You and I have good reasons to seek out a secure messaging service, or we wouldn’t be here. Our use cases may vary, but I doubt they include defending against Iranian terrorists while on active duty in the Middle East.
That’s the situation faced by the 82nd Airborne’s Task Force Devil after deploying to an undisclosed location in the Middle East after the US took out Iranian General Qassem Soleimani. According to Major Richard Foote, a spokesman for the 1st Brigade Combat Team (as quoted in Military Times),
“All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps,” Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.
“These are the two apps recommended by our leadership, as they are encrypted and free for download and use,” Foote said.
If Wickr and Signal are good enough for the 82nd Airborne to use in Iran, it seems to me that they might be good enough for you and me as well.
We’ve already reviewed Signal; its time to find out what makes Wickr special.
Wickr Me pros & cons
- Client-side end-to-end (E2E) encryption
- Encryption algorithms: AES 256, ECDH521, and RSA 4096, with Perfect Forward Secrecy (PFS)
- Anonymous accounts
- Ephemeral messages and attachments
- Burn-On-Read messages and attachments
- Provides Transparency Reports
- All user content is forensically wiped from the device after it expires
- Does not log IP Addresses or Unique Device ID
- Does not record user metadata
- GDPR compliant
- Code is publicly visible on GitHub, but not open source
- Message handling is unusual
Now let’s first examine the difference between Wickr Me and Wickr Pro.
Wickr Me vs Wickr Pro
Before we go further in this Wickr review, we need to talk a bit about the differences between Wickr Me and Wickr Pro. Wickr Pro and Wickr Me both run off the same secure code base, and there is a free version of Wickr Pro available. Depending on your use case and threat model, you may want to consider using Wickr Pro Basic (the free tier of Pro) instead of Wickr Me. Why would you do that?
Wickr Me distinguishes between users based on their anonymous username. Wickr Me accounts belong to whoever has the correct credentials to log in to a Wickr Me account. The company has no way to identify the owner of a Wickr Me account because they have no access to any personal information. Even if you link a phone number in Wickr Me that data is encrypted and cannot be read by the company.
Wickr Pro requires you to use an email address as your username. While this supports password resets and verification of ownership for Wickr Pro accounts, it also eliminates the anonymity of Wickr Me. In addition, Wickr Pro Basic has several features that Wickr Me does not.
I’m concentrating on Wickr Me in this review. However, if giving Wickr an email address would be acceptable in your particular circumstances, check out the additional features of Wickr Pro Basic, covered at the end of this review.
Note: You can anonymously sign up for a secure email service and use this only for your Wickr registration.
WickrMe feature summary
Here are some key features to consider when deciding whether WickrMe is right for you:
- File, photo, video, voice message sharing
- Video and audio conferencing
- All messages and attachments are ephemeral. That means they only exist for a certain amount of time. Once their time is up, they are permanently deleted from both the sending and receiving devices. If a message or attachment is still sitting on a server awaiting delivery when its time is up, it is deleted from the server as well. In other words, messages may never get delivered if the recipient doesn’t log into Wickr frequently enough.
- Message handling is unusual. Messages are bound to both your account and a specific device. You can have multiple devices connected to one account, but messages will only go to the specific targeted device. Messages are not synced across all your devices as with most other messaging services.
- Wickr has published some of its code on GitHub, but the code is not open source.
- Wickr Me apps are available for Android, iOS, Windows, Mac OS, and Linux.
- Over 5 million copies of Wickr Me have been downloaded from Google Play alone.
For this WickrMe review, we downloaded and tested Wickr Me desktop and mobile apps.
Wickr company background information
Wickr was founded in 2012 by the team of Dr. Robert Statica, Kara Coppa, Christopher Howell, Nico Sell, and York Sell. The company is based in San Francisco, USA.
Where is your Wickr Me data stored?
Messages are stored on your device. They may be stored for a limited time on the Wickr servers, but are deleted upon delivery. Because messages are end-to-end (E2E) encrypted, even while they are on the Wickr servers, they are undecipherable.
Messages are also ephemeral. This means that every message is automatically deleted from wherever it is in the Wickr system (their servers or your device) after a user-specified amount of time. In the long term (longer than the maximum life of any particular data), your Wickr Me data isn’t stored at all.
We will discuss jurisdiction in the United States and potential privacy concerns further below in this review.
Wickr Me third-party testing and audits
While it can be hard to find any third-party testing and audit results for some secure messaging services, Wickr has glowing quotes from 4 outside organizations attesting to the security of their products. Unfortunately, I was unable to find the actual reports from which these quotes were taken.
Wickr Transparency Reports
Wickr does a great job when it comes to providing Transparency Reports. They have an archive of them going back to 2/25/2013. Here is a link to all the Wickr Transparency Reports.
Wickr Me messenger hands-on testing
For purposes of this Wickr Me review, I tested out the mobile app for Android, along with the Windows and Linux desktop apps. As you might expect, you can download the mobile apps from their respective app stores.
Wickr Me Android app
You can install Wickr Me from the Google Play store. The only thing to watch out for is that both Wickr Me and Wickr Pro are available in the store. Make sure you don’t download the wrong one.
The Wickr Me Android app gets good marks (4.1 out of 5 stars from over 20,000 reviews) and has been downloaded over 5 million times.
Note: The iOS version of Wickr Me gets even better marks (4.8 out of 5 stars from over 20,000 reviews).
Installing Wickr Me on an Android phone involves downloading the app and selecting a username and password. Next, Wickr Me gives you the option to enable Contact Finder. Contact Finder will scan your phone’s address book looking for contacts that are also Wickr users.
Adding your own phone number (so others can find you) is optional. So is enabling Biometric Prompt, which requires biometric or password authentication every time you launch Wickr Me.
Once you finish all this, Wickr Me offers you a guided tutorial to learn more about the app’s features. Going through this tutorial is a good idea, as the Wickr team continues to add new features to the entire Wickr family of products.
Working with Wickr Me
At first glance, working with Wickr Me is much the same as working with any other messaging app. You tap a contact to chat with them. Such one-on-one conversations are called Direct Messages in Wickr Me. When you use Wickr Me on a mobile device, you can not only send and receive text messages. You can also share files, photos, and videos, send voice messages, or have telephone-style voice messages.
But once you start using it, the ephemeral nature of the service makes itself felt. When you look in the text entry field, you’ll see a brief message like the one below:
Any messages you enter in this field, any attachments you add, any voice memos you include, all of them will expire in 6 days (or whatever amount of time appears here). This Expiration time is a hard limit. Unread messages, even messages that haven’t been delivered by this expiration date, will be permanently and irretrievably eliminated from the Wickr service when this time arrives.
Wickr Burn-On-Read timer
The expiration time is only one of the two Auto-Destruct timers built into Wickr. The other is the Burn-On-Read timer. When activated, this timer controls how long a message (or other content) continues to exist after a recipient views it. This timer starts ticking as soon as content is marked as “read.”
Note: Regardless of how much time might be left on the Burn-On-Read time, it will never extend the life of the content beyond the destruct time determined by the Expiration time.
Wickr group messaging and extra features
Wickr Me also supports group messaging. Previously known as group conversations or group chats, multi-person chats in Wickr Me now appear in Rooms. Wickr Me Rooms are not moderated, in contrast to those in Wickr Pro, which offer moderation and larger group sizes.
Beyond the basics of Direct Messaging, Room chats, and self-destructing messages, Wickr Me has some very useful additional features. Here are some highlights:
- Share Location – Share your Current Location (a snapshot of where you are this instant) or your Live Location (your location over time) with others.
- Quick Responses – A set of pre-made responses you can send when you don’t have the time or attention to send a more personalized response.
- Key Verification – Verify the identity of any user in your contacts list by clicking their avatar which brings up the user’s information, and then clicking the “Security Verification” from their profile screen. For full details on how this works, click here.
Now we will take a close look at using Wickr Me on your desktop.
Wickr Me Desktop clients
Not surprisingly, Wickr wants to promote the high-end versions of their product, just like we found when testing out Wire messenger. Perhaps because of this, it can be difficult to find the download page for Wickr Me. Here’s the link for you. Wickr Me downloads for all the desktops start here, with the page automatically determining which platform you are installing on.
Wickr Me officially supports the following desktop platforms:
- Mac OS (not tested)
- Linux (64 bit and 32 bit)
Wickr Me Windows client
The Windows installer for Wickr Me works as you would expect, launching a setup wizard that walks you through everything. If you get hit with the dreaded User Account Control (Do you want to allow this app to make changes to your device?) dialog box, just click Yes and the wizard will complete the Wickr Me installation.
Wickr Me Linux client
The Wickr Me Linux client is distributed as a snap. Snaps are one of the ways the Linux community distributes software that can run on many different Linux distros without having to be separately compiled for each different distro. If you follow this link, you’ll end up at the Wickr Me page at SnapCraft, the snap app store for Linux. There you will find the information you need to install the Wickr Me snap on your version of Linux.
If you want more information on snaps, including how to get your copy of Linux set up to use snaps if it isn’t already so configured, start here.
When you launch the Wickr Me desktop you’ll see something like this:
The desktop apps give you most of the capabilities of the mobile apps. You can even send your current location, although to do so you may need to give Wickr Me access to your operating system’s location services.
Wickr provides separate support pages for Wickr Me and Wickr Pro. Here’s a link to the Wickr Me support page. The chances are good you will find the answers to any Support questions somewhere in this list. If not, you can submit a support ticket by clicking the Submit a request link at the top of this page.
The Wickr Status link next to the Submit a request link is a nice touch. If you run into communication problems while using Wickr, you can click this link to find out if they are caused by a network failure.
How secure and private is Wickr?
Wickr Me is about as secure and private as a messaging service can be.
It combines strong encryption, Perfect Forward Secrecy, and content that literally disappears when not needed any more. Unlike some other messenger services, Wickr does not collect:
- Your IP address
- User metadata (since accounts are anonymous, Wickr doesn’t know who you are)
The Wickr Messaging protocol and apps have gotten good marks in various third-party audits, and the 82nd Airborne considers it (along with Signal) to be good enough to use in a very hostile environment.
United States jurisdiction and privacy concerns
One lingering concern that some people may have is the legal jurisdiction where Wickr operates. Wickr Inc. is based in San Francisco, USA. Generally speaking, the United States is not a great privacy jurisdiction. It is a leading member of the Five Eyes surveillance alliance. There is also a history of US companies being forced to collect and log user data for authorities. Remember the Lavabit example?
Fortunately, these concerns are seriously mitigated with Wickr. First, it simply does not collect data (IPs or metadata) and allows for anonymous registration. Furthermore, there is no central server logging all message content with all data being ephemeral.
Of course, choosing the best secure messenger all comes down to your threat model and specific needs. Given everything we’ve seen in this Wickr review, however, the US jurisdiction is not overly concerning.
Note: At least the United States does not have laws (yet) that force companies to break encryption and provide access to all secure communications, as we have seen in Australia. This is an issue for Session messenger.
Wickr business features (Wickr Pro)
Wickr Pro is the business-oriented side of the Wickr product line. Wickr Pro and Wickr Me run off the same codebase, but Wickr Pro offers more features.
The features that Wickr Pro users have access to beyond Wickr Me are:
- Video calls
- Conference/group calling
- Administrator control of security settings
- Moderated Rooms that support more users
- Larger file sizes
- Greater persistence for files
The details of these features all depend on the Wickr Pro pricing tier you choose.
Wickr Me prices = free
Wickr Me is free of charge. It is possible that the team will add some optional features at some point (such as greater persistence for files), but the core Wickr Me product will remain free.
Wickr Pro prices
Wickr Pro users can choose among four pricing tiers: Basic, Silver, Gold, and Platinum. The Silver, Gold, and Platinum tiers are all geared toward businesses and large teams.
The Basic tier could be of particular interest for people interested in Wickr Me. You have to log in to Wickr Pro Basic with an email address, but you gain access to Pro-level features like secure video calling and a secure workspace for teams of up to 30 people.
If chatting is all you want to do, Wickr Me is the obvious answer. But if you need a secure workspace, or plan to use Wickr in a team situation, the free Wickr Pro Basic option might be exactly what you need.
Here are the Wickr Pro price tiers:
Wickr review conclusion
Wickr Me is one of the most capable secure messaging apps in the world. And it is free. Because all content is ephemeral it may take a little getting used to, but do you really need copies of 6-month old messages sucking up space on your phone?
Wickr Pro is a great option for anyone wanting access to more features. You can opt for the Basic (free) plan to get more features than Wickr Me. Or you can go with the Silver, Gold, or Platinum plans if you need support for a large team or business.
Is Wickr Me right for you?
Wickr Me ticks all the right boxes for a secure, private, anonymous messaging service.
As long as you don’t need a permanent record of your chats, and can deal with messages never being delivered at all if the recipient doesn’t check in frequently enough, Wickr Me should be on your shortlist of services to test drive. And if you can settle for secure and private (but not anonymous) messaging, take a close look at Wickr Pro Basic for some nice additional features for the same “free” price point as Wickr Me.
Alternatives secure messaging services we have reviewed here on Restore Privacy: