues to add new features to the entire Wickr family of products.
Working with Wickr Me
At first glance, working with Wickr Me is much the same as working with any other messaging app. You tap a contact to chat with them. Such one-on-one conversations are called Direct Messages in Wickr Me. When you use Wickr Me on a mobile device, you can not only send and receive text messages. You can also share files, photos, and videos, send voice messages, or have telephone-style voice conversations.
But once you start using it, the ephemeral nature of the service makes itself felt.
When you look in the text entry field, you’ll see a brief message like the one below:
Wickr Burn-On-Read timer
The expiration time is only one of the two Auto-Destruct timers built into Wickr. The other is the Burn-On-Read timer. When activated, this timer controls how long a message (or other content) continues to exist after a recipient views it. This timer starts ticking as soon as the content is marked as “read.”
Note: Regardless of how much time might be left on the Burn-On-Read timer, it will never extend the life of the content beyond the destruct time determined by the Expiration time.
Wickr group messaging and extra features
Wickr Me also supports group messaging. Previously known as group conversations or group chats, multi-person chats in Wickr Me now appear in Rooms. Wickr Me Rooms are not moderated, in contrast to those in Wickr Pro, which offers moderation and larger group sizes.
Beyond the basics of Direct Messaging, Room chats, and self-destructing messages, Wickr Me has some very useful additional features. Here are some highlights:
- Share Location – Share your Current Location (a snapshot of where you are this instant) or your Live Location (your location over time) with others.
- Quick Responses – A set of pre-made responses you can send when you don’t have the time or attention to send a more personalized response.
- Key Verification – Verify the identity of any user in your contacts list by clicking their avatar which brings up the user’s information, and then selecting the “Security Verification” from their profile screen. For full details on how this works, click here.
For this Wickr review, we also tested out the desktop apps.
Wickr Me desktop app
Not surprisingly, Wickr wants to promote the high-end versions of their product, just like we found when testing out Wire messenger. Perhaps because of this, it can be difficult to find the download page for Wickr Me. Here’s the link for you. Wickr Me downloads for all supported desktop and mobile operating systems start here, with the page automatically determining which platform you are installing on.
Wickr Me officially supports the following desktop platforms:
- Windows
- Mac OS (not tested)
- Linux (64 bit and 32 bit)
Wickr Me Windows client
The Windows installer for Wickr Me works as you would expect, launching a setup wizard that walks you through everything. If you get hit with the dreaded User Account Control (Do you want to allow this app to make changes to your device?) dialog box, just click Yes and the wizard will complete the Wickr Me installation.
To add an extra layer of encryption for all traffic on your Windows machine, including Wickr messages, you could use a VPN for Windows running in the background.
Wickr Me Linux client
The Wickr Me Linux client is distributed as a snap. Snaps are one of the ways the Linux community distributes software that can run on many different Linux distros without having to be separately compiled for each different distro. If you follow this link, you’ll end up at the Wickr Me page at SnapCraft, the snap app store for Linux. There you will find the information you need to install the Wickr Me snap on your version of Linux.
If you want more information on snaps, including how to get your copy of Linux set up to use snaps if it isn’t already so configured, start here.
When you launch the Wickr Me desktop you’ll see something like this:
The desktop apps give you most of the capabilities of the mobile apps. You can even send your current location, although to do so you may need to give Wickr Me access to your operating system’s location services.
Wickr support
Wickr provides separate support pages for Wickr Me and Wickr Pro. Here’s a link to the Wickr Me support page. The chances are good you will find the answers to any Support questions somewhere in this list. If not, you can submit a support ticket by clicking the Submit a request link at the top of this page.
The Wickr Status link next to the Submit a request link is a nice touch. If you run into communication problems while using Wickr, you can click this link to find out if they are caused by a network failure.
How secure and private is Wickr?
Wickr Me is about as secure and private as a messaging service can be.
It combines strong encryption, Perfect Forward Secrecy, and content that literally disappears when not needed anymore. Unlike some other messenger services, Wickr does not collect:
- Your IP address
- User metadata (since accounts are anonymous, Wickr doesn’t know who you are)
The Wickr Messaging protocol and apps have gotten good marks in various third-party audits, and the 82nd Airborne considers it (along with Signal) to be good enough to use in a very hostile environment.
United States jurisdiction and privacy concerns
One lingering concern that some people may have is the legal jurisdiction where Wickr operates. Wickr Inc. is based in San Francisco, USA. Generally speaking, the United States is not a good privacy jurisdiction. It is a leading member of the Five Eyes surveillance alliance. The US government also has a history of forcing US companies to secretly collect and log user data. You might remember the Lavabit example, where the owner had to close the business to avoid being forced to spy on his customers.
Fortunately, these concerns are strongly mitigated with Wickr. First, it simply does not collect data (IPs or metadata) and Wickr Me allows for anonymous registration. Furthermore, no central server logs all message content, and all data is ephemeral.
Of course, choosing the best secure messaging service all comes down to your threat model and specific needs. Given everything I saw while doing this Wickr review, the US jurisdiction isn’t a huge concern for me.
Note: At least the United States does not have laws (yet) that force companies to break encryption and provide access to all secure communications, as we have seen in Australia. This is an issue we discussed in our Session messenger review.
Wickr business features (Wickr Pro)
Wickr Pro is the business-oriented side of the Wickr product line. Wickr Pro and Wickr Me run off the same codebase, but Wickr Pro offers more features.
The features that Wickr Pro users have access to beyond Wickr Me are:
- Video calls
- Screensharing
- Conference/group calling
- Administrator control of security settings
- Moderated Rooms that support more users
- Larger file sizes
- Greater persistence for files
The details of these features all depend on the Wickr Pro pricing tier you choose.
Wickr Enterprise – A corporate-grade collaboration platform
As the website describes it, “Wickr Enterprise is a fully scalable collaboration platform built with security top of mind. Maintain total control over your business communications while also remaining totally compliant.”
If you need enterprise-scale collaboration, this could be the service you are looking for. Click this link for more information.
Wickr RAM – Optimized comms for military use
Wickr RAM (Recall, Alert, and Messaging) is a secure collaboration platform designed specifically for the needs of the armed forces and approved by the DoD. It provides access to your NIPRNet environment through your mobile device. You can get more information on this system here.
Wickr Me prices = free
Wickr Me is free of charge. It is possible that the team will add some optional features at some point (such as greater persistence for files), but the core Wickr Me product will remain free.
Some secure messengers only offer paid apps, as we covered in our Threema review.
Wickr Pro prices
Wickr Pro users can choose among four pricing tiers: Basic, Silver, Gold, and Platinum. The Silver, Gold, and Platinum tiers are all geared toward businesses and large teams.
The Basic tier could be of particular interest to people interested in Wickr Me. You have to log in to Wickr Pro Basic with an email address, but you gain access to Pro-level features like secure video calling and a secure workspace for teams of up to 30 people.
If chatting is all you want to do, Wickr Me is the obvious answer. But if you need a secure workspace, or plan to use Wickr in a team situation, the free Wickr Pro Basic option might be exactly what you need.
Here are the Wickr Pro price tiers:
- Basic = $0
- Silver = $4.99/mo
- Gold = $9.99/mo
- Platinum = $25.00/mo
Wickr review conclusion
Wickr Me is one of the most capable secure messaging apps in the world. And it is free. Because all content is ephemeral it may take a little getting used to, but do you really need copies of 6-month-old messages sucking up space on your phone?
Wickr Pro is a great option for anyone wanting access to more features. You can opt for the Basic (free) plan to get more features than Wickr Me. Or you can go with the Silver, Gold, or Platinum plans if you need support for a large team or business.
The big question is how you feel about Amazon owning Wickr. After all, you need to be able to trust the privacy tools you are using. And the answer to these questions all comes down to your threat model. How much privacy and security do you need, and what threat actors are you protecting yourself against?
Is Wickr Me right for you?
Wickr Me ticks all the right boxes for a secure and private messaging service.
As long as you don’t need a permanent record of your chats, and can deal with messages never being delivered at all if the recipient doesn’t check in frequently enough, Wickr Me should be on your shortlist of services to test drive. And if you can settle for secure and private (but not anonymous) messaging, take a close look at Wickr Pro Basic for some nice additional features for the same “free” price point as Wickr Me.
Alternative secure messaging apps we have reviewed here on Restore Privacy:
- Wire review
- Signal review
- Threema review
- Telegram review
- Keybase review
- Session review (a more private fork of Signal)
This Wickr review was last updated on January 2, 2023.
Wickr Messenger Data safety ANDROID APP:
1. This app may share these data types with third parties
– Personal info, Phone number,
– App activity,
– App info and performance, Crash logs and Diagnostics.
– Analytics
2. This app may collect these data types
– Personal info,
– App activity, App interactions and Other user-generated content,
– App info and performance, Crash logs and Diagnostics
– Analytics
3. Data is encrypted in transit
– Your data is transferred over a secure connection
4. You can request that data be deleted
– The developer provides a way for you to request that your data be deleted.
———————————————-
Wickr Me – Private Messenger has access / App permissions:
1. Phone: read phone status and identity
2. Photos/Media/Files
3. modify or delete the contents of your USB storage
4. read the contents of your USB storage
5. camera / perm_camera_mic
6. take pictures and videos
7. Contacts
8. read your contacts
9. perm_device_information
10. Device ID & call information
11. read phone status and identity
12. signal_wifi_4_bar / Wi-Fi connection information / view Wi-Fi connections
13. Location: precise location (GPS and network-based) / approximate location (network-based)
14. Microphone
15. record audio
16. Storage
Other:
receive data from Internet
prevent device from sleeping
change network connectivity
run at startup
pair with Bluetooth devices
full network access
change your audio settings
send sticky broadcast
view network connections
control vibration
SOURCE: Google Play
I cannot create a personal Wickr account. Wickr Me doesn’t allow new accounts starting 2023. For AWS Wickr there is no create an account page. It asks to sign in with a work email (with a company domain).
These are the only 2 apps I found on App Store.
Where can I get Wickr Pro?
I received a message (in a Wickr room) saying that my IP had been routed and I had been traced. And that my Wickr activity would have been checked, and in case signaled to authorities. Is that possible? Or just a scam message to scare people?
Unfortunately, Wickr (Me, Pro & Exec, and probably ARM, too) all fail on two counts:
1. They have embedded trackers (for Android, see https://reports.exodus-privacy.eu.org/en/reports/com.mywickr.wickr2/latest/) but we can’t see what the iOS app does; and
2. as is well-known, Wickr sends meta-data to various third-parties. This much has been confirmed by Mr Tin-Foil Hat himself, Michael Bazzell: https://inteltechniques.com/blog/2021/07/02/the-privacy-security-osint-show-episode-223/
Since I made the decision to remove all apps on my (de-Googled) phone which contain trackers, this pretty much bounces out Wickr. But Signal, Session and Wire are still OK (for now).
The answer to the “it’s only meta-data” assertion is this:
You rang an S&M phone sex chat line at 01:33 this morning, stayed on the line for 28 minutes, then hung up. But I don’t know what you said (the data).
PS – Wire obtained from F-Droid, that is. The one from Google Play Store contains the Countly tracker.
Why are you all so alarmist about AWS?
You don’t seem to be concerned about the fact that your messages are routed over the most insecure infrastructure in the world: the internet. Why is this alarming you all of a sudden? It’s not like messages can be read from the servers!
Or concerned about In-Q-Tel, or any other government entity?
I see AWS as a bigger, better, faster infrastructure, that allows Wickr to finally connect faster, have better reliability in message delivery. I’m not sure if Wickr.me and Wickr Pro go through the same routes – because on the downside, Wickr still has connection issues, and still takes a long time to “initialize” and then to “connect”. Wire is just as sophisticated and it connects immediately.
So as a sidenote, this makes me wonder if Wire is just in a better location, for international communications. The internet infrastructure in Germany is the fastest in the world. And if Wickr.me is still on old servers, not yet transitioned to AWS, those old servers might be in California, which is too decentralized. This is all speculation on my part, just me trying to guess what’s up with the occasional sluggish performance.
As for other entities looking over Wickr’s shoulders, either as investors or investigators, I don’t think this compromises the app or your messages in any way. The US Air Force has begun mass deployment of the app, if we are to trust reports on license purchases. If there were a flaw in it, if it could be exploited, then the government wouldn’t be using it.
From a military and security-services standpoint, it’s actually far more reliable to use something that is out there, than to develop an app in-house. When it’s used at large (like Wickr), bugs come out, hacks get reported, things get fixed. It’s widely deployed and gets tested in ways that don’t compromise national security. When it’s developed in-house, for private use, such as for a government division, the bugs might be coming to light where you don’t want them to, in Russia for example, and you’d never find out about it. If you failed to identify bugs, the community that finds them might not be friendly. Contrary to a commercial app where there is a community other than your own organization also looking at it.
IMHO, it’s highly desirable to have it checked out, and if it begins to be used by various agencies requiring the highest levels of security, that should be something that reassures you. Because the Air-Force isn’t going to just hand over confidential data to an entity like AWS. If they use it, they’ll be damn sure no one, on any part of the infrastructure, can open your messages, be that on the server farm or on the internet.
I think the reason Wickr sold up to AWS is considering where we’ve seen they’ve been useful to the military, that ownership by AWS, which has a lot of US government contracts, would be useful for their messaging software, to be used by government employees etc.
Lack of principle? Sure, but I bet they earn from it.
You recommend Wickr as safe for the general public, but what about the supposed investment of In-Q-Tel company in Wickr?
Please see here: https://en.wikipedia.org/wiki/In-Q-Tel#Software
The purpose of the In-Q-Tel is “to keep the Central Intelligence Agency, and other intelligence agencies, equipped with the latest in information technology in support of United States intelligence capability.”
Is this not enough for Wickr to be deleted from your website?
It raises questions from a trust perspective, I agree. We’ll consider this going forward in our recommendations. Thanks.
If there was a way to hack it, do you think the US government would want to use it?
If the CIA is able to use an exploit, so can everyone else.
To me, it looks more like investigation, oversight, verification, to see if it can be exploited, and if not, a tool that they might be able to use for their services too.