Wickr is Dead
The app was a privacy-championing startup, before becoming an app of choice for drug traffickers and being acquired by Amazon Web Services:
If you open the encrypted messaging app Wickr Me today, you'll be greeted with a line of red text: "Reconnecting..."
[...] Wickr Me is no longer available to download on the Apple App Store or the Google Play Store. The app stopped accepting new users more than a year ago. And now, even current users cannot speak to one another.
So ends the story of an app that while never reaching the popularity of other encrypted messaging apps like Signal, nor those that later turned on end-to-end encryption for the masses like WhatsApp, nonetheless played an important role in the adoption of and debate around secure communications.
[...] Wickr started in 2012. Nico Sell, founder of Wickr, said in a talk a couple of years later that "all of us have something to hide, either now or your future self." Crucially, that came after the Edward Snowden whistleblower revelations of 2013, which saw a massive boom of secure messaging apps and the spread of encryption more generally.
[...] But how was a free app to make money? Part of the answer for Wickr at least ended up being with the U.S. government. In 2021, I reported that Customs and Border Protection (CBP) paid Wickr $700,000 for a number of Wickr licenses. In parallel to its free Wickr Me app, Wickr had developed an enterprise version that allowed governments or businesses to send encrypted messages to one another but still collect and audit messages if necessary. Later that year, I then reported that CBP planned to deploy Wickr across "all components" of the agency as part of a $900,000 contract. I have since obtained more documents about CBP's purchase of Wickr licenses via the Freedom of Information Act (FOIA). I've uploaded them here for posterity.
[...] That transformation from scrappy upstart to government contractor was solidified when Amazon Web Services acquired Wickr in June 2021. I remember being shocked at the time and writing up the news as quickly as I could. What the hell was AWS going to do with an app that was becoming a hotbed for crime, at least in my anecdotal experience?
The answer was to shut it down entirely. After NBC News found in 2022 that Wickr was linked to a string of child abuse cases, AWS announced it would stop accepting new users at the end of that year. The company said it would then kill Wickr Me entirely on December 31, 2023.
The secure messaging world is very different to the one Wickr launched in more than ten years ago. Today mainstream platforms are turning on end-to-end encryption by default, with Facebook doing just that last month. The need for specialist apps like Wickr may be decreasing with certain groups. Maybe it's even a good sign that Wickr has been shown the door.
In addition to the above article, our submitter included a few older, but relevant, links:
What It's Like When The FBI Asks You To Backdoor Your Software
When an FBI agent casually approached Nico Sell about installing a backdoor into her secure messaging program, the agent did not know what he was in for:
At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users' security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn't have a backdoor for anyone.
As she left the stage, before she'd even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to "casually" ask if she'd be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.
This encounter, and the agent's casual demeanor, is apparently business as usual as intelligence and law enforcement agencies seek to gain greater access into protected communication systems. Since her encounter with the agent at RSA, Sell says it's a story she's heard again and again. "It sounds like that's how they do it now," she told SecurityWatch. "Always casual, testing, because most people would say yes."
[...] It was clear that the FBI agent didn't know who he was dealing with, because Sell did not back down. Instead, she lectured him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington's creation of a Post Office in the US. "My ancestor was a drummer boy under Washington," Sell explained. "Washington thought it was very important to have freedom of information and private correspondence without government surveillance."
Her lecture concluded, she proceeded to grill the agent. "I asked if he had official paperwork for me, if this was an official request, who his boss was," said Sell. "He backed down very quickly."
Though she didn't budge for the agent, Sell makes it clear that surveillance and security is a complicated issue. "Ten years ago, I'd have said yes," said Sell. "Because if law enforcement asks you to catch bad guys, who wouldn't want to help?"
The difference now, she explained, was her experiences at BlackHat. Among those, Sell pointed to a BlackHat event where Thomas Cross demonstrated how to break into lawful intercept machines—or wiretaps. "It was very clear that a backdoor for the good guys is always a backdoor for the bad guys."
Secret Documents Show Which Message Apps Are the Most FBI-Proof
WhatsApp and iMessage are not as private as you might think:
Most message apps tout their privacy features in some way. It is common to hear marketing language about "end-to-end encryption" and "private messaging" for basically every communications app out there.
While it's great that encryption has become a selling point for the public, not every "encrypted messaging service" is made equally. Depending on how it is set up, your message app may leak metadata, contacts, and even message contents.
A recently uncovered FBI document obtained by a group called Property of the People and shared with Rolling Stone illustrates just how important your choice of private messenger can be. If you think popular options like Apple's iMessage and the Meta company formerly known as Facebook's WhatsApp are FBI-proof, think again. The nation's top cops can obtain a host of message information on many popular options including some mix of "subscriber data, message sender-receiver data, device backup, IP address, encryption keys, date/time information, registration time data, and user contacts."
[...] Nine popular messaging applications are included in the document: Apple's iMessage; Line, a Japanese message app; Signal, an open source encrypted chat platform popularized by Edward Snowden; Telegram, which originated in Russia and is now based in Dubai; Threema, a paid encryption chat (that I used to use) with servers based in Switzerland; Viber, which was developed in Cyprus and then bought by the Japanese conglomerate Rakuten; the Chinese Swiss army knife app WeChat; Meta's WhatsApp; and Wickr [Me], which is a chat service that Amazon Web Services apparently owns.
The bottom line: of the most popular apps, iMessage and WhatsApp are particularly susceptible to FBI snooping. Telegram and Signal score far better according to the FBI documents. (Line and Viber are also relatively bad picks, and my formerly favored Threema likewise fares more poorly than I'd have expected, but since they aren't as popular this probably isn't relevant for you.)
[...] Now to the encryption winners. It's no surprise that Signal fared well against favored FBI methods. It's open source, independent (albeit with some surprising partnerships), and touted by public personalities with privacy-focused bona fides. Still, I would have expected the FBI to have access to more metadata than they apparently do. Way to go, Signal.
Telegram especially surprised me for scoring so well. End-to-end encryption is not the default for most Telegram communications. You need to select a "secret chat" with an individual to get the full-bodied protection that the FBI document seems to indicate. Group chats, which are the method preferred by many Telegram users, do not offer the same level of end-to-end encryption. Neither the FBI document nor the Rolling Stone article makes mention of this.
Weirdly, Rolling Stone does not mention Telegram at all, despite being the apparently most FBI-proof application all around and much more popular than Wickr, which does get a nod. The FBI document does note that Telegram may choose to divulge IP addresses and phone numbers for "confirmed terrorist investigations," but it cites Telegram's public policy rather than any secret backchannel.
And in case you want to pick up the banner and roll your own . . .
wickr-crypto-c
GitHub - WickrInc/wickr-crypto-c: An implementation of the Wickr Secure Messaging Protocol in C:
wickr-crypto-c is an implementation of the Wickr Secure Messaging Protocol in C, which provides a platform for secure communications across all Wickr products.
A white paper describing details of the protocol and its security model can be found here. A markdown version of the white paper can also be found in the wiki.
This crypto lib is released for public review for educational, academic, and code audit purposes only (*this is not an open source license, more on license here). We strongly believe in the value of the open source movement and are looking forward to collaborating with the community on this and other future projects, including under the GNU license.