Everyone has their own reasons for wanting to use a secure messaging service — but some reasons are stronger than others. And I would be willing to wager that few reasons are stronger than defending your communications against adversaries in the Middle East.
That was the situation faced by the soldiers of the 82nd Airborne’s Task Force Devil after deploying to an undisclosed location in the Middle East. According to Major Richard Foote, a spokesman for the 1st Brigade Combat Team (as quoted in Military Times),
“All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps,” Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.
“These are the two apps recommended by our leadership, as they are encrypted and free for download and use,” Foote said.
If Wickr and Signal are good enough for the 82nd Airborne to use in combat, it seems likely that they are good enough for you and me as well.
We recently reviewed Signal, so its time to find out what makes Wickr special. In this Wickr review, I’m going to focus on Wickr Me, the free, anonymous personal version of the product. This kind of app is our focus here at Restore Privacy. But don’t worry. I’ll also give you a short rundown of the rest of the Wickr product line, including Wickr RAM, the military muscle of the family.
Wickr Me pros & cons
- Client-side end-to-end (E2E) encryption
- Encryption algorithms: AES 256, ECDH521, and RSA 4096, with Perfect Forward Secrecy (PFS)
- Anonymous accounts
- Ephemeral messages and attachments
- Burn-On-Read messages and attachments
- Provides Transparency Reports
- All user content is forensically wiped from the device after it expires
- Does not log IP Addresses or Unique Device ID
- Does not record user metadata
- GDPR compliant
- Code is publicly visible on GitHub, but not open source
- Message handling is unusual
- Based in the United States
Before I take you deeper into the guts of Wickr Me, we need to talk about the differences between Wickr Me and Wickr Pro.
Wickr Me vs Wickr Pro
Wickr Pro and Wickr Me both run off the same secure code base, and there is a free version of Wickr Pro available. Depending on your use case and threat model, you may want to consider using Wickr Pro Basic (the free tier of Pro) instead of Wickr Me. Why would you do that?
Wickr Me distinguishes between users based on their anonymous username. A Wickr Me account belongs to whoever has the correct credentials to log into it. The company has no way to identify the owner of a Wickr Me account because they have no access to any of your personal information. Even if you link a phone number in Wickr Me that data is encrypted and cannot be read by the company.
Wickr Pro requires you to use an email address as your username. While this supports password resets and verification of ownership for Wickr Pro accounts, it also eliminates the anonymity of Wickr Me. On the positive side, Wickr Pro Basic has several features that Wickr Me does not.
I’m concentrating on Wickr Me in this review. However, if giving Wickr an email address would be acceptable in your particular circumstances, check out the additional features of Wickr Pro Basic, covered at the end of this review.
Note: You can boost your privacy when registering for Wickr Pro Basic by anonymously signing up for a secure email service that you only use for your Wickr registration. There are also disposable email services you can use for this purpose.
WickrMe feature summary
Here are some key features to consider when deciding whether Wickr Me is right for you. Wickr Me offers:
- File, photo, video, voice message sharing
- Video and audio conferencing
- All messages and attachments are ephemeral. That means they only exist for a certain amount of time. Once their time is up, they are permanently deleted from both the sending and receiving devices. If a message or attachment is still sitting on a server awaiting delivery when its time is up, it is deleted from the server as well. In other words, messages may never get delivered if the recipient doesn’t log into Wickr frequently enough.
- Message handling is unusual. Messages are bound to both your account and a specific device. You can have multiple devices connected to one account, but messages will only go to the specific targeted device. Messages are not synced across all your devices as with most other messaging services.
- Wickr has published their crypto library as open source but the rest of the code is not open source.
- Wickr Me apps are available for Android and Chromebook, iOS, Windows, Mac OS, and Linux.
- Over 5 million copies of Wickr Me have been downloaded from Google Play alone.
For this WickrMe review, I downloaded and tested Wickr Me desktop and mobile apps.
Wickr company background information
Wickr was founded in 2012 by the team of Dr. Robert Statica, Kara Coppa, Christopher Howell, Nico Sell, and York Sell. The company is based in San Francisco, USA.
As we’ve noted before, the United States is not the best jurisdiction for privacy. This is due to laws that allow government agencies to compel companies to hand over data. We have seen this with some VPN services and email services, such as Riseup and IPVanish. But we’ll discuss the topic of jurisdiction more below.
Where is your Wickr Me data stored?
Messages are stored on your device. They may be stored for a limited time on the Wickr servers, but are deleted upon delivery. Because messages are end-to-end (E2E) encrypted, even while they are on the Wickr servers, they are undecipherable.
Messages are also ephemeral. This means that every message is automatically deleted from wherever it is in the Wickr system (their servers or your device) after a user-specified amount of time. In the long term (longer than the maximum life of any particular data), your Wickr Me data isn’t stored at all. This is great for privacy.
Wickr Me third-party testing and audits
While it can be hard to find any third-party testing and audit results for some secure messaging services, Wickr has glowing quotes from four outside organizations attesting to the security of their products. Unfortunately, I was unable to find the actual reports from which these quotes were taken. You can see these references on the Wickr security page here.
Wickr Transparency Reports
Wickr does a great job when it comes to providing Transparency Reports. They have an archive of them going back to 2/25/2013. This is similar to some VPN services and secure email services, as it provides users with any information that could affect the security of their data. You can also see this with ProtonMail.
Here is a link to all the Wickr Transparency Reports.
Wickr Me messenger hands-on testing
For purposes of this Wickr Me review, I tested the mobile app for Android, along with the Windows and Linux desktop apps. As you might expect, you can download the mobile apps from their respective app stores.
Wickr Me Android app
You can install Wickr Me from the Google Play store. The only thing to watch out for is that both Wickr Me and Wickr Pro are available in the store. Make sure you don’t download the wrong one.
The Wickr Me Android app gets even better marks than last time we reviewed it (now 4.7 out of 5 stars from over 83,000 reviews) and has been downloaded over 5 million times.
Note: The iOS version of Wickr Me gets 4.6 out of 5 stars from just under 700 reviews).
Installing Wickr Me on an Android phone involves downloading the app and selecting a username and password. Next, Wickr Me gives you the option to enable Contact Finder. Contact Finder will scan your phone’s address book looking for contacts that are also Wickr users.
Adding your own phone number (so others can find you) is optional. With some secure messaging apps, however, this is not optional, as we noted in the Signal review. The Biometric Prompt option, which requires biometric or password authentication every time you launch Wickr Me, is also optional.
Once you finish all this, Wickr Me offers you a guided tutorial to learn more about the app’s features. Going through this tutorial is a good idea, as the Wickr team continues to add new features to the entire Wickr family of products.
Working with Wickr Me
At first glance, working with Wickr Me is much the same as working with any other messaging app. You tap a contact to chat with them. Such one-on-one conversations are called Direct Messages in Wickr Me. When you use Wickr Me on a mobile device, you can not only send and receive text messages. You can also share files, photos, and videos, send voice messages, or have telephone-style voice conversations.
But once you start using it, the ephemeral nature of the service makes itself felt.
When you look in the text entry field, you’ll see a brief message like the one below:
Wickr Burn-On-Read timer
The expiration time is only one of the two Auto-Destruct timers built into Wickr. The other is the Burn-On-Read timer. When activated, this timer controls how long a message (or other content) continues to exist after a recipient views it. This timer starts ticking as soon as the content is marked as “read.”
Note: Regardless of how much time might be left on the Burn-On-Read time, it will never extend the life of the content beyond the destruct time determined by the Expiration time.
Wickr group messaging and extra features
Wickr Me also supports group messaging. Previously known as group conversations or group chats, multi-person chats in Wickr Me now appear in Rooms. Wickr Me Rooms are not moderated, in contrast to those in Wickr Pro, which offers moderation and larger group sizes.
Beyond the basics of Direct Messaging, Room chats, and self-destructing messages, Wickr Me has some very useful additional features. Here are some highlights:
- Share Location – Share your Current Location (a snapshot of where you are this instant) or your Live Location (your location over time) with others.
- Quick Responses – A set of pre-made responses you can send when you don’t have the time or attention to send a more personalized response.
- Key Verification – Verify the identity of any user in your contacts list by clicking their avatar which brings up the user’s information, and then selecting the “Security Verification” from their profile screen. For full details on how this works, click here.
For this Wickr review, we also tested out the desktop apps.
Wickr Me desktop app
Not surprisingly, Wickr wants to promote the high-end versions of their product, just like we found when testing out Wire messenger. Perhaps because of this, it can be difficult to find the download page for Wickr Me. Here’s the link for you. Wickr Me downloads for all supported desktop and mobile operating systems start here, with the page automatically determining which platform you are installing on.
Wickr Me officially supports the following desktop platforms:
- Mac OS (not tested)
- Linux (64 bit and 32 bit)
Wickr Me Windows client
The Windows installer for Wickr Me works as you would expect, launching a setup wizard that walks you through everything. If you get hit with the dreaded User Account Control (Do you want to allow this app to make changes to your device?) dialog box, just click Yes and the wizard will complete the Wickr Me installation.
To add an extra layer of encryption for all traffic on your Windows machine, including Wickr messages, you could use a VPN for Windows running in the background.
Wickr Me Linux client
The Wickr Me Linux client is distributed as a snap. Snaps are one of the ways the Linux community distributes software that can run on many different Linux distros without having to be separately compiled for each different distro. If you follow this link, you’ll end up at the Wickr Me page at SnapCraft, the snap app store for Linux. There you will find the information you need to install the Wickr Me snap on your version of Linux.
If you want more information on snaps, including how to get your copy of Linux set up to use snaps if it isn’t already so configured, start here.
When you launch the Wickr Me desktop you’ll see something like this:
The desktop apps give you most of the capabilities of the mobile apps. You can even send your current location, although to do so you may need to give Wickr Me access to your operating system’s location services.
Wickr provides separate support pages for Wickr Me and Wickr Pro. Here’s a link to the Wickr Me support page. The chances are good you will find the answers to any Support questions somewhere in this list. If not, you can submit a support ticket by clicking the Submit a request link at the top of this page.
The Wickr Status link next to the Submit a request link is a nice touch. If you run into communication problems while using Wickr, you can click this link to find out if they are caused by a network failure.
How secure and private is Wickr?
Wickr Me is about as secure and private as a messaging service can be.
It combines strong encryption, Perfect Forward Secrecy, and content that literally disappears when not needed anymore. Unlike some other messenger services, Wickr does not collect:
- Your IP address
- User metadata (since accounts are anonymous, Wickr doesn’t know who you are)
The Wickr Messaging protocol and apps have gotten good marks in various third-party audits, and the 82nd Airborne considers it (along with Signal) to be good enough to use in a very hostile environment.
United States jurisdiction and privacy concerns
One lingering concern that some people may have is the legal jurisdiction where Wickr operates. Wickr Inc. is based in San Francisco, USA. Generally speaking, the United States is not a good privacy jurisdiction. It is a leading member of the Five Eyes surveillance alliance. The US government also has a history of forcing US companies to secretly collect and log user data. You might remember the Lavabit example, where the owner had to close the business to avoid being forced to spy on his customers.
Fortunately, these concerns are strongly mitigated with Wickr. First, it simply does not collect data (IPs or metadata) and Wickr Me allows for anonymous registration. Furthermore, there is no central server logging all message content with all data being ephemeral.
Of course, choosing the best secure messaging service all comes down to your threat model and specific needs. Given everything I saw while doing this Wickr review, the US jurisdiction isn’t a huge concern for me.
Note: At least the United States does not have laws (yet) that force companies to break encryption and provide access to all secure communications, as we have seen in Australia. This is an issue we discussed in our Session messenger review.
Wickr business features (Wickr Pro)
Wickr Pro is the business-oriented side of the Wickr product line. Wickr Pro and Wickr Me run off the same codebase, but Wickr Pro offers more features.
The features that Wickr Pro users have access to beyond Wickr Me are:
- Video calls
- Conference/group calling
- Administrator control of security settings
- Moderated Rooms that support more users
- Larger file sizes
- Greater persistence for files
The details of these features all depend on the Wickr Pro pricing tier you choose.
Wickr Enterprise – A corporate-grade collaboration platform
As the website describes it, “Wickr Enterprise is a fully scalable collaboration platform built with security top of mind. Maintain total control over your business communications while also remaining totally compliant.”
If you need enterprise-scale collaboration, this could be the service you are looking for. Click this link for more information.
Wickr RAM – Optimized comms for military use
Wickr RAM (Recall, Alert, and Messaging) is a secure collaboration platform designed specifically for the needs of the armed forces and approved by the DoD. It provides access to your NIPRNet environment through your mobile device. You can get more information on this system here.
Wickr Me prices = free
Wickr Me is free of charge. It is possible that the team will add some optional features at some point (such as greater persistence for files), but the core Wickr Me product will remain free.
Some secure messengers only offer paid apps, as we covered in our Threema review.
Wickr Pro prices
Wickr Pro users can choose among four pricing tiers: Basic, Silver, Gold, and Platinum. The Silver, Gold, and Platinum tiers are all geared toward businesses and large teams.
The Basic tier could be of particular interest for people interested in Wickr Me. You have to log in to Wickr Pro Basic with an email address, but you gain access to Pro-level features like secure video calling and a secure workspace for teams of up to 30 people.
If chatting is all you want to do, Wickr Me is the obvious answer. But if you need a secure workspace, or plan to use Wickr in a team situation, the free Wickr Pro Basic option might be exactly what you need.
Here are the Wickr Pro price tiers:
- Basic = $0
- Silver = $4.99/mo
- Gold = $9.99/mo
- Platinum = $25.00/mo
Wickr review conclusion
Wickr Me is one of the most capable secure messaging apps in the world. And it is free. Because all content is ephemeral it may take a little getting used to, but do you really need copies of 6-month old messages sucking up space on your phone?
Wickr Pro is a great option for anyone wanting access to more features. You can opt for the Basic (free) plan to get more features than Wickr Me. Or you can go with the Silver, Gold, or Platinum plans if you need support for a large team or business.
Is Wickr Me right for you?
Wickr Me ticks all the right boxes for a secure and private messaging service.
As long as you don’t need a permanent record of your chats, and can deal with messages never being delivered at all if the recipient doesn’t check in frequently enough, Wickr Me should be on your shortlist of services to test drive. And if you can settle for secure and private (but not anonymous) messaging, take a close look at Wickr Pro Basic for some nice additional features for the same “free” price point as Wickr Me.
Alternatives secure messaging services we have reviewed here on Restore Privacy: